Hackers widely adopt Cloudflare Tunnels for evasive tactics

August 17, 2023
Hackers Cloudflare Tunnels Cyberattacks Cloud Security

Cloudflare Tunnels, a legitimate Cloudflare feature, are becoming a trend among threat actors because they provide a stealthy, encrypted outbound channel from compromised devices to attacker-controlled infrastructure. Researchers also report that the tool can slip past firewalls and other network defences and be used to establish persistence.


Cloudflare Tunnels is a well-known feature used by numerous organisations worldwide.


Researchers explain that Cloudflare Tunnels is a popular feature that lets users expose web apps and servers through secure, outbound-only connections from the cloudflared client to the Cloudflare network, so that no inbound port has to be opened on the host.

Threat analysts add that there has been a surge in attackers abusing the tool for malicious purposes. The capabilities it grants include stealthy, persistent access to a target's network, bypassing security software and network controls, and a ready-made channel for data exfiltration.

According to the investigations, a single command run on the victim's device (the cloudflared client started with a tunnel token) is enough for the attacker to establish a discreet communication channel. From then on, the threat actor can alter the tunnel's configuration and deactivate or reactivate it as needed during the operation.

Experts explained that the tunnel on the victim's device is updated as soon as its operator changes the configuration in the Cloudflare Dashboard; no further interaction with the host is required. This lets attackers enable the functionality only when they want to act on the compromised device (for example, exposing a service such as RDP or SSH through the tunnel) and turn it off again afterwards to reduce the chance of detection on the network.

Furthermore, firewalls and other network protections are unlikely to flag this activity unless administrators have explicitly written rules for it: the cloudflared client talks to Cloudflare's edge over QUIC on UDP port 7844 (falling back to HTTP/2 over TCP port 7844), not over the usual HTTPS port 443, so generic web-traffic inspection never sees the exchange.

Additionally, an attacker who wants to be even more discreet can abuse Cloudflare's TryCloudflare feature, which creates one-time "quick tunnels" on a random trycloudflare.com subdomain without requiring a Cloudflare account, leaving no account for defenders to attribute or report.

A separate analysis also notes that threat actors can abuse Cloudflare's Private Networks feature: once a tunnel has been established from a single victim device, the attacker can route an entire range of internal IP addresses through that tunnel and reach those hosts remotely, turning one foothold into network-wide access.

Researchers suggest that organisations monitor for DNS queries to the domains the cloudflared client resolves and for outbound connections on non-standard ports such as 7844 to detect unauthorised use of Cloudflare Tunnels. Finally, because Cloudflare Tunnels requires the cloudflared client to be installed, defenders can also watch for the file hashes of known client releases on endpoints.
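The detection guidance above, turned into a small script as an added example (this is not code from the original article, from GuidePoint or from Cloudflare). It scans constructed DNS and connection log lines for lookups of Cloudflare Tunnel domains and for outbound connections on port 7844, correlates them per source host, and hashes a client binary against a release-hash list. The domain suffixes are the ones cloudflared is known to resolve (argotunnel.com, cftunnel.com, trycloudflare.com) but should be validated against Cloudflare's current documentation; the log formats, IP addresses and the empty release-hash table are assumptions for illustration.

```python
"""Spot unauthorised Cloudflare Tunnel (cloudflared) use in logs and on disk.

Added example; indicator lists and sample logs below are constructed for
illustration, not taken from real traffic.
"""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Domains cloudflared resolves when registering a tunnel or fetching updates.
# Assumption: illustrative list; confirm against Cloudflare's documentation.
TUNNEL_DOMAIN_SUFFIXES = (
    ".argotunnel.com",    # edge registration, e.g. region1.v2.argotunnel.com
    ".cftunnel.com",      # QUIC / HTTP2 edge endpoints
    ".trycloudflare.com", # account-less TryCloudflare quick tunnels
)
TUNNEL_PORT = 7844  # cloudflared -> edge: QUIC over UDP, HTTP/2 over TCP

# Regexes for two assumed log formats (dnsmasq-style DNS log, key=value conn log).
DNS_RE = re.compile(r"query\[\w+\]\s+(?P<qname>\S+)\s+from\s+(?P<src>[\d.]+)")
CONN_RE = re.compile(
    r"proto=(?P<proto>tcp|udp)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def is_tunnel_domain(qname: str) -> bool:
    """True if a queried name is a Cloudflare Tunnel / TryCloudflare apex or subdomain."""
    q = qname.rstrip(".").lower()
    return any(q == s.lstrip(".") or q.endswith(s) for s in TUNNEL_DOMAIN_SUFFIXES)


def scan_dns(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (source_ip, queried_name) for every tunnel-related DNS query."""
    hits = []
    for line in lines:
        m = DNS_RE.search(line)
        if m and is_tunnel_domain(m["qname"]):
            hits.append((m["src"], m["qname"].rstrip(".").lower()))
    return hits


def scan_connections(lines: List[str], port: int = TUNNEL_PORT) -> List[Tuple[str, str, str]]:
    """Return (source_ip, dest_ip, proto) for every outbound connection to the tunnel port."""
    hits = []
    for line in lines:
        m = CONN_RE.search(line)
        if m and int(m["dport"]) == port:
            hits.append((m["src"], m["dst"], m["proto"]))
    return hits


def correlate(dns_lines: List[str], conn_lines: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """Group indicators by source host. A host showing both a tunnel DNS lookup
    and an outbound 7844 connection is the strongest signal of a live tunnel."""
    findings: Dict[str, Dict[str, List[str]]] = {}
    for src, qname in scan_dns(dns_lines):
        findings.setdefault(src, {"dns": [], "port7844": []})["dns"].append(qname)
    for src, dst, proto in scan_connections(conn_lines):
        findings.setdefault(src, {"dns": [], "port7844": []})["port7844"].append(f"{proto}:{dst}")
    return findings


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_known_client(data: bytes, known_hashes: Dict[str, str]) -> Optional[str]:
    """Return the release label if the binary's SHA-256 is in known_hashes.
    known_hashes maps sha256 -> label; assumption: you populate it from the
    checksums published with cloudflared releases (none are embedded here)."""
    return known_hashes.get(sha256_of(data))


# Constructed sample logs (not real traffic).
SAMPLE_DNS = [
    "Aug 17 10:01:02 dnsmasq[412]: query[A] region1.v2.argotunnel.com from 10.0.5.23",
    "Aug 17 10:01:03 dnsmasq[412]: query[A] www.example.com from 10.0.5.23",
    "Aug 17 10:02:10 dnsmasq[412]: query[A] api.trycloudflare.com from 10.0.5.77",
    "Aug 17 10:02:11 dnsmasq[412]: query[AAAA] quic.cftunnel.com from 10.0.5.23",
]
SAMPLE_CONN = [
    "proto=udp src=10.0.5.23 dst=198.41.200.13 dport=7844",
    "proto=tcp src=10.0.5.23 dst=198.41.200.13 dport=443",
    "proto=tcp src=10.0.5.77 dst=198.41.192.7 dport=7844",
]

if __name__ == "__main__":
    for host, ind in correlate(SAMPLE_DNS, SAMPLE_CONN).items():
        level = "HIGH" if ind["dns"] and ind["port7844"] else "MEDIUM"
        print(f"{level}: {host} dns={ind['dns']} port7844={ind['port7844']}")
```

Feed your own resolver and firewall logs into `correlate`; a host that both resolves a tunnel domain and opens 7844 outbound deserves an immediate look, while a 7844 connection alone may still be a legitimate cloudflared deployment that should be inventoried. The hash check is only as good as the release list you maintain, and an attacker can rename or repack the client, so treat it as one signal among several rather than the primary control.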
