Security News > 2024 > August > Cybercriminals Abusing Cloudflare Tunnels to Evade Detection and Spread Malware

"A key element of their strategy was using direct syscalls to bypass security monitoring tools, decrypting layers of shellcode, and deploying the Early Bird APC queue injection to stealthily execute code and evade detection effectively."

The exploitation of TryCloudflare for malicious ends was first recorded last year, when Sysdig uncovered a cryptojacking and proxyjacking campaign dubbed LABRAT that weaponized a now-patched critical flaw in GitLab to infiltrate targets and obscure their command-and-control servers using Cloudflare tunnels.

The use of WebDAV and Server Message Block for payload staging and delivery necessitates that enterprises restrict access to external file-sharing services to only known, allow-listed servers.

"The use of Cloudflare tunnels provide the threat actors a way to use temporary infrastructure to scale their operations providing flexibility to build and take down instances in a timely manner," Proofpoint researchers Joe Wise and Selena Larson said.

"This makes it harder for defenders and traditional security measures such as relying on static blocklists. Temporary Cloudflare instances allow attackers a low-cost method to stage attacks with helper scripts, with limited exposure for detection and takedown efforts."

The findings come as the Spamhaus Project called on Cloudflare to review its anti-abuse policies following cybercriminals' exploitation of its services to mask malicious actions and enhance their operational security by means of what's called "Living-off-trusted-services".

News URL

https://thehackernews.com/2024/08/cybercriminals-abusing-cloudflare.html