Attackers use Cloudflare Tunnel to proxy into victim networks

Cloudflare Tunnel is a powerful tunneling solution that gives organizations a way to securely make internal applications and services accessible to external users while benefiting from the defenses and authentication policies enforced by the Cloudflare network. Like most tools that are meant to make infrastructure administration easier and more secure, they can also be abused by attackers.

Researchers from GuidePoint Security have reported that their teams have investigated multiple incidents this year where attackers used the Cloudflare Tunnel to maintain access to victim networks. While the attacks were not highly sophisticated, they believe more threat actors will adopt the tool because of its powerful features and ease of use.

“The key point is that cloudflared [the Cloudflare Tunnel daemon] reaches out to the Cloudflare Edge Servers, creating an outbound connection over HTTPS (HTTP2/QUIC), where the tunnel’s controller makes services or private networks accessible via Cloudflare console configuration changes,” Nic Finn, a senior threat intelligence consultant at GuidePoint, said in a report. “These changes are managed through Cloudflare’s Zero Trust dashboard and are used to allow external sources to directly access important services, including SSH, RDP, SMB, and others.”

Benefits for attackers using Cloudflare Tunnel

First, installing the Cloudflare Tunnel is very easy. Versions are available for Windows, macOS, and various Linux distributions, as well as for Intel and ARM CPU architectures. All that’s required is to download an executable called Cloudflared and run it. This Cloudflare Tunnel daemon is open source and developed by a trusted company, so security applications are likely to whitelist it.

The second important benefit for the attacker is that all the configurations for the tunnel can be made from their Cloudflare dashboard. All that’s required to provide the local daemon with these configurations is to provide it with a token generated by the dashboard. This also means that tunnel configuration can be updated easily and remotely anytime the attacker wants.

For example, say the attacker wants to connect to the compromised machine via SSH or Remote Desktop Protocol (RDP) or access files via SMB, but the machine only has these services enabled for the internal network. The attacker might not have access to expose these services to inbound connections in the network firewall, and even if they did, having a system suddenly receive SSH or RDP connections from a host on the internet could trigger security alerts in network monitoring products.

By using Cloudflare Tunnel, the attacker only needs to specify in their tunnel configuration on the Cloudflare dashboard that they want to access a specific service on the local machine and the daemon will set up the bridge for them, allowing them to appear as if they’re connecting it from the local machine itself.

The clear benefit for the attacker is that from a network monitoring perspective, the traffic will be tunneled through an encrypted connection to a Cloudflare edge server. Cloudflare’s IP addresses are generally trusted so such a connection would not necessarily appear as suspicious. Also, the connection would appear as outbound — the machine connected to Cloudflare.

Cloudflare Tunnel could expose the entire network

It gets worse. Cloudflare Tunnel allows users to route an entire network IP range through the tunnel, so attackers could deploy it on one machine and then use it to access any services on the local network even if they run on different machines, essentially working as a VPN. In fact, an attacker can deploy Cloudflare WARP, Cloudflare’s VPN-like solution, on their own machine and then use the tunnel as if they were on the same network as the compromised system.

One downside is that attackers would require a Cloudflare account, which could be suspended easily once the abuse is discovered. However, Finn points out that Cloudflare offers an accountless option for deployments that are limited to a single tunnel through a feature called Try Cloudflare. This will create a unique subdomain for the tunnel on the trycloudflare.com subdomain. While it will normally only allow proxying a HTTP service, attackers could use additional tools like socat to first convert data streams for any TCP services like RDP into HTTP.

Detection and defense against compromised Cloudflare Tunnel

“Attempting to capture actionable threat intelligence from Cloudflared on a victim machine can be difficult,” Finn said. “First, Cloudflared does not store logs on the tunnel server by default. If Cloudflared is executed from a command line, the log output is sent to stdout, meaning a defender may be able to view the activity in real time but only if they have access to the process in a command prompt or terminal context. This becomes problematic if the threat actor runs Cloudflared as a service on the victim machine.

“For environments where the Cloudflared output is accessible to SOC and CTI team members, these should be reviewed to determine whether any domains have been configured in the attacker’s Cloudflare Tunnel configuration,” Finn said.

One way to detect the use of Cloudflare Tunnel is to monitor for DNS queries for several hosts including update.argotunnel.com, protocol-v2.argotunnel.com, and *.v2.argotunnel.com. The tunnel daemon will attempt to connect to the IP addresses returned by these queries, which will usually be the closest Cloudflare edge servers to the victim in different regions.

The subsequent connections to these IP addresses will occur using the QUIC protocol on port 7844, so monitoring for outbound connections to this port could indicate Cloudflare Tunnel use on a network. Of course, if Cloudflare Tunnel is already being used on the network in an authorized manner, additional filters need to be put in place such as excluding specific IP addresses where Cloudflared is known and authorized to run.

Other detection methods could include monitoring locally on machines for command line or process execution logs that contain the arguments “tunnel run -token” and related variants. File hashes for Cloudflared binary releases could also be added to a local EDR.

“It’s only a matter of time before this tool is used by many threat actors for persistence and exfiltration,” Finn said. “Defenders need to get ahead of this threat and have a clear understanding of how the tool operates. Also, policies need to be established to prevent the execution of this tool without a manual approval process. Teams need to make similar considerations establishing policies for all living-off-the-land tools that can be abused by threat actors within a network.”

Cloud Security, Cyberattacks, Network Security

Go to Source