Recent findings indicate that cybercriminals are exploiting Cloudflare Tunnels to create hidden communication paths from hacked systems, maintaining ongoing access. Cloudflared, a command-line tool for Cloudflare Tunnel, is notably similar to ngrok, but offers more free features, including hosting TCP connections. It enables secure links between a web server and Cloudflare, concealing server IP addresses and guarding against DDoS and brute-force attacks.
For an attacker who already holds elevated access on a compromised host, this presents an opportunity to establish persistence: they generate a tunnel token and start cloudflared on the infected machine with it. Because the tunnel's configuration is managed from the Cloudflare Dashboard, they can enable exposed services on the target machine when needed and disable them again afterwards to reduce the chance of detection.
A concerning aspect is the use of the tunnel’s Private Networks feature by adversaries to access a network’s IP addresses secretly, effectively being on the same network as the compromised host. This technique has been employed in real-world attacks, as seen in two separate incidents targeting the Python Package Index (PyPI) repository, where malicious packages downloaded cloudflared for remote access via a Flask web application.
To counter this misuse, organizations that use Cloudflare can restrict their services to specific data centers and set up alerts for unexpected cloudflared tunnel traffic. In addition, robust logging that captures unusual commands, DNS queries, and outbound connections, together with blocking downloads of the cloudflared executable, is recommended for detecting unauthorized tunnel usage.
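As an added example (not code from the original article or from any vendor), the following detector applies the three logging recommendations above to normalized process, DNS and network-connection events. The tunnel domain suffix and port are assumptions based on cloudflared's documented control-plane endpoints and should be verified against current Cloudflare documentation; the telemetry is constructed, and the third process event shows why matching on command-line arguments catches a renamed binary that an image-name rule would miss.

```python
"""Toy detector for unauthorized cloudflared tunnel activity (added example)."""
import re
from typing import Iterable, Optional

# Assumed cloudflared control-plane indicators; verify before deploying.
TUNNEL_DOMAIN_SUFFIX = ".argotunnel.com"
TUNNEL_PORT = 7844
# cloudflared's "tunnel run --token" invocation, matched on arguments so
# that a renamed binary is still caught.
TUNNEL_ARGS = re.compile(r"\btunnel\b.*(?:\brun\b|--token)")


def check_event(ev: dict) -> Optional[str]:
    """Return an alert string for one normalized event, or None if benign."""
    kind = ev.get("type")
    if kind == "process":
        # Basename of the image path, for both Windows and POSIX separators.
        exe = ev.get("image", "").rsplit("/", 1)[-1].rsplit("\\", 1)[-1].lower()
        cmd = ev.get("cmdline", "")
        if exe in ("cloudflared", "cloudflared.exe"):
            return f"cloudflared binary executed on {ev['host']}: {cmd}"
        if TUNNEL_ARGS.search(cmd):
            return f"tunnel-style arguments under image {exe} on {ev['host']}: {cmd}"
    elif kind == "dns":
        query = ev.get("query", "").lower().rstrip(".")
        if query.endswith(TUNNEL_DOMAIN_SUFFIX):
            return f"DNS lookup of tunnel endpoint {query} from {ev['host']}"
    elif kind == "netconn":
        if ev.get("direction") == "outbound" and ev.get("dst_port") == TUNNEL_PORT:
            return f"outbound connection to tunnel port {TUNNEL_PORT} from {ev['host']}"
    return None


def scan(events: Iterable[dict]) -> list:
    """Run every event through check_event and keep the alerts."""
    return [a for a in (check_event(e) for e in events) if a]


# Constructed sample telemetry (not real data); token values are redacted.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"type": "process", "host": "ws01", "image": "C:\\Users\\Public\\cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel run --token <REDACTED>"},
    {"type": "process", "host": "srv02", "image": "/tmp/.x/update",
     "cmdline": "./update tunnel --no-autoupdate run --token <REDACTED>"},
    {"type": "dns", "host": "srv02", "query": "region1.v2.argotunnel.com."},
    {"type": "dns", "host": "ws01", "query": "www.example.com"},
    {"type": "netconn", "host": "srv02", "direction": "outbound", "dst_port": 7844},
    {"type": "netconn", "host": "ws01", "direction": "outbound", "dst_port": 443},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```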