Threat Actor Abuses Cloudflare Tunnels to Deliver RATs
Proofpoint reported increased cybercriminal activity using Cloudflare Tunnels to deliver malware, particularly remote access trojans (RATs). The campaigns start with phishing emails and abuse TryCloudflare's temporary, account-free tunnels, which makes the infrastructure hard to block or attribute and calls for defenses that key on the attack chain rather than on hostnames alone.
Proofpoint has reported an increase in cybercriminal activity that uses Cloudflare Tunnels to deliver malware, specifically remote access trojans (RATs). The tactic was first observed in February 2024 and gained momentum between May and July 2024, with campaigns primarily distributing Xworm, AsyncRAT, VenomRAT, GuLoader, and Remcos. The attackers abuse the TryCloudflare feature, which lets anyone stand up a temporary ("quick") tunnel under a randomly generated trycloudflare.com hostname without creating a Cloudflare account, and use such tunnels to expose attacker-controlled file shares. Campaigns typically begin with phishing emails whose URLs or attachments lead to malicious files (Windows shortcut files pointing at the tunnelled share); when a user opens them, a chain of scripts downloads and installs the malware.
Campaign volume has varied significantly, with messages reaching numerous organizations worldwide, and the lures are usually business-themed (invoices, package deliveries). The threat actors have adapted their tooling over time, adding obfuscation to the helper scripts to evade detection. One notable detail is that the scripts fetch a Python installer package together with the Python scripts that install the malware, so the chain works even on systems where Python is not pre-installed.
The attack chain requires several user-interaction steps (opening the link or attachment, launching the shortcut file, and running the resulting scripts), each of which offers a chance to detect the intrusion before the final payload is executed. Proofpoint recommends restricting access to external file-sharing services to the ones an organization actually uses and monitoring for the scripted activity described above. The evolving tactics of these threat actors show why defenses must adapt rather than rely on static blocklists: the hostnames and IP addresses involved belong to a legitimate, widely used provider.
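The two detection points the summary names, the shortcut file that points at a tunnelled WebDAV share and the outbound WebDAV traffic to a non-allowlisted host, can both be checked mechanically. The following is an added example, not code from Proofpoint or from the article: it parses a Windows Internet Shortcut (.url) file for a target on a trycloudflare.com quick-tunnel hostname, and it scans proxy log lines for quick-tunnel hosts and for WebDAV requests (PROPFIND, or the Windows WebDAV mini-redirector User-Agent) to hosts outside an allowlist. The log format, the sample hostnames and IPs, and the allowlist are constructed for the example.

```python
"""Flag TryCloudflare quick-tunnel hosts in .url shortcuts and proxy logs.

Added example, not code from Proofpoint or the article: the proxy log
format, the hostnames/IPs and the allowlist below are constructed.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# TryCloudflare ("quick tunnel") hostnames are random subdomains of this
# domain, so any hit in corporate egress traffic deserves a look.
TUNNEL_SUFFIX = ".trycloudflare.com"

# Hypothetical allowlist of the external WebDAV/file-sharing hosts the
# organisation actually uses; WebDAV to anything else is flagged.
ALLOWED_WEBDAV_HOSTS = {"files.example-partner.com"}

# The Windows WebDAV client (mini-redirector) announces itself with this
# User-Agent prefix; PROPFIND is the WebDAV directory-listing method.
WEBDAV_UA_PREFIX = "Microsoft-WebDAV-MiniRedir/"

# Constructed log format: ts src_ip method url status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def is_tunnel_host(host: str) -> bool:
    """True for <random>.trycloudflare.com, not for the bare domain."""
    host = host.lower().rstrip(".")
    return host.endswith(TUNNEL_SUFFIX) and host != TUNNEL_SUFFIX[1:]


def host_from_target(target: str) -> Optional[str]:
    r"""Host of an http(s)/file URL or of a UNC path such as
    \\host@SSL@443\DavWWWRoot\x. The @SSL/@port suffixes are the WebDAV
    mini-redirector's syntax and are stripped before returning the host."""
    t = target.strip()
    if t.startswith("\\\\"):
        first = t[2:].split("\\", 1)[0]
        return first.split("@", 1)[0].lower() or None
    parsed = urlparse(t)
    if parsed.scheme in ("http", "https", "file") and parsed.hostname:
        return parsed.hostname.lower()
    return None


def shortcut_target(shortcut_text: str) -> Optional[str]:
    """URL= value of a Windows Internet Shortcut (.url) file."""
    for line in shortcut_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "url":
            return value.strip()
    return None


def shortcut_points_to_tunnel(shortcut_text: str) -> bool:
    target = shortcut_target(shortcut_text)
    host = host_from_target(target) if target else None
    return bool(host and is_tunnel_host(host))


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(src_ip, host, reason) for every suspicious line; others are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = host_from_target(m["url"])
        if not host:
            continue
        webdav = (m["method"].upper() == "PROPFIND"
                  or m["ua"].startswith(WEBDAV_UA_PREFIX))
        if is_tunnel_host(host):
            findings.append((m["src"], host, "trycloudflare quick tunnel"))
        elif webdav and host not in ALLOWED_WEBDAV_HOSTS:
            findings.append((m["src"], host, "webdav to non-allowlisted host"))
    return findings


# Constructed .url file of the kind the report describes: a UNC path to a
# WebDAV share behind a made-up quick-tunnel hostname.
SAMPLE_SHORTCUT = (
    "[InternetShortcut]\r\n"
    + r"URL=\\rose-quiet-silent-coral.trycloudflare.com@SSL@443\DavWWWRoot\invoice.lnk"
    + "\r\n"
)

# Constructed proxy log lines (hostnames, IPs and timestamps are invented).
SAMPLE_LOG = [
    '2024-07-02T10:14:03Z 10.1.2.34 PROPFIND http://rose-quiet-silent-coral.trycloudflare.com/DavWWWRoot/ 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"',
    '2024-07-02T10:14:05Z 10.1.2.34 GET https://rose-quiet-silent-coral.trycloudflare.com/DavWWWRoot/invoice.lnk 200 "Microsoft-WebDAV-MiniRedir/10.0.19045"',
    '2024-07-02T10:15:11Z 10.1.2.57 PROPFIND https://files.example-partner.com/share/ 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"',
    '2024-07-02T10:16:40Z 10.1.2.57 GET https://www.cloudflare.com/ 200 "Mozilla/5.0"',
    '2024-07-02T10:17:02Z 10.1.2.90 PROPFIND http://203.0.113.8/dav/ 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"',
]

if __name__ == "__main__":
    print("shortcut points to tunnel:", shortcut_points_to_tunnel(SAMPLE_SHORTCUT))
    for src, host, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{src} -> {host}: {reason}")
```

Blocking trycloudflare.com outright is the one static control that works here, because legitimate users rarely need quick tunnels; the WebDAV allowlist check is the durable part, since the actors can move to any other hosting that the Windows mini-redirector can mount, and the PROPFIND plus MiniRedir User-Agent signature follows the technique rather than the hostname.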
Related
The Growing Threat of Malware Concealed Behind Cloud Services
Malware operators increasingly stage payloads and command-and-control on legitimate cloud services; FortiGuard Labs documents botnets such as UNSTABLE and Condi doing so and advises strengthening cloud-facing defenses accordingly.
Threat actors quick to weaponize PoC exploits; 6.8% of all internet traffic DDoS
Attackers have weaponized proof-of-concept exploits within 22 minutes of their release, leaving little time to patch. Cloudflare advises AI-assisted generation of detection rules to close that gap. DDoS attacks account for 6.8% of daily internet traffic, rising to 12% during major events.
Cloudflare reports almost 7% of internet traffic is malicious
Cloudflare's report finds that almost 7% of internet traffic is malicious, with spikes tied to global events. It emphasizes timely patching against newly disclosed vulnerabilities, notes a surge in DDoS attacks, stresses API security, and warns about harmful bot traffic; organizations are urged to adopt proactive defenses.
Hackers exploit Windows SmartScreen flaw to launch malware
Cybercriminals are exploiting a Microsoft Defender SmartScreen bypass (CVE-2024-21412, an Internet Shortcut file security feature bypass) to install malware without the usual warnings. Many systems remain unpatched, so users should update Windows and be cautious with email attachments.
- Many commenters express frustration with the increasing abuse of legitimate services like Cloudflare for malicious purposes.
- There is a consensus that traditional indicators of security, such as IP addresses and domain names, are becoming less effective.
- Some users highlight the challenges of attribution and moderation in the context of free services that allow anonymous usage.
- Several comments reference past experiences with similar services being exploited, indicating a pattern of abuse.
- Criticism is directed at Cloudflare for its perceived lack of action against malicious actors using its infrastructure.
They also use the same VPNs for connecting to your machines as your grandparents do for watching Netflix.
The internet as a whole is slowly but steadily moving towards a model where IP addresses and domain names are not useful indicators for security. You cannot block your users from visiting Cloudflare or AWS IP ranges and you cannot block visitors to your site from major commercial VPN providers.
In addition, all the traffic is encrypted, name lookups are encrypted, so a network operator cannot tell anything about what you are doing on the internet.
This is a good thing for multiple reasons. First, it improves privacy and anonymity for the internet users. Second, reducing the effectiveness of network security solutions will make us be able to phase out their usage, which makes the network dumb again and prevents ossification. And third, it forces us to tackle the underlying security issues, rather than supporting a whole industry of ineffective whack-a-mole.
TryCloudflare, IMO, is the real problem here. It doesn’t require an account at all, so attribution becomes nearly impossible.
This isn't newsworthy
I reported it and showed how you could trivially create a page that said "Sign in to your Cloudflare account to get access to the Cloudflare beta preview!" and capture Cloudflare login credentials.
The bug bounty was closed as they said it was "accepted as the nature of the cloudflarepreview playground".
Then they fixed it by adding a JWT token to the URL (and no bounty paid).
I've been a Cloudflare customer for a long time but it seems that there are many dark corners of their products that just don't get a lot of attention until they are abused, and I suspect this TryCloudflare thing is one of them.
I guess we sorta kinda have a little of that in the form of social-media accounts that get "trusted" based on the number of followers and their followers' followers and bots all the way down, etc. Or PageRank and SEO exploitation.
I guess this type of traffic would only get flagged if attackers were skids (i.e., reusing known RATs)
In fact, Cloudflare is actually the second-largest DNS provider in the world by number of domains served. [11]
They are in a position to log and analyze all of the traffic they decrypt, including all of the plaintext POST data, all of the cookies, all of the origin IPs, L7 payload sizes, and traffic timestamps for over 35 million websites.
Their extensive history of indiscriminately offering "free" services to evildoers likely ties back to their true purpose, which Matthew Prince has admitted to [12], which is to sell all of those passwords, all of that PII, all of your privacy, not only to the US government, but also to other bidders.
It is no exaggeration to say that anyone opposed to spam, phishing, malware, cybercrime, terrorism, war crimes, government surveillance dragnets, and infringements upon one's own digital privacy should have nothing but utter contempt for the soulless monsters responsible for this corporate atrocity.
If you are as passionate about the subject as I am after reading some of these citations, I'd encourage you to boycott any websites using CF that you don't need to visit, and make plenty of phone calls to California senators, representatives, and the governor demanding that the state of California revoke Cloudflare's corporate charter and right to conduct business in the state.
[1] https://www.malwarebytes.com/blog/news/2014/12/free-ssl-cert...
[2] https://forum.spamcop.net/topic/14194-cloudflare-bulletproof...
[3] https://thehackernews.com/2023/08/cybercriminals-abusing-clo...
[4] https://www.threatdown.com/blog/cloudflare-tunnel-increasing...
[5] https://any.run/cybersecurity-blog/clouflare-phishing-campai...
[6] https://venturebeat.com/security/rogue-ad-network-site-likel...
[7] https://portswigger.net/daily-swig/cybercriminals-use-revers...
[8] https://www.trendmicro.com/vinfo/us/security/news/cybercrime...
[9] https://cyberscoop.com/cloudflare-ipo-terrorism-narcotics/
[10] https://www.timesofisrael.com/us-firm-helps-hamas-netanyahu-...
[11] https://bgp.he.net/report/tophosts
[12] https://0xacab.org/blockedbyriseup/deCloudflare/-/raw/master...