<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Reverse-Proxy — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/reverse-proxy/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/reverse-proxy/feed.xml" rel="self" type="application/rss+xml"/><item><title>Potential Cloudflared Network Tunnel Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-cloudflared-tunnel/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-cloudflared-tunnel/</guid><description>This brief detects network connection events associated with the Cloudflared tool, used to create tunnels via Cloudflare, potentially for unauthorized access or exfiltration, by establishing outbound connections to Cloudflare Edge Servers.</description><content:encoded><![CDATA[<p>Cloudflared is a tool that creates secure tunnels through Cloudflare&rsquo;s network, similar in function to ngrok. Attackers can abuse Cloudflared to establish stealthy connections to compromised systems, bypassing traditional network security controls. The tool creates an outbound connection over HTTPS (HTTP2/QUIC) to Cloudflare Edge Servers. The tunnel controller then makes services or private networks accessible, potentially enabling data exfiltration or remote access without direct exposure of the target system. 
This technique has been observed in the wild, where threat actors leverage Cloudflare tunnels to mask their activities. Detecting Cloudflared connections can be challenging due to the legitimate use of the tool, but monitoring network connections for specific patterns can help identify potentially malicious activity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to a target system, potentially through phishing or exploitation of a vulnerability.</li>
<li>The attacker downloads and installs the Cloudflared tool on the compromised system.</li>
<li>The attacker configures Cloudflared to create a tunnel to a Cloudflare Edge Server, specifying a local service or port to forward.</li>
<li>Cloudflared establishes an outbound connection to Cloudflare over HTTPS (HTTP2/QUIC) on port 7844.</li>
<li>The attacker uses the Cloudflare tunnel to access internal resources or exfiltrate data from the compromised system, bypassing traditional network security controls.</li>
<li>The attacker maintains persistent access through the Cloudflare tunnel, enabling ongoing command and control.</li>
<li>The attacker may use the tunnel to proxy connections to other internal systems, further expanding their reach within the network.</li>
<li>The attacker achieves their objective, such as data theft, ransomware deployment, or disruption of services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized access to internal resources, data exfiltration, and potential compromise of sensitive information. The use of Cloudflare tunnels makes it difficult to trace the attacker&rsquo;s origin, hindering incident response efforts. Abuse of Cloudflared may lead to full system compromise, intellectual property theft, and reputational damage. While no specific victim counts or sector targeting are identified in this source, BleepingComputer has noted the increasing abuse of Cloudflare tunnels by hackers.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the &ldquo;Detect Potential Cloudflared Network Tunnel&rdquo; Sigma rule to your SIEM and tune it for your environment, focusing on the <code>Network_Traffic.All_Traffic</code> data model, dest_port 7844, and the associated network connection details.</li>
<li>Implement Sysmon Event ID 3 (Network Connect) logging to provide the data necessary for the provided Sigma rule.</li>
<li>Filter alerts generated by the Sigma rule based on known and approved Cloudflared deployments within the organization to reduce false positives, as noted in the &ldquo;known_false_positives&rdquo; section.</li>
<li>Review network connection logs for outbound connections to Cloudflare Edge Servers on destination port 7844, as highlighted in the attack chain, to identify potential unauthorized Cloudflared usage.</li>
<li>Investigate endpoints exhibiting suspicious network connection behavior involving Cloudflared, focusing on process ancestry and command-line arguments.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloudflared</category><category>reverse-proxy</category><category>tunneling</category><category>network-tunnel</category></item><item><title>Potential Abuse of Cloudflare Tunnels via Cloudflared</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-cloudflared-tunnel-execution/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-cloudflared-tunnel-execution/</guid><description>Attackers are increasingly abusing Cloudflare tunnels, created via the cloudflared client, for establishing stealthy command and control channels and evading network defenses by proxying traffic through Cloudflare's infrastructure.</description><content:encoded><![CDATA[<p>Cloudflared is a legitimate tool used to create secure tunnels through the Cloudflare network, providing access to services or private networks behind a firewall without opening inbound ports. Attackers are abusing cloudflared in a similar fashion to ngrok, to establish reverse tunnels, creating stealthy command and control (C2) channels. By leveraging Cloudflare&rsquo;s infrastructure, attackers can effectively mask their malicious traffic, making it difficult to detect and block. This technique has been observed in the wild with increasing frequency, posing a significant challenge to traditional network security monitoring. Defenders should monitor for suspicious cloudflared command-line arguments and network activity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to a compromised system, often through phishing or exploiting a vulnerability.</li>
