Tunnel Hackers Exploit Cloudflare Network

Hackers are increasingly exploiting the legitimate function of Cloudflare Tunnels to establish covert HTTPS connections from infected devices, evading firewalls and maintaining long-term persistence within systems

Cloudflare Tunnels, a popular feature offered by Cloudflare, enables the creation of secure outbound connections for web servers or applications

This loophole, exploited by cybercriminals, is not entirely new. In January of this year, we reported on attackers utilizing Cloudflare Tunnels to create malicious Pypi packages for surreptitious data theft or remote device access

However, it appears that this tactic is being used more and more. Last week, researchers from Guidepoint Security noted a surge in this activity

To deploy the tunnel, Cloudflare users simply need to install one of the available CloudFlared clients for Linux, Windows, MacOS, or Docker. Once installed, the service allows access to the internet through the specified host, facilitating legitimate use cases such as resource sharing and testing

Cloudflare Tunnels offers a wide range of access controls, gateway settings, team management, and user analytics, providing a high level of control over the tunnel and the services it provides

Guidepoint researchers have found that attackers are increasingly using Cloudflare Tunnels for illicit purposes, gaining persistent hidden access to victims’ networks and exfiltrating data from infected devices

All it takes is a single command from the victim’s device, which reveals nothing other than the unique token of the attacker’s tunnel. The attacker can then modify the tunnel’s configuration in real-time, enabling or disabling it as needed

“The tunnel is updated as soon as the configuration change is made in the Cloudflare control panel, allowing attackers to enable functionality only when they need to take action on the victim’s system and then disable it to avoid detection,” explained the researchers at Guidepoint

Since the HTTPS connection and data exchange occur through the QUIC protocol on Port 7844, it is unlikely that network firewalls or other protection mechanisms will detect this process unless they have been specifically configured to do so

Furthermore, attackers can enhance their secrecy by utilizing the “Try Cloudflare” feature, which allows the creation of disposable tunnels without the need for an account registration

However, hackers are not limited to these methods. Guidepoint observed that attackers can also abuse private networks, whereby setting up a tunnel on a single infected device grants them access to the entire range of internal IP addresses

To detect unauthorized use of Cloudflare Tunnels, Guidepoint researchers recommend monitoring specific DNS checks,

/Reports, release notes, official announcements.