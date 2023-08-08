Cloudflare Tunnel is a powerful tunneling solution that gives organizations a way to securely expose internal applications and services to external users while benefiting from the defenses and authentication policies enforced by the Cloudflare network. Like most tools meant to make infrastructure administration easier and more secure, it can also be abused by attackers.

Researchers from GuidePoint Security have reported that their teams have investigated multiple incidents this year where attackers used the Cloudflare Tunnel to maintain access to victim networks. While the attacks were not highly sophisticated, they believe more threat actors will adopt the tool because of its powerful features and ease of use.

“The key point is that cloudflared [the Cloudflare Tunnel daemon] reaches out to the Cloudflare Edge Servers, creating an outbound connection over HTTPS (HTTP2/QUIC), where the tunnel's controller makes services or private networks accessible via Cloudflare console configuration changes,” Nic Finn, a senior threat intelligence consultant at GuidePoint, said in a report. “These changes are managed through Cloudflare's Zero Trust dashboard and are used to allow external sources to directly access important services, including SSH, RDP, SMB, and others.”

Benefits for attackers using Cloudflare Tunnel

First, installing Cloudflare Tunnel is very easy. Builds are available for Windows, macOS, and various Linux distributions, for both Intel and ARM CPU architectures. All that's required is to download a single executable, cloudflared, and run it. Because this Cloudflare Tunnel daemon is open source and published by a trusted vendor, endpoint security products are likely to allow-list it rather than flag it.

The second important benefit for the attacker is that the tunnel is configured entirely from their own Cloudflare dashboard. The local daemon only needs a token generated in that dashboard; once it is running with the token, it pulls its configuration from Cloudflare. This means the attacker can change what the tunnel exposes remotely, at any time, without touching the compromised host again.

For example, say the attacker wants to connect to the compromised machine via SSH or Remote Desktop Protocol (RDP), or access files via SMB, but the machine only has these services enabled for the internal network. The attacker might not be able to open the network firewall to inbound connections for these services, and even if they could, a system that suddenly starts receiving SSH or RDP connections from a host on the internet could trigger alerts in network monitoring products.
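The detail that matters for responders in the scenario above is the dashboard token: a host running cloudflared with a token is remotely configurable by whoever owns the Cloudflare account that issued it. The following triage script is an added example (not code from the article, from GuidePoint or from Cloudflare). It scans constructed process-creation log lines for cloudflared being launched with a token and decodes the token to recover the account tag and tunnel ID, which is what ties the host to a specific Cloudflare account. Two assumptions are labelled in the code: the log line layout is invented for the example, and the token layout (standard base64 of JSON with keys a = account tag, t = tunnel ID, s = tunnel secret) mirrors cloudflared's token format at the time of writing and should be re-checked against the cloudflared source before relying on it.

```python
"""Triage helper for cloudflared abuse (added example, not from the article).

Assumptions:
- Log line layout "<ts> host=<h> user=<u> cmd=<command line>" is invented here.
- Tunnel tokens are standard base64 of JSON {"a": account tag, "t": tunnel ID,
  "s": tunnel secret}; this mirrors cloudflared's own format at the time of
  writing but is treated as an assumption.
"""
import base64
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample token in the assumed base64(JSON) layout; all values made up.
SAMPLE_TOKEN = base64.b64encode(json.dumps({
    "a": "0123456789abcdef0123456789abcdef",       # account tag (made up)
    "t": "11111111-2222-3333-4444-555555555555",   # tunnel ID (made up)
    "s": base64.b64encode(b"not-a-real-secret").decode(),
}).encode()).decode()

# Constructed process-creation events; not real telemetry.
LOG_LINES = [
    "2023-08-01T10:02:11Z host=FS01 user=svc_backup "
    f"cmd=C:\\Windows\\Temp\\cloudflared.exe tunnel run --token {SAMPLE_TOKEN}",
    "2023-08-01T10:03:40Z host=WEB02 user=root "
    "cmd=/usr/local/bin/cloudflared tunnel --config /etc/cloudflared/config.yml run",
    "2023-08-01T10:05:02Z host=WS17 user=jdoe "
    f"cmd=\"C:\\Users\\jdoe\\Downloads\\cloudflared-windows-amd64.exe\" service install {SAMPLE_TOKEN}",
    "2023-08-01T10:06:15Z host=WS17 user=jdoe cmd=notepad.exe C:\\notes.txt",
    "2023-08-01T10:07:30Z host=WS18 user=jdoe cmd=cloudflared.exe tunnel run --token not-base64!!",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")
# First token of the command line, quoted or not; that is the executable path.
EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')
# Both ways a dashboard token reaches the daemon: "tunnel run --token X" and
# "service install X".
TOKEN_RE = re.compile(r"(?:--token[ =]|\bservice\s+install\s+)(\S+)")


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    exe: str
    account_tag: Optional[str]
    tunnel_id: Optional[str]
    note: str


def executable_name(cmd: str) -> str:
    """Return the lower-cased basename of the executable in a command line."""
    m = EXE_RE.match(cmd)
    if not m:
        return ""
    path = m.group(1) or m.group(2)
    return re.split(r"[\\/]", path)[-1].lower()


def decode_tunnel_token(token: str) -> Optional[dict]:
    """Decode a tunnel token (assumed base64 JSON); None if it is not one."""
    try:
        padded = token + "=" * (-len(token) % 4)
        data = json.loads(base64.b64decode(padded, validate=True))
    except (ValueError, json.JSONDecodeError):
        return None
    if not isinstance(data, dict) or not {"a", "t", "s"} <= data.keys():
        return None
    # The secret ("s") is deliberately not returned; it is not needed for triage.
    return {"account_tag": data["a"], "tunnel_id": data["t"]}


def scan(lines: List[str]) -> List[Finding]:
    """Flag every cloudflared launch, enriched with token details where present."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        cmd = m["cmd"]
        exe = executable_name(cmd)
        if not exe.startswith("cloudflared"):
            continue
        tok = TOKEN_RE.search(cmd)
        decoded = decode_tunnel_token(tok.group(1)) if tok else None
        if decoded:
            note = "dashboard token present: tunnel is remotely configurable"
        elif tok:
            note = "token argument present but could not be decoded"
        else:
            note = "cloudflared started without a token (local config file?)"
        findings.append(Finding(
            m["ts"], m["host"], m["user"], exe,
            decoded["account_tag"] if decoded else None,
            decoded["tunnel_id"] if decoded else None,
            note,
        ))
    return findings


if __name__ == "__main__":
    for f in scan(LOG_LINES):
        print(f"{f.ts} {f.host} {f.user} {f.exe}: {f.note}"
              f" account={f.account_tag} tunnel={f.tunnel_id}")
```

The script only matches the stock binary name, so a renamed cloudflared slips past it; pair it with network telemetry for the outbound HTTPS/QUIC connections to the Cloudflare edge that the daemon must make regardless of its name. Recovering the account tag and tunnel ID is worth the extra step because both can be reported to Cloudflare and correlated across hosts to find every machine enrolled in the same attacker-owned tunnel.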