<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Network-Tunnel — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/network-tunnel/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/network-tunnel/feed.xml" rel="self" type="application/rss+xml"/><item><title>Potential Cloudflared Network Tunnel Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-cloudflared-tunnel/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-cloudflared-tunnel/</guid><description>This brief detects network connection events associated with the Cloudflared tool, used to create tunnels via Cloudflare, potentially for unauthorized access or exfiltration, by establishing outbound connections to Cloudflare Edge Servers.</description><content:encoded><![CDATA[<p>Cloudflared is a tool that creates secure tunnels through Cloudflare&rsquo;s network, similar in function to ngrok. Attackers can abuse Cloudflared to establish stealthy connections to compromised systems, bypassing traditional network security controls. The tool creates an outbound connection over HTTPS (HTTP2/QUIC) to Cloudflare Edge Servers. The tunnel controller then makes services or private networks accessible, potentially enabling data exfiltration or remote access without direct exposure of the target system. 
This technique has been observed in the wild, where threat actors leverage Cloudflare tunnels to mask their activities. Detecting Cloudflared connections can be challenging due to the legitimate use of the tool, but monitoring network connections for specific patterns can help identify potentially malicious activity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to a target system, potentially through phishing or exploitation of a vulnerability.</li>
<li>The attacker downloads and installs the Cloudflared tool on the compromised system.</li>
<li>The attacker configures Cloudflared to create a tunnel to a Cloudflare Edge Server, specifying a local service or port to forward.</li>
<li>Cloudflared establishes an outbound connection to Cloudflare over HTTPS (HTTP2/QUIC) on port 7844.</li>
<li>The attacker uses the Cloudflare tunnel to access internal resources or exfiltrate data from the compromised system, bypassing traditional network security controls.</li>
<li>The attacker maintains persistent access through the Cloudflare tunnel, enabling ongoing command and control.</li>
<li>The attacker may use the tunnel to proxy connections to other internal systems, further expanding their reach within the network.</li>
<li>The attacker achieves their objective, such as data theft, ransomware deployment, or disruption of services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized access to internal resources, data exfiltration, and potential compromise of sensitive information. The use of Cloudflare tunnels makes it difficult to trace the attacker&rsquo;s origin, hindering incident response efforts. Abuse of Cloudflared may lead to full system compromise, intellectual property theft, and reputational damage. While no specific victim counts or sector targeting is identified in this source, the increasing abuse of Cloudflare tunnels by hackers is noted by BleepingComputer.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the &ldquo;Detect Potential Cloudflared Network Tunnel&rdquo; Sigma rule to your SIEM and tune it for your environment, focusing on the <code>Network_Traffic.All_Traffic</code> data model, dest_port 7844, and the associated network connection details.</li>
<li>Enable Sysmon Event ID 3 (Network Connect) logging to supply the data the Sigma rule requires.</li>
<li>Filter alerts generated by the Sigma rule based on known and approved Cloudflared deployments within the organization to reduce false positives, as noted in the &ldquo;known_false_positives&rdquo; section.</li>
<li>Review network connection logs for outbound connections to Cloudflare Edge Servers on destination port 7844, as highlighted in the attack chain, to identify potential unauthorized Cloudflared usage.</li>
<li>Investigate endpoints exhibiting suspicious network connection behavior involving Cloudflared, focusing on process ancestry and command-line arguments.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloudflared</category><category>reverse-proxy</category><category>tunneling</category><category>network-tunnel</category></item></channel></rss>