TechEcho

A tech news platform built with Next.js, providing global tech news and discussions.

Threat actor abuses Cloudflare tunnels to deliver remote access trojans

320 points by luu 10 months ago

14 comments

peanut-walrus 10 months ago

The times where malicious software was served from a sketchy .ru domain or a naked IP address located at some bullet-proof hosting provider are long gone. The threat actors use the same infra as everyone else - GCP, AWS, Azure, Cloudflare, etc.

They also use the same VPNs for connecting to your machines as your grandparents do for watching Netflix.

The internet as a whole is slowly but steadily moving towards a model where IP addresses and domain names are not useful indicators for security. You can not block your users from visiting Cloudflare or AWS IP ranges and you can not block visitors to your site from major commercial VPN providers.

In addition, all the traffic is encrypted, name lookups are encrypted, so a network operator can not tell anything about what you are doing on the internet.

This is a good thing for multiple reasons. First, it improves privacy and anonymity for the internet users. Second, reducing the effectiveness of network security solutions will make us be able to phase out their usage, which makes the network dumb again and prevents ossification. And third, it forces us to tackle the underlying security issues, rather than supporting a whole industry of ineffective whack-a-mole.
PhilipRoman 10 months ago

Getting a bit tired of these headlines about malware "delivery" via link shorteners or similar. Yeah, guess what - people can host files on the internet in various ways, what a shocker.
neodymiumphish 10 months ago

I actually wrote about malicious use of this very tool a year ago[0] (almost to the day). The only thing new here seems to be what they're doing through the tunnels, and the apparent success they're having with this method for it to increase as a proportion of their overall attack techniques.

TryCloudflare, IMO, is the real problem here. It doesn't require an account at all, so attribution becomes nearly impossible.

0: https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
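A defender-side illustration of the attribution point above (an added example, not code from the thread, from Cloudflare, or from the cited blog): quick tunnels surface in telemetry as DNS lookups for random subdomains of trycloudflare.com and as cloudflared process launches, so this script flags both in constructed DNS and process-creation log lines. The log format and the `KNOWN_GOOD_HOSTS` allowlist are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Quick tunnels get a random subdomain under trycloudflare.com, so a DNS
# lookup for that suffix from an ordinary workstation is worth a look.
QUICK_TUNNEL_RE = re.compile(r"(?:^|\.)trycloudflare\.com$", re.IGNORECASE)
# Hypothetical allowlist: hosts that are expected to run cloudflared.
KNOWN_GOOD_HOSTS = {"build-agent-07"}

@dataclass
class Finding:
    host: str
    kind: str    # "dns" or "proc"
    detail: str

def parse_dns_line(line):
    """Constructed format: '<ts> dns host=<h> qname=<name>'."""
    m = re.match(r"\S+ dns host=(\S+) qname=(\S+)", line)
    return (m.group(1), m.group(2).rstrip(".")) if m else None

def parse_proc_line(line):
    """Constructed format: '<ts> proc host=<h> image=<path> cmd=<args>'."""
    m = re.match(r"\S+ proc host=(\S+) image=(\S+) cmd=(.*)", line)
    return (m.group(1), m.group(2), m.group(3)) if m else None

def triage(lines):
    findings = []
    for line in lines:
        if (dns := parse_dns_line(line)):
            host, qname = dns
            if QUICK_TUNNEL_RE.search(qname) and host not in KNOWN_GOOD_HOSTS:
                findings.append(Finding(host, "dns", qname))
        elif (proc := parse_proc_line(line)):
            host, image, cmd = proc
            base = re.split(r"[\\/]", image)[-1].lower()
            # A renamed binary escapes the image-name check, which is why the
            # command line and the DNS lookups are checked as well.
            looks_like_cf = base.startswith("cloudflared") or re.search(r"\btunnel\b.*--url\b", cmd)
            if looks_like_cf and host not in KNOWN_GOOD_HOSTS:
                findings.append(Finding(host, "proc", f"{image} {cmd}"))
    return findings

# Constructed sample telemetry, not real captured logs.
SAMPLE_LOGS = [
    "2024-07-30T10:01:02Z dns host=ws-114 qname=www.example.com",
    "2024-07-30T10:01:07Z dns host=ws-114 qname=lamp-round-able-sheep.trycloudflare.com.",
    "2024-07-30T10:01:09Z proc host=ws-114 image=C:\\Users\\Public\\cf.exe cmd=tunnel --url http://127.0.0.1:8080",
    "2024-07-30T10:02:00Z dns host=build-agent-07 qname=quiet-mist-ok-bird.trycloudflare.com",
    "2024-07-30T10:02:30Z proc host=build-agent-07 image=/usr/local/bin/cloudflared cmd=tunnel run ci-tunnel",
]
```

Running `triage(SAMPLE_LOGS)` yields two findings for ws-114 (the DNS lookup and the renamed binary) and none for the allowlisted build agent; the DNS check is the one that survives binary renaming, but it only helps where the resolver logs are actually collected.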
lemax 10 months ago

Isn't this what happens to every free quick tunnel product? Was kinda just waiting for this to play out. ngrok had nice zero friction tunneling when it came out but then they had to put everything behind a sign-up flow due to the same sort of abuse.
sebstefan 10 months ago

If it isn't Cloudflare tunnels, it's gonna be asking Google to translate some webpage you host with a payload in the URL or something.

This isn't newsworthy.
wiradikusuma 10 months ago

I guess this is why we can't have nice things on the internet (in this context, nice things from Cloudflare). Did you know you could send emails for free from Cloudflare (https://blog.cloudflare.com/sending-email-from-workers-with-mailchannels)? Well, now you can't. The sunsetting probably was not Cloudflare's fault, but it's more or less similar: nice service, abused.
jasongill 10 months ago

For a long time, Cloudflare had a feature where you could "preview" custom CSS and HTML intended for use with their custom error pages. Basically, the preview feature just took CSS and HTML in a query string and then displayed it on cloudflarepreview.com/....

I reported it and showed how you could trivially create a page that said "Sign in to your Cloudflare account to get access to the Cloudflare beta preview!" and capture Cloudflare login credentials.

The bug bounty was closed as they said it was "accepted as the nature of the cloudflarepreview playground".

Then they fixed it by adding a JWT token to the URL (and no bounty paid).

I've been a Cloudflare customer for a long time but it seems that there are many dark corners of their products that just don't get a lot of attention until they are abused, and I suspect this TryCloudflare thing is one of them.
Terr_ 10 months ago

When it comes to "nobody wants to spend enough money to do moderation and anti-abuse well", it makes me wonder: Whatever happened to early PGP-era ideas that we'd somehow establish new webs of distributed trust and distrust of online identities?

I guess we *sorta kinda* have a little of that in the form of social-media accounts that get "trusted" based on the number of followers and their followers' followers and bots all the way down, etc. Or PageRank and SEO exploitation.
xyst 10 months ago

I wonder if those dreaded endpoint security programs (ie, ClownStrike) would have picked up on this type of attack.

I guess this type of traffic would only get flagged if attackers were skids (ie, re-using known RATs).
rolph 10 months ago

This reminds me of when those AOL free trial account disks were all over the place. In many circles an AOL subdomain would get instabanned.
lacoolj 10 months ago

My immediate internal spam/scam alarm goes off the moment I see "I hope this message finds you well".
edm0nd 10 months ago

Crimeflare strikes again.
anonym29 10 months ago

Cloudflare has been infamous among sysadmins and threat hunters for over a decade [1,2] now for having an almost-nonexistent moderation program. Their services have been routinely abused by malicious actors for years [3,4,5,6,7]. They've arguably been the single largest commercial provider for criminals globally over that time period, including non-tech criminals like drug traffickers and actual terrorists [8,9], to say nothing of aiding and abetting war criminals [10].

In fact, Cloudflare is actually the second largest DNS provider in the world by number of domains served. [11]

They are in a position to log and analyze all of the traffic they decrypt, including all of the plaintext POST data, all of the cookies, all of the origin IPs, L7 payload sizes, and traffic timestamps for over 35 million websites.

Their extensive history of indiscriminately offering "free" services to evildoers likely ties back to their true purpose, which Matthew Prince has admitted to [12], which is to sell all of those passwords, all of that PII, all of your privacy, not only to the US government, but also to other bidders.

It is no exaggeration to say that anyone opposed to spam, phishing, malware, cybercrime, terrorism, war crimes, government surveillance dragnets, and infringements upon one's own digital privacy should have nothing but utter contempt for the soulless monsters responsible for this corporate atrocity.

If you are as passionate about the subject as I am after reading some of these citations, I'd encourage you to boycott any websites using CF that you don't *need* to visit, and make plenty of phone calls to California senators, representatives, and the governor demanding that the state of California revoke Cloudflare's corporate charter and right to conduct business in the state.

[1] https://www.malwarebytes.com/blog/news/2014/12/free-ssl-certificate-from-cloudflare-abused-in-phishing-scam
[2] https://forum.spamcop.net/topic/14194-cloudflare-bulletproof-spammer-hosting/
[3] https://thehackernews.com/2023/08/cybercriminals-abusing-cloudflare-r2.html
[4] https://www.threatdown.com/blog/cloudflare-tunnel-increasingly-abused-by-cybercriminals/
[5] https://any.run/cybersecurity-blog/clouflare-phishing-campaign/
[6] https://venturebeat.com/security/rogue-ad-network-site-likely-infected-thousands-of-users-still-operational/
[7] https://portswigger.net/daily-swig/cybercriminals-use-reverse-tunneling-and-url-shorteners-to-launch-virtually-undetectable-phishing-campaigns
[8] https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/overlapping-technologies-cybercriminals-and-terrorist-organizations
[9] https://cyberscoop.com/cloudflare-ipo-terrorism-narcotics/
[10] https://www.timesofisrael.com/us-firm-helps-hamas-netanyahu-keep-hackers-at-bay/
[11] https://bgp.he.net/report/tophosts
[12] https://0xacab.org/blockedbyriseup/deCloudflare/-/raw/master/image/federalinterest.jpg
dang 10 months ago

[stub for offtopicness. title casing software begs forgiveness.]