<li>The attacker downloads the cloudflared client onto the compromised system. This can be achieved through various methods, including PowerShell or command-line execution.</li>
<li>The attacker executes the cloudflared client with specific command-line arguments to establish a tunnel. This includes specifying a run token, a URL pointing to a local service (localhost), or a pre-configured tunnel configuration.</li>
<li>Cloudflared establishes an outbound connection to Cloudflare&rsquo;s edge servers over HTTPS (HTTP2/QUIC), creating a tunnel controller.</li>
<li>The attacker proxies traffic through the Cloudflare tunnel to a command and control (C2) server, masking the origin of the traffic.</li>
<li>The attacker uses the established tunnel for various malicious activities, such as data exfiltration, lateral movement, or deploying ransomware.</li>
<li>The attacker maintains persistence by configuring cloudflared to run automatically on system startup or through scheduled tasks.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to establish persistent, stealthy command and control channels, bypassing traditional network security controls. This can lead to data exfiltration, ransomware deployment, and other malicious activities. The abuse of Cloudflare tunnels makes it difficult to trace the origin of the attack, hindering incident response efforts. Without proper detection, organizations may be unaware of the presence of malicious actors within their network.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor process creation events (Sysmon EventID 1, Windows Event Log Security 4688) for command-line arguments associated with cloudflared execution, specifically looking for &ldquo;tunnel&rdquo;, &ldquo;run&rdquo;, &ldquo;token&rdquo;, &ldquo;--url&rdquo;, and &ldquo;localhost&rdquo; (see the provided Splunk search query).</li>
<li>Implement the provided Sigma rules to detect suspicious cloudflared tunnel execution based on command-line arguments.</li>
<li>Review and filter alerts generated by the Sigma rules based on approved usage and trusted users to reduce false positives, as legitimate DevOps or IT teams may use Cloudflared.</li>
<li>Inspect network connections for outbound traffic to Cloudflare&rsquo;s infrastructure originating from unusual or unauthorized processes to identify potential tunnel abuse.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cloudflare</category><category>reverse-proxy</category><category>tunnel</category><category>command-and-control</category></item><item><title>Microsoft Devtunnels Execution for Covert Communication</title><link>https://feed.craftedsignal.io/briefs/2024-01-devtunnels-execution/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-devtunnels-execution/</guid><description>The execution of Microsoft devtunnels.exe can be abused by attackers to expose compromised systems to the internet, establish covert communication channels, and bypass network security measures, facilitating data exfiltration or command-and-control.</description><content:encoded><![CDATA[<p>Microsoft Devtunnels, a feature within Visual Studio, enables developers to expose local development environments to the internet via secure tunnels. While designed for legitimate testing and debugging, attackers can abuse this functionality to establish covert communication channels from compromised systems. By executing <code>devtunnel.exe</code> or loading <code>devtunnel.dll</code>, an attacker can bypass network security measures and blend malicious activity with legitimate development traffic. This allows for remote access, data exfiltration, or command-and-control communications, making detection more challenging. This technique could be used to expose internal services or systems without proper authentication to the outside world, potentially leading to further compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial compromise of a system via typical methods (e.g., phishing, exploit).</li>
<li>Attacker gains a foothold and establishes persistence on the compromised system.</li>
<li>Attacker executes <code>devtunnel.exe</code> or loads <code>devtunnel.dll</code>.</li>
<li>The Dev Tunnels feature is configured to expose a service or the entire system to the internet.</li>
<li>A secure, temporary tunnel is established, bypassing normal network security measures.</li>
<li>The attacker uses the tunnel to remotely access the compromised system.</li>
<li>Data exfiltration or command-and-control activities are performed through the tunnel.</li>
