A hacking method that exploits a legitimate Cloudflare feature to steal people's data and access compromised endpoints is gaining popularity, according to a report published by cybersecurity researchers at GuidePoint.
The exploited feature is Cloudflare Tunnel, which lets users make secure, outbound-only connections from web servers and applications to the Cloudflare network. Installation is easy and configuration is comprehensive: users get ample access controls, gateway configuration, team management, and user analytics.
Once set up, the tunnel is exposed to the internet and can be used for purposes such as sharing resources.
Get up to speed
Cloudflare Tunnel is available on Linux, Windows, macOS, and Docker, and users can start using it simply by installing one of the available cloudflared clients.
However, in January 2023, Phylum cybersecurity researchers discovered hackers creating malicious PyPI packages that used the tool to steal data or access endpoints remotely and under the radar. All it takes is one command on the victim's endpoint to create a discreet communication channel over which the attacker has complete control.
Now, GuidePoint states that the use of this technique for data exfiltration and to establish persistence on target devices has increased significantly.
“The tunnel is updated as soon as the configuration change is made in the Cloudflare Dashboard, allowing TAs to enable functionality only when they want to perform activities on the victim machine, then disable functionality to prevent exposure of their infrastructure,” the researchers said. “For example, the TA can enable RDP connectivity, collect information from the victim’s machine, and then disable RDP until the next day, reducing the chance of detection or the ability to observe the domain used to establish the connection.”
The researchers say the best way to spot hackers exploiting Cloudflare Tunnel is to monitor for the specific DNS queries listed in the report and for the use of non-default ports. Since Cloudflare Tunnel requires the cloudflared client, IT teams can also detect its use by tracking the file hashes associated with client releases.
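The two indicators the researchers describe, tunnel-related DNS queries and cloudflared release hashes, both reduce to simple watchlist matching that defenders can run over their own logs and endpoints. The following Python script is an added example written for this article, not code from GuidePoint, Cloudflare, or the report. The DNS log lines are constructed, the domain watchlist is an assumption standing in for the list in the report (replace it with the report's entries), and the known-hash set is a placeholder, not a real cloudflared hash. It also uses label-boundary matching, so a look-alike domain such as `notargotunnel.com` is not counted as a hit.

```python
"""Detection helpers for the two Cloudflare Tunnel indicators described above:
DNS queries to tunnel infrastructure and file hashes of the cloudflared client.
Added example; not from GuidePoint, Cloudflare, or the report."""
import hashlib
import re

# ASSUMPTION: domains cloudflared contacts. The article defers to the
# GuidePoint report for the exact DNS names; substitute that list here.
TUNNEL_DOMAIN_WATCHLIST = (
    "argotunnel.com",
    "cftunnel.com",
    "trycloudflare.com",
)

# PLACEHOLDER: populate with SHA-256 hashes of cloudflared release binaries
# taken from the vendor's published releases. This value is not a real hash.
KNOWN_CLOUDFLARED_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000000",
}

# Constructed DNS resolver log in a simple "timestamp client query" layout.
SAMPLE_DNS_LOG = """\
2023-08-07T09:12:01Z 10.0.4.21 www.example.com
2023-08-07T09:12:05Z 10.0.4.21 region1.v2.argotunnel.com.
2023-08-07T09:13:44Z 10.0.4.37 update.argotunnel.com
2023-08-07T09:14:02Z 10.0.4.21 mail.example.com
2023-08-07T09:15:19Z 10.0.4.52 notargotunnel.com
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def matches_watchlist(qname, watchlist=TUNNEL_DOMAIN_WATCHLIST):
    """True if qname is a watchlisted domain or a subdomain of one.
    Matching on a label boundary ('.' + domain) avoids false positives
    from unrelated names that merely end with the same characters."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in watchlist)


def find_tunnel_dns_hits(log_text, watchlist=TUNNEL_DOMAIN_WATCHLIST):
    """Return (timestamp, client, query) tuples for watchlist hits."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:          # skip blank or malformed lines
            continue
        ts, client, qname = m.groups()
        if matches_watchlist(qname, watchlist):
            hits.append((ts, client, qname.rstrip(".")))
    return hits


def clients_by_hit_count(hits):
    """Aggregate hits per client so analysts can triage noisy hosts first."""
    counts = {}
    for _, client, _ in hits:
        counts[client] = counts.get(client, 0) + 1
    return counts


def sha256_hex(data):
    """SHA-256 of a file's bytes as a lowercase hex string."""
    return hashlib.sha256(data).hexdigest()


def is_known_cloudflared(data, known=KNOWN_CLOUDFLARED_SHA256):
    """True if the file's hash matches a tracked cloudflared release hash."""
    return sha256_hex(data) in known


if __name__ == "__main__":
    for ts, client, qname in find_tunnel_dns_hits(SAMPLE_DNS_LOG):
        print(f"{ts} {client} queried tunnel infrastructure: {qname}")
    print("hits per client:", clients_by_hit_count(find_tunnel_dns_hits(SAMPLE_DNS_LOG)))
    # Constructed file contents; with the placeholder hash set this is False.
    print("known cloudflared binary:", is_known_cloudflared(b"constructed sample bytes"))
```

In practice the DNS side would read from a resolver or EDR telemetry export rather than an inline string, and the hash side would walk endpoint file systems (or query an EDR's file inventory) and compare against the full set of published release hashes; the matching logic stays the same.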
Via: BleepingComputer