Hackers are increasingly abusing the legitimate Cloudflare Tunnels feature to create stealthy HTTPS connections from compromised devices, bypass firewalls, and maintain long-term persistence.
The technique isn’t entirely new, as Phylum reported in January 2023 that threat actors created malicious PyPI packages that used Cloudflare Tunnels to stealthy steal data or remotely access devices.
However, it appears that more threat actors have started to use this tactic, as GuidePoint’s DFIR and GRIT teams reported last week, seeing an uptick in activity.
Abusing Cloudflare Tunnels
CloudFlare Tunnels is a popular feature provided by Cloudflare, allowing users to create secure, outbound-only connections to the Cloudflare network for web servers or applications.
Users can deploy a tunnel simply by installing one of the available cloudflared clients for Linux, Windows, macOS, and Docker.
From there, the service is exposed to the internet on a user-specified hostname to accommodate legitimate use-case scenarios such as resource sharing, testing, etc.
Cloudflare Tunnels provide a range of access controls, gateway configurations, team management, and user analytics, giving users a high degree of control over the tunnel and the exposed compromised services.
In GuidePoint’s report, the researchers say that more threat actors abuse Cloudflare Tunnels for nefarious purposes, such as gaining stealthy persistent access to the victim’s network, evading detection, and exfiltrating compromised devices’ data.
A single command from the victim’s device, which doesn’t expose anything other than the attacker’s unique tunnel token, is enough to set up the discreet communication channel. At the same time, the threat actor can modify a tunnel’s configuration, disable, and enable it as needed in real-time.
“The tunnel updates as soon as the configuration change is made in the Cloudflare Dashboard, allowing TAs to enable functionality only when they want to conduct activities on the victim machine, then disable functionality to prevent exposure of their infrastructure,” explains GuidePoint.
“For example, the TA could enable RDP connectivity, collect information from the victim machine, then disable RDP until the following day, thus lowering the chance of detection or the ability to observe the domain utilized to establish the connection.”
Because the HTTPS connection and data exchange occurs over QUIC on port 7844, it is unlikely that firewalls or other network protection solutions will flag this process unless they are specifically configured to do so.
Also, if the attacker wants to be even more stealthy, they can abuse Cloudflare’s ‘TryCloudflare‘ feature that lets users create one-time tunnels without creating an account.
To make matters worse, GuidePoint says it’s also possible to abuse Cloudflare’s ‘Private Networks’ feature to allow an attacker who has established a tunnel to a single client (victim) device to access an entire range of internal IP addresses remotely.
“Now that the private network is configured, I can pivot to devices on the local network, accessing services that are limited to local network users,” warned GuidePoint researcher Nic Finn.
To detect unauthorized use of Cloudflare Tunnels, GuidePoint recommends that organizations monitor for specific DNS queries (shared in the report) and use non-standard ports like 7844.
Furthermore, as Cloudflare Tunnel requires the installation of the ‘cloudflared‘ client, defenders can detect its use by monitoring file hashes associated with client releases.