<li>The attacker maintains persistent access and control over the compromised system, blending their activities with legitimate development traffic.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to create covert communication channels, bypass network security measures, and exfiltrate sensitive data. The use of Dev Tunnels can make it difficult to detect malicious activity, as it blends in with legitimate development traffic. This can lead to prolonged access to compromised systems and significant data breaches. Lateral movement may be easier if internal services are exposed through the tunnel. The number of victims and the extent of the damage depend on the specific targets and the attacker&rsquo;s objectives.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement the Sigma rules provided in this brief to detect the execution of <code>devtunnel.exe</code> and the loading of <code>devtunnel.dll</code> within your environment.</li>
<li>Monitor process creation events (Sysmon EventID 1, Windows Event Log Security 4688, CrowdStrike ProcessRollup2) for the execution of <code>devtunnel.exe</code>.</li>
<li>Investigate any instances of <code>devtunnel.exe</code> execution, especially those originating from unusual locations or user accounts.</li>
<li>Filter alerts for approved development environments and users (as mentioned in the known_false_positives section) to reduce false positives.</li>
<li>Enable Sysmon process-creation logging to ensure the effectiveness of the provided Sigma rules.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>devtunnels</category><category>reverse-proxy</category><category>command-and-control</category><category>defense-evasion</category><category>windows</category></item><item><title>Microsoft Devtunnels Image Load Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-devtunnels-image-load/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-devtunnels-image-load/</guid><description>This detection identifies potential misuse of Microsoft Devtunnels within Visual Studio by detecting image load events, indicating that an attacker could expose a compromised system or service to the internet for covert communication and data exfiltration.</description><content:encoded><![CDATA[<p>Microsoft Devtunnels, a feature within Visual Studio, allows developers to expose their local development environment to the internet through secure, temporary tunnels. While intended for legitimate purposes like testing webhooks and APIs, attackers can abuse this functionality. By exploiting Devtunnels, a malicious actor could expose a compromised system to the internet, establishing a covert communication channel that circumvents traditional network security measures. This unauthorized access enables data exfiltration, command-and-control (C2) communications, and further compromise of the environment while blending the malicious activity with legitimate development traffic. Defenders should monitor for anomalous image loads associated with Devtunnels to identify potential misuse.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker compromises a system within the target network.</li>
<li>Attacker installs or leverages an existing Visual Studio installation on the compromised system.</li>
<li>The attacker configures Microsoft Devtunnels to expose the compromised system to the internet. This may involve creating a new tunnel or hijacking an existing one.</li>
<li>A malicious DLL (devtunnel.dll) is loaded from the temp directory (<code>*\\AppData\\Local\\Temp\\.net\\devtunnel\\*</code>) to establish the tunnel.</li>
<li>The attacker uses the established Devtunnel to create a reverse proxy to bypass network security measures.</li>
<li>The attacker uses the Devtunnel for command and control, sending commands and receiving responses from the compromised system.</li>
<li>The attacker exfiltrates sensitive data from the compromised system through the Devtunnel.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of Microsoft Devtunnels can lead to significant security breaches. Attackers can establish persistent covert communication channels, exfiltrate sensitive data, and maintain long-term control over compromised systems. This can result in financial losses, reputational damage, and legal liabilities. The use of Devtunnels can bypass existing network security measures, making detection challenging and increasing the dwell time of attackers within the network.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Sysmon EventID 7 (image load) logging, which is the data source for the provided detection rule.</li>
<li>Deploy the Sigma rule <code>Detect Devtunnels Image Load</code> to your SIEM and tune the filter <code>windows_devtunnels_image_loaded_filter</code> for your environment to reduce false positives from legitimate developer activity.</li>
<li>Monitor network traffic for connections associated with Devtunnels to identify potential covert communication channels.</li>
<li>Investigate any alerts triggered by the <code>Detect Devtunnels Image Load</code> rule, focusing on systems with development tools installed.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>devtunnels</category><category>reverse-proxy</category><category>command-and-control</category><category>data-exfiltration</category><category>windows</category></item></channel></rss>