Potential Abuse of Cloudflare Tunnels via Cloudflared
Attackers are increasingly abusing Cloudflare tunnels, created via the cloudflared client, for establishing stealthy command and control channels and evading network defenses by proxying traffic through Cloudflare's infrastructure.
Cloudflared is a legitimate tool used to create secure tunnels through the Cloudflare network, providing access to services or private networks behind a firewall without opening inbound ports. Attackers are abusing cloudflared in a similar fashion to ngrok, to establish reverse tunnels, creating stealthy command and control (C2) channels. By leveraging Cloudflare’s infrastructure, attackers can effectively mask their malicious traffic, making it difficult to detect and block. This technique has been observed in the wild with increasing frequency, posing a significant challenge to traditional network security monitoring. Defenders should monitor for suspicious cloudflared command-line arguments and network activity.
Attack Chain
- The attacker gains initial access to a compromised system, often through phishing or exploiting a vulnerability.
- The attacker downloads the cloudflared client onto the compromised system. This can be achieved through various methods, including PowerShell or command-line execution.
- The attacker executes the cloudflared client with specific command-line arguments to establish a tunnel. This includes specifying a run token, a URL pointing to a local service (localhost), or a pre-configured tunnel configuration.
- Cloudflared establishes an outbound connection to Cloudflare’s edge servers over HTTPS (HTTP/2 or QUIC), creating the tunnel; because the connection is outbound only, no inbound firewall rule is needed.
- The attacker proxies traffic through the Cloudflare tunnel to a command and control (C2) server, masking the origin of the traffic.
- The attacker uses the established tunnel for various malicious activities, such as data exfiltration, lateral movement, or deploying ransomware.
- The attacker maintains persistence by configuring cloudflared to run automatically on system startup or through scheduled tasks.
Impact
Successful exploitation allows attackers to establish persistent, stealthy command and control channels, bypassing traditional network security controls. This can lead to data exfiltration, ransomware deployment, and other malicious activities. The abuse of Cloudflare tunnels makes it difficult to trace the origin of the attack, hindering incident response efforts. Without proper detection, organizations may be unaware of the presence of malicious actors within their network.
Recommendation
- Monitor process creation events (Sysmon Event ID 1, Windows Security Event Log 4688) for command-line arguments associated with cloudflared execution, specifically looking for "tunnel", "run", "token", "--url", and "localhost" (see the provided Splunk search query).
- Implement the provided Sigma rules to detect suspicious cloudflared tunnel execution based on command-line arguments.
- Review and filter alerts generated by the Sigma rules based on approved usage and trusted users to reduce false positives, as legitimate DevOps or IT teams may use Cloudflared.
- Inspect network connections for outbound traffic to Cloudflare’s infrastructure originating from unusual or unauthorized processes to identify potential tunnel abuse.
Detection coverage (2 rules)
Detect Cloudflared Tunnel Execution via Commandline
Severity: high. Detects the execution of cloudflared with command-line parameters indicative of tunnel creation.
Detect Cloudflared Process Launched from Suspicious Parent
Severity: medium. Detects cloudflared being launched from unusual parent processes like cmd, powershell, or wscript, which could indicate malicious activity.
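The two rules described above, together with the allow-list filtering step from the Recommendation section, can be expressed as a small piece of detection logic run over process-creation events. The following is an added example, not the platform's own Sigma rules or Splunk query: the events are constructed to resemble Sysmon Event ID 1 fields (Image, CommandLine, ParentImage, User), the approved-user allow-list and the account names are assumptions, and the two-indicator threshold for the first rule is a design choice of this example so that a bare "cloudflared tunnel list" does not fire.

```python
import ntpath

# Command-line words the page names as indicative of tunnel creation.
# "--url" (and "--token") are matched after stripping their leading dashes.
TUNNEL_INDICATORS = {"tunnel", "run", "token", "url"}

# Parent processes the page names as unusual launchers for cloudflared.
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe"}

# Assumed allow-list of accounts approved to run cloudflared (hypothetical).
APPROVED_USERS = {r"CORP\devops-svc"}


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def is_cloudflared(image: str) -> bool:
    # Match the binary by its name; renamed copies are out of scope here.
    return basename(image).startswith("cloudflared")


def tunnel_indicators(cmdline: str) -> set:
    """Return which of the page's indicator words appear in a command line."""
    found = set()
    for word in cmdline.split():
        lowered = word.lower()
        # "--url=http://..." -> "url"; "--token" -> "token"; "run" -> "run"
        name = lowered.lstrip("-").split("=", 1)[0]
        if name in TUNNEL_INDICATORS:
            found.add(name)
        if "localhost" in lowered:  # e.g. "--url http://localhost:8080"
            found.add("localhost")
    return found


def evaluate(event: dict) -> list:
    """Apply both rules to one process-creation event; return raw matches."""
    alerts = []
    if not is_cloudflared(event["Image"]):
        return alerts
    indicators = tunnel_indicators(event["CommandLine"])
    # Two or more indicators together: "tunnel list" alone does not fire.
    if len(indicators) >= 2:
        alerts.append(("Cloudflared Tunnel Execution via Commandline", "high",
                       sorted(indicators)))
    parent = basename(event["ParentImage"])
    if parent in SUSPICIOUS_PARENTS:
        alerts.append(("Cloudflared Launched from Suspicious Parent", "medium",
                       [parent]))
    return alerts


def run_detections(events, approved_users=APPROVED_USERS) -> list:
    """Evaluate events and suppress matches for approved users (the page's
    false-positive filtering step). Returns (rule, severity, user, detail)."""
    results = []
    for ev in events:
        for rule, sev, detail in evaluate(ev):
            if ev["User"] in approved_users:
                continue  # approved usage: suppressed rather than alerted
            results.append((rule, sev, ev["User"], detail))
    return results


# Constructed sample events shaped like Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {  # tunnel with a run token, spawned by PowerShell: both rules match
        "Image": r"C:\Users\Public\cloudflared.exe",
        "CommandLine": "cloudflared.exe tunnel run --token TOKEN_PLACEHOLDER",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "User": r"CORP\jdoe",
    },
    {  # approved DevOps usage: matches rule 1 but is suppressed by the allow-list
        "Image": r"C:\Program Files (x86)\cloudflared\cloudflared.exe",
        "CommandLine": "cloudflared.exe tunnel --url http://localhost:8080",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "User": r"CORP\devops-svc",
    },
    {  # benign version check from Explorer: no indicators, normal parent
        "Image": r"C:\Program Files (x86)\cloudflared\cloudflared.exe",
        "CommandLine": "cloudflared.exe --version",
        "ParentImage": r"C:\Windows\explorer.exe",
        "User": r"CORP\jdoe",
    },
    {  # unrelated process spawned by cmd.exe: not cloudflared, ignored
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe notes.txt",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": r"CORP\jdoe",
    },
]

if __name__ == "__main__":
    for rule, sev, user, detail in run_detections(SAMPLE_EVENTS):
        print(f"[{sev}] {rule} user={user} detail={detail}")
```

Run as-is, the script reports two alerts for the first event and nothing for the others; clearing the allow-list (`run_detections(SAMPLE_EVENTS, approved_users=set())`) makes the DevOps tunnel surface as well, which is the trade-off the Recommendation section describes when tuning by approved usage.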