{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/cloudflared/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Cloudflared","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["cloudflared","reverse-proxy","tunneling","network-tunnel"],"_cs_type":"advisory","_cs_vendors":["Cloudflare","Splunk"],"content_html":"\u003cp\u003eCloudflared is a tool that creates secure tunnels through Cloudflare\u0026rsquo;s network, similar in function to ngrok. Attackers can abuse Cloudflared to establish stealthy connections to compromised systems, bypassing traditional network security controls. The tool creates an outbound connection over HTTPS (HTTP2/QUIC) to Cloudflare Edge Servers. The tunnel controller then makes services or private networks accessible, potentially enabling data exfiltration or remote access without direct exposure of the target system. This technique has been observed in the wild, where threat actors leverage Cloudflare tunnels to mask their activities. 
Detecting Cloudflared connections can be challenging due to the legitimate use of the tool, but monitoring network connections for specific patterns can help identify potentially malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a target system, potentially through phishing or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker downloads and installs the Cloudflared tool on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker configures Cloudflared to create a tunnel to a Cloudflare Edge Server, specifying a local service or port to forward.\u003c/li\u003e\n\u003cli\u003eCloudflared establishes an outbound connection to Cloudflare over HTTPS (HTTP2/QUIC) on port 7844.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the Cloudflare tunnel to access internal resources or exfiltrate data from the compromised system, bypassing traditional network security controls.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access through the Cloudflare tunnel, enabling ongoing command and control.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the tunnel to proxy connections to other internal systems, further expanding their reach within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data theft, ransomware deployment, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to internal resources, data exfiltration, and potential compromise of sensitive information. The use of Cloudflare tunnels makes it difficult to trace the attacker\u0026rsquo;s origin, hindering incident response efforts. Abuse of Cloudflared may lead to full system compromise, intellectual property theft, and reputational damage. 
While no specific victim counts or sector targeting is identified in this source, the increasing abuse of Cloudflare tunnels by hackers is noted by BleepingComputer.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect Potential Cloudflared Network Tunnel\u0026rdquo; Sigma rule to your SIEM and tune it for your environment, focusing on \u003ccode\u003eNetwork_Traffic.All_Traffic\u003c/code\u003e data model, dest_port 7844, and associated network connection details.\u003c/li\u003e\n\u003cli\u003eImplement Sysmon Event ID 3 (Network Connect) logging to provide the data necessary for the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eFilter alerts generated by the Sigma rule based on known and approved Cloudflared deployments within the organization to reduce false positives, as noted in the \u0026ldquo;known_false_positives\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eReview network connection logs for outbound connections to Cloudflare Edge Servers on destination port 7844, as highlighted in the attack chain, to identify potential unauthorized Cloudflared usage.\u003c/li\u003e\n\u003cli\u003eInvestigate endpoints exhibiting suspicious network connection behavior involving Cloudflared, focusing on process ancestry and command-line arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-cloudflared-tunnel/","summary":"This brief detects network connection events associated with the Cloudflared tool, used to create tunnels via Cloudflare, potentially for unauthorized access or exfiltration, by establishing outbound connections to Cloudflare Edge Servers.","title":"Potential Cloudflared Network Tunnel Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-cloudflared-tunnel/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Cloudflared","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["cloudflare","reverse-proxy","tunnel","command-and-control"],"_cs_type":"advisory","_cs_vendors":["Cloudflare","Splunk"],"content_html":"\u003cp\u003eCloudflared is a legitimate tool used to create secure tunnels through the Cloudflare network, providing access to services or private networks behind a firewall without opening inbound ports. Attackers are abusing cloudflared in a similar fashion to ngrok, to establish reverse tunnels, creating stealthy command and control (C2) channels. By leveraging Cloudflare\u0026rsquo;s infrastructure, attackers can effectively mask their malicious traffic, making it difficult to detect and block. This technique has been observed in the wild with increasing frequency, posing a significant challenge to traditional network security monitoring. Defenders should monitor for suspicious cloudflared command-line arguments and network activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a compromised system, often through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker downloads the cloudflared client onto the compromised system. This can be achieved through various methods, including PowerShell or command-line execution.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the cloudflared client with specific command-line arguments to establish a tunnel. 
This includes specifying a run token, a URL pointing to a local service (localhost), or a pre-configured tunnel configuration.\u003c/li\u003e\n\u003cli\u003eCloudflared establishes an outbound connection to Cloudflare\u0026rsquo;s edge servers over HTTPS (HTTP2/QUIC), creating a tunnel controller.\u003c/li\u003e\n\u003cli\u003eThe attacker proxies traffic through the Cloudflare tunnel to a command and control (C2) server, masking the origin of the traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the established tunnel for various malicious activities, such as data exfiltration, lateral movement, or deploying ransomware.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by configuring cloudflared to run automatically on system startup or through scheduled tasks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish persistent, stealthy command and control channels, bypassing traditional network security controls. This can lead to data exfiltration, ransomware deployment, and other malicious activities. The abuse of Cloudflare tunnels makes it difficult to trace the origin of the attack, hindering incident response efforts. 
Without proper detection, organizations may be unaware of the presence of malicious actors within their network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events (Sysmon Event ID 1, Windows Event Log Security 4688) for command-line arguments associated with cloudflared execution, specifically looking for \u0026ldquo;tunnel\u0026rdquo;, \u0026ldquo;run\u0026rdquo;, \u0026ldquo;token\u0026rdquo;, \u0026ldquo;--url\u0026rdquo;, and \u0026ldquo;localhost\u0026rdquo; (see the provided Splunk search query).\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rules to detect suspicious cloudflared tunnel execution based on command-line arguments.\u003c/li\u003e\n\u003cli\u003eReview and filter alerts generated by the Sigma rules based on approved usage and trusted users to reduce false positives, as legitimate DevOps or IT teams may use Cloudflared.\u003c/li\u003e\n\u003cli\u003eInspect network connections for outbound traffic to Cloudflare\u0026rsquo;s infrastructure originating from unusual or unauthorized processes to identify potential tunnel abuse.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-cloudflared-tunnel-execution/","summary":"Attackers are increasingly abusing Cloudflare tunnels, created via the cloudflared client, for establishing stealthy command and control channels and evading network defenses by proxying traffic through Cloudflare's infrastructure.","title":"Potential Abuse of Cloudflare Tunnels via Cloudflared","url":"https://feed.craftedsignal.io/briefs/2024-01-03-cloudflared-tunnel-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — Cloudflared","version":"https://jsonfeed.org/version/1.1"}