Tunnel Vision: CloudflareD AbuseD in the Wild

51 points by redm, almost 2 years ago

10 comments

mike_d, almost 2 years ago
(Context: part of my job is breaking into stuff all day)

This is a technique commonly referred to as "living off the land", where an attacker makes use of a tool like cloudflared to conduct an action that would otherwise be blocked by security tools. It makes the defender's job so much harder because you now need to differentiate between your devops team being cool and a legitimate threat inside your network by looking at the exact same indicators generated by the two. Looking for things like unsigned applications making outbound network connections is removed from the defender's toolbox.

Yes, cloudflared does the same thing as ngrok. You'll also find that ngrok is blocked in most corporate environments as well for posing an equal risk. As an attacker, you have a good chance of setting off alarms that (should) specifically detect ngrok.

I think the point of this post is to highlight that Cloudflare tunnels need to be blocked by default as well and only allowed when there are specific approved use cases.
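The "block by default, allow only approved use cases" policy in the comment above is what turns an indistinguishable indicator (a cloudflared process opening a tunnel) into something a SOC can triage. The script below is an added example, not code from the thread or from Cloudflare: it scans constructed process-creation events, recognises `cloudflared tunnel ...` launches (including the `--url` form that exposes a local origin ad hoc), and raises an alert for every launch whose host/user pair is not on an approved inventory. The event field names, sample hosts and the `APPROVED` set are assumptions of the example.

```python
"""Allowlist-based triage of cloudflared tunnel launches.

Added example, not code from the thread or from Cloudflare: an approved
devops tunnel and an attacker's tunnel produce the same process indicator,
so the only usable discriminator is an inventory of approved (host, user)
pairs. Event field names and sample events are constructed.
"""
from __future__ import annotations

# Constructed process-creation events; the field names are an assumption
# of this example, not any product's schema.
EVENTS = [
    {"host": "build-01", "user": "devops",
     "cmdline": "/usr/local/bin/cloudflared tunnel run ci-ingress"},
    {"host": "hr-laptop-17", "user": "jsmith",
     "cmdline": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\cloudflared.exe tunnel --url http://localhost:8080"},
    {"host": "web-03", "user": "www",
     "cmdline": "/usr/bin/python3 app.py"},
    {"host": "build-01", "user": "root",
     "cmdline": "cloudflared tunnel --url http://127.0.0.1:22"},
]

# Inventory of approved tunnel operators: the "specific approved use cases".
APPROVED = {("build-01", "devops")}


def is_tunnel_launch(cmdline: str) -> bool:
    """True if the command runs the cloudflared binary in tunnel mode."""
    tokens = cmdline.split()
    if not tokens:
        return False
    # Normalise Windows and POSIX paths, then look at the executable name.
    exe = tokens[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    return exe.startswith("cloudflared") and "tunnel" in tokens[1:]


def exposed_target(cmdline: str) -> str | None:
    """Return the local origin passed via --url (ad hoc tunnel), if any."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        if tok == "--url" and i + 1 < len(tokens):
            return tokens[i + 1]
        if tok.startswith("--url="):
            return tok.split("=", 1)[1]
    return None  # named tunnel ("tunnel run <name>"): target lives in its config


def triage(events, approved=APPROVED):
    """Return one alert per cloudflared tunnel launch not on the allowlist."""
    alerts = []
    for ev in events:
        if not is_tunnel_launch(ev["cmdline"]):
            continue
        if (ev["host"], ev["user"]) in approved:
            continue  # known devops use: same indicator, but inventoried
        alerts.append({
            "host": ev["host"],
            "user": ev["user"],
            "exposes": exposed_target(ev["cmdline"]),
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(f"ALERT {alert['host']}/{alert['user']} exposes {alert['exposes']}")
```

Running it flags the laptop launch and the `root` launch on `build-01` (same host as the approved entry, different user), while the inventoried devops tunnel is silent. The allowlist is keyed on host and user rather than on the binary path precisely because, as the comment says, the binary-level indicators are identical for both populations.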
Cyykratahk, almost 2 years ago
I feel like this is just another case of "It rather involved being on the other side of this airtight hatchway" [0]

If an attacker is capable of installing apps on your server... you've already lost.

0. https://devblogs.microsoft.com/oldnewthing/20060508-22/?p=31283
redm, almost 2 years ago
I find that more and more CloudFlare is so ubiquitous that we have to use CloudFlare tools to protect ourselves from other people attacking us via CloudFlare. Here's an example of a rule we had to put in place to block people using CloudFlare workers to scrape pages and bypass security. CloudFlare doesn't seem to care about this kind of abuse (or maybe they do but aren't talking about it publicly).

(!cf.bot_management.verified_bot) and (cf.bot_management.score lt 10) and len(cf.worker.upstream_zone) gt 0 and not cf.worker.upstream_zone in {"<zone>"} and (not ip.geoip.asnum eq <exception as>)
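To see what redm's rule actually admits and rejects, here is the same expression re-expressed as a Python predicate and run over constructed request records. This is an added example, not Cloudflare's rule engine and not code from the post: `OWN_ZONE` and `EXCEPTION_ASN` stand in for the `<zone>` and `<exception as>` placeholders, the record keys mirror the rule's fields, and the sample requests are invented to exercise each clause.

```python
"""Offline evaluation of the Worker-scraper firewall rule quoted above.

Added example, not Cloudflare's evaluator. The rule

  (!cf.bot_management.verified_bot) and (cf.bot_management.score lt 10)
  and len(cf.worker.upstream_zone) gt 0
  and not cf.worker.upstream_zone in {"<zone>"}
  and (not ip.geoip.asnum eq <exception as>)

is rewritten as a predicate so each clause can be checked against
constructed request records.
"""

OWN_ZONE = "example.com"   # placeholder for <zone> in the post
EXCEPTION_ASN = 64496      # placeholder for <exception as>; 64496 is a documentation ASN (RFC 5398)

# Constructed request records; keys mirror the rule's fields.
# bot score: 1 = most likely automated, 99 = most likely human.
REQUESTS = [
    # 1: plain browser, no Worker in the path, so upstream_zone is empty
    {"id": 1, "verified_bot": False, "score": 5, "upstream_zone": "", "asn": 64500},
    # 2: low-score traffic forwarded by a Worker on someone else's zone
    {"id": 2, "verified_bot": False, "score": 3, "upstream_zone": "scraper.example.net", "asn": 64500},
    # 3: same, but the Worker belongs to our own zone
    {"id": 3, "verified_bot": False, "score": 3, "upstream_zone": "example.com", "asn": 64500},
    # 4: foreign Worker, but from the exempted ASN
    {"id": 4, "verified_bot": False, "score": 3, "upstream_zone": "partner.example.org", "asn": 64496},
    # 5: foreign Worker carrying human-looking traffic
    {"id": 5, "verified_bot": False, "score": 85, "upstream_zone": "scraper.example.net", "asn": 64500},
    # 6: verified bot behind a foreign Worker
    {"id": 6, "verified_bot": True, "score": 1, "upstream_zone": "crawler.example.net", "asn": 64500},
]


def rule_matches(req, own_zone=OWN_ZONE, exception_asn=EXCEPTION_ASN):
    """Return True when the request would hit the block rule."""
    return (
        not req["verified_bot"]                     # !cf.bot_management.verified_bot
        and req["score"] < 10                       # cf.bot_management.score lt 10
        and len(req["upstream_zone"]) > 0           # len(cf.worker.upstream_zone) gt 0
        and req["upstream_zone"] not in {own_zone}  # not ... in {"<zone>"}
        and req["asn"] != exception_asn             # not ip.geoip.asnum eq <exception as>
    )


def blocked_ids(requests=REQUESTS):
    """IDs of the sample requests the rule would block."""
    return [r["id"] for r in requests if rule_matches(r)]


if __name__ == "__main__":
    print("blocked:", blocked_ids())
```

Only request 2 is blocked. The `len(upstream_zone) gt 0` clause confines the rule to traffic that was relayed by a Worker at all, the own-zone exemption keeps the site's own Workers working, and the score and verified-bot clauses stop the rule from cutting off human visitors or known crawlers that happen to sit behind a third-party Worker.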
ehhthing, almost 2 years ago
I don't understand why this is news for anybody. This is just the cloudflare version of ngrok...
Daviey, almost 2 years ago
As an enterprise cloudflare customer, we were interested in using this product for legitimate purposes but also blocking internal non-legitimate access, and asked them for advice on how to do this. Support wasn't able to offer any guidance.

EDIT: Toned down the language.
filleokus, almost 2 years ago
Hmm, risking sounding like the dropbox-is-only-ftp-and-svn guy, but shouldn't any threat actor worth their salt be able to use any array of open source tools to do this? Especially if you already have access on the machine and the possibility to place binaries there?

The biggest risk I see is if the target is already using this for legit use cases, since I guess it would be really difficult to discern between the two.
rafaelturk, almost 2 years ago
If an attacker is capable of installing apps on your server... then anything is possible. Don't know why mention Cloudflared other than clickbait. Overall I'm a huge fan of CF Zero Trust and tunnels. I wish documentation and examples were clearer, but from a security standpoint CF is one of the best security solutions we use.
neodymiumphish, almost 2 years ago
I'd like to just say that I (the blog author) am not saying Cloudflared is bad. In fact my research on it makes me really want to test out its usefulness for some of my personal projects.

But it is important to demonstrate the ways in which this seemingly benign tool can be (and has been) used to conduct nefarious activity if not properly detected and defended against.
oefrha, almost 2 years ago
Well, I would say that’s a pretty good ad for legitimate uses of Cloudflare Tunnel.
ocdtrekkie, almost 2 years ago
We have a blanket block on QUIC traffic at work, and it continues to pay off.