Security News > 2023 > August > Hackers Abusing Cloudflare Tunnels for Covert Communications

New research has revealed that threat actors are abusing Cloudflare Tunnels to establish covert communication channels from compromised hosts and retain persistent access.

"Cloudflared is functionally very similar to ngrok," Nic Finn, a senior threat intelligence analyst at GuidePoint Security, said.

A command-line tool for Cloudflare Tunnel, cloudflared allows users to create secure connections between an origin web server and Cloudflare's nearest data center so as to hide the web server IP addresses as well as block volumetric distributed denial-of-service and brute-force login attacks.

"The tunnel updates as soon as the configuration change is made in the Cloudflare Dashboard, allowing TAs to enable functionality only when they want to conduct activities on the victim machine, then disable functionality to prevent exposure of their infrastructure," Finn explained.

"Organizations using Cloudflare services legitimately could potentially limit their services to specific data centers and generate detections for traffic like Cloudflared tunnels that route to anywhere except their specified data centers," Finn said.

To identify possible misuse of cloudflared, it's recommended that organizations implement adequate logging mechanisms to monitor for anomalous commands, DNS queries, and outbound connections, alongside blocking attempts to download the executable.

News URL

https://thehackernews.com/2023/08/hackers-abusing-cloudflare-tunnels-for.html