
Threat actor abuses Cloudflare tunnels to deliver remote access trojans

320 points | 3 months ago | proofpoint.com

peanut-walrus, 3 months ago

The times when malicious software was served from a sketchy .ru domain or a naked IP address located at some bullet-proof hosting provider are long gone. The threat actors use the same infra as everyone else: GCP, AWS, Azure, Cloudflare, etc.

They also use the same VPNs for connecting to your machines as your grandparents do for watching Netflix.

The internet as a whole is slowly but steadily moving towards a model where IP addresses and domain names are not useful indicators for security. You cannot block your users from visiting Cloudflare or AWS IP ranges, and you cannot block visitors to your site from major commercial VPN providers.

In addition, all the traffic is encrypted, name lookups are encrypted, so a network operator can not tell anything about what you are doing on the internet.

This is a good thing for multiple reasons. First, it improves privacy and anonymity for internet users. Second, reducing the effectiveness of network security solutions will let us phase out their usage, which makes the network dumb again and prevents ossification. And third, it forces us to tackle the underlying security issues, rather than supporting a whole industry of ineffective whack-a-mole.

entropie, 3 months ago

> You can not block your users from visiting Cloudflare or AWS IP ranges

I am pretty sure Reddit does. I recently needed to rewrite/patch my tumblog backend software that uses yt-dlp to download Reddit videos because Reddit blocked the IP ranges of Hetzner's dedicated servers.

I circumvented this by downloading the videos on the client via JavaScript and uploading them to my server.

archerx, 3 months ago

> you can not block visitors to your site from major commercial VPN providers.

You can if you can figure out their IP ranges. Some websites already do it and it is something I am looking into.

Another thing worth doing is blocking Tor by getting the exit node IP address list. Blocking Tor has saved me a lot of grief from bad actors.

Nextgrid, 3 months ago

> The times when malicious software was served from a sketchy .ru domain or a naked IP address located at some bullet-proof hosting provider are long gone. The threat actors use the same infra as everyone else: GCP, AWS, Azure, Cloudflare, etc.

I guess that's a consequence of law enforcement being completely unable or unwilling to actually tackle online crime (as long as it's not inconveniencing a large corporation in very specific domains such as copyright).

Why bother with bulletproof/etc hosts or sketchy domain registrars when you can use a mainstream one and get away with it?

skeaker, 3 months ago

The potential downside in my eyes is that regulators won't want to wait for the underlying issues to be solved and will instead opt for more aggressive identification. The worst case scenario is if the whole internet became like Facebook, requiring an account that's inextricably linked to your real identity just to view anything.

halJordan, 3 months ago

This is a great summation of why KYC is coming to cloud hosting.

PhilipRoman, 3 months ago

Getting a bit tired of these headlines about malware "delivery" via link shorteners or similar. Yeah, guess what - people can host files on the internet in various ways, what a shocker.

tw04, 3 months ago

This isn't a link shortener. This is a tunnel, so that a user sees they're connecting to Cloudflare, even though on the back end they are landing somewhere nefarious. The end destination is completely hidden from the end user (and any security stack their corporation may have in place).

I don't think it's unreasonable for people to expect cloudflare to be policing their own service for malware when they're trying to pitch themselves as a security product.

marcosdumay, 3 months ago

That's mildly valid. We can have some expectations for Cloudflare, but not that they outright police everybody that uses their service.

At the same time, this is exactly some variation of the "random people have put malware on random internet locations" scare the GP was talking about. If "malware somewhere on the internet" is a problem, we have to fix what turns it into a problem, because we just won't fix this one.

AnonymousPlanet, 3 months ago

If certain subdomains keep getting subverted, a valid response is to block all those subdomains, in this case *.trycloudflare.com. It's like IP ranges of countries that don't bother with policing malicious activity.

The consequences for Cloudflare and its legitimate users might be anything but mild.

skybrian, 3 months ago

Wouldn't anyone serious about their website being reachable everywhere get their own domain name?

It wouldn't be an issue for trying it out if you don't block it yourself.

tempest_, 3 months ago

Why should they not be responsible for the things they allow on their service?

(note that I don't necessarily agree but that statement is loaded)

compootr, 3 months ago

> but not that they outright police everybody that uses their service.

Same. I think they're getting too big to care, or even to attempt to do so.

ThatMedicIsASpy, 3 months ago

There must be millions of piracy websites using them. Care was never there.

lynx23, 3 months ago

Like Google, who apparently can't be assed to do the most basic automatic checks.

https://youtu.be/dwar6uZUWAo

But you're right, these big money-making companies are such snowflakes that you have to have some compassion with them, right.

palmfacehn, 3 months ago

DNS filtering, WAFs and curated naughty lists were never more than duct tape at best. I'm sure they are effective, but they don't approach the problem of vulnerable software or end users who download and execute untrusted software. At worst, they created an incentive for alarmist companies to scare users into using their half measures rather than comprehensively addressing the problem.

riazrizvi, 3 months ago

Only technical users recognize the name Cloudflare, and they know it’s a hosting service. This concern seems ridiculous to me.

rocqua, 3 months ago

This is about automated systems using domain reputation to block certain downloads.

Their systems are telling them that try.cloudflare.com is not a trustworthy domain, but it is so ubiquitous, that blocking them isn't feasible.

paxys, 3 months ago

How is that different from…any website, storage service or hosting provider on the internet?

johnklos, 3 months ago

You can't report it to Cloudflare in any meaningfully straightforward way and expect them to take it down. Even if you go through Cloudflare's incredibly laborious and intentionally problem-riddled abuse complaint process, and even if they take down one instance, bad actors can make thousands or tens of thousands (or more), so reporting this does effectively nothing.

Cloudflare is enshittifying the Internet once again.

(I don't care if this gets downvoted by CF fans - not a single one will engage meaningfully about any point asserted here)

3np, 3 months ago

> I don't think it's unreasonable for people to expect cloudflare to be policing their own service

On the contrary. The tendency of those expectations turning into assumptions is the wider issue.

taspeotis, 3 months ago

> and any security stack their corporation may have in place

I mean if the security stack misses that (forgivable) but then allows this:

> When executed, it establishes a connection to an external file share, typically via WebDAV, to download an LNK or VBS file. When executed, the LNK/VBS executes a BAT or CMD file

It fucking sucks.

autoexec, 3 months ago

Just downloading an LNK or VBS file should be a massive red flag. Whoever decided that it was a good idea to hide file extensions from people by default was an idiot.

BubbleRings, 3 months ago

> Whoever decided….

Completely agree. And over the years I have found it sad how many people (some of whom considered themselves computer experts) I have had to explain to what extensions are, why they are needed, how to make them show, etc.

adolph, 3 months ago

> The end-destination is completely hidden from the end-user

A proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource.

https://en.wikipedia.org/wiki/Proxy_server

definitelyauser, 3 months ago

> I don't think it's unreasonable for people to expect cloudflare to be policing their own service for malware when they're trying to pitch themselves as a security product.

But you're not the customer, you're the consumer.

Are they pitching themselves as safer for the consumer?

willcipriano, 3 months ago

> user sees they're connecting to cloud flare

I see I am connecting to Comcast, it says so right on my modem.

guizadillas, 3 months ago

oh no a tunneling service is used for tunneling /s

psd1, 3 months ago

Well no, it's more like _ubiquitous tunneling service grants anonymous sign-up and thereby disguises origin and commingles traffic that Was Authenticated Somewhere with traffic that Could Be From Anyone, with the effect of opening a hole in your first line of defense_.

If you merely want to be edgy, then well done. Otherwise, a piece of advice, start by understanding the problem.

valand, 3 months ago

At this point, and speaking for non-power-users, this should be an OS interaction design problem.

Framing cloudflare as the enabler is missing the bigger picture.

I remember back in the day I needed to turn off autoplay on Windows to not get accidentally infected by malicious drives.

No one was insane enough to blame the CD-RW and flash drive manufacturers.

autoexec, 3 months ago

> No one was insane enough to blame the CD-RW and flash drive manufacturers.

Cloudflare isn't acting like a CD-RW or a flash drive. They're acting like a storefront that sells fraudulent flash drives that say they're 1TB when they're actually 200MB, or don't work at all when you plug them in, or worse, catch fire. A storefront that refuses to take the faulty products off the shelves when customers complain, refuses to stop selling merchandise they sourced from criminals, and refuses to do even basic due diligence to make sure the products they sell are legitimate.

People who operate stores have a responsibility to make sure that merchandise they sell to consumers isn't fraudulent and harmful. Companies offering their services online also have a responsibility to make sure that those services aren't being used to push fraudulent and harmful content onto consumers and that they aren't acting as safe-havens for criminals.

Dylan16807, 3 months ago

A file host is one or two orders of magnitude less involved than a store that stocks and sells products.

And if anything a file proxy is even further away.

valand, 3 months ago

Aside from process host and protocol, what makes it different from, let's say publicly available google drive?

psd1, 3 months ago

I can, as a Google admin, block links from outside the org; or, as a non-Google admin, block Google Docs. The business may decide not to block, but if I have a good SIEM then I can still do something, possibly inspect the file before it hits the user's desktop.

I can't block cloudflare, unless I'm willing to block half the internet. If I try to do additional inspection, I've got huge amounts of noise and I'm going to make the internet unusably slow.

RockRobotRock, 3 months ago

It would be nice if Cloudflare tried a bit harder to respond to abuse reports.

I don't think they've ever acted when I've reported obvious phishing and malware hosting to them.

jeroenhd, 3 months ago

I don't think I've ever seen an abuse report to anyone have a direct consequence. Phishing URLs I've reported never get added to any phishing lists, malware reports seem to go to /dev/null, and reporting spammers to their hosting services/registrars only seems to increase the amount of spam received.

Cloudflare should do better, but so should the entire industry. I get why companies selling security software report on this stuff, but this stuff is just a consequence of the internet allowing inbound connections sometimes.

The takeaway from this isn't "Cloudflare bad", but "block trycloudflare.com in your DNS server unless your devs use it for some reason". Same with Ngrok and any other dev tool like that.
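
One way to act on that takeaway (and on the SIEM-side inspection psd1 describes further up): a small detector that scans DNS query logs for lookups under trycloudflare.com and prints a resolver block rule. This is an added example, not code from the thread, from Cloudflare or from Proofpoint; the log line format, client addresses, the developer allowlist and the extra ngrok suffix are all constructed assumptions.

```python
"""Flag DNS lookups for account-free quick-tunnel domains in query logs and
emit an Unbound block rule. Added example; log format and addresses are
constructed for illustration, not real traffic."""
import re
from dataclasses import dataclass

# Suffixes to block unless developers need them. trycloudflare.com is the
# domain discussed in the thread; the ngrok suffix is an assumed addition.
BLOCKED_SUFFIXES = ("trycloudflare.com", "ngrok-free.app")

# Assumed: developer hosts allowed to use quick tunnels (constructed address).
DEV_ALLOWLIST = {"10.0.5.23"}

# Constructed log line shape: "<timestamp> client <ip> query <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+) client (?P<ip>[\d.]+) query (?P<qname>\S+)$")


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    qname: str
    suffix: str


def normalize(qname: str) -> str:
    """Lower-case and drop the trailing dot so comparisons are exact labels."""
    return qname.rstrip(".").lower()


def matched_suffix(qname: str, suffixes=BLOCKED_SUFFIXES):
    """Return the blocked suffix qname sits under, matching on label boundaries:
    'nottrycloudflare.com' and 'trycloudflare.com.attacker.example' are NOT hits."""
    name = normalize(qname)
    for suffix in suffixes:
        if name == suffix or name.endswith("." + suffix):
            return suffix
    return None


def scan(lines, allowlist=DEV_ALLOWLIST):
    """Parse log lines; return Findings for clients outside the allowlist."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; production tooling should count these
        suffix = matched_suffix(m["qname"])
        if suffix and m["ip"] not in allowlist:
            findings.append(Finding(m["ts"], m["ip"], normalize(m["qname"]), suffix))
    return findings


def unbound_block_config(suffixes=BLOCKED_SUFFIXES) -> str:
    """Render Unbound local-zone lines answering NXDOMAIN for each suffix
    (always_nxdomain is an existing Unbound local-zone type)."""
    return "\n".join(f'local-zone: "{s}." always_nxdomain' for s in suffixes)


SAMPLE_LOG = [  # constructed sample lines
    "2024-08-01T09:00:01Z client 10.0.5.23 query dev-tunnel.trycloudflare.com.",
    "2024-08-01T09:00:07Z client 10.0.7.40 query Files-Share.TryCloudflare.com",
    "2024-08-01T09:00:09Z client 10.0.7.40 query nottrycloudflare.com",
    "2024-08-01T09:00:11Z client 10.0.7.41 query trycloudflare.com.attacker.example",
    "2024-08-01T09:00:12Z client 10.0.7.42 query 1a2b.ngrok-free.app",
    "malformed line",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.client} looked up {f.qname} (blocked suffix: {f.suffix})")
    print(unbound_block_config())
```

Of the constructed sample, only the two non-allowlisted lookups under blocked suffixes are reported; the look-alike names are ignored because matching is done on label boundaries rather than substrings.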

__MatrixMan__, 3 months ago

I find it bonkers that we have settled on a design for browsers under which merely clicking a link is enough to expose you to a malware threat.

It's like we received the good advice:

> don't eat things you can't identify

but somewhere along the way we got our wires crossed so now it's

> don't look at things you can't identify

But we're still acting like only an idiot would ever fail to adhere to this perfectly reasonable advice, when actually it's a recipe for having users with no idea what a real threat actually looks like.

Much better would be if you can safely click all links (just don't, you know, run it or whatever the dangerous action is) so that you can annotate what you find there as either threatening or trustworthy--the better to help out your peers.

psd1, 3 months ago

Well, hyperlinks, SMTP, browser scripting (less so): these things come from a time when the internet was a community, not a venue for crime. The first viruses were from clever under-socialised children. It was a playground and everyone was safe.

Now we regret our naivety, but it's too late to take a systemic approach. It's all grandfathered in.

__MatrixMan__, 3 months ago

I think that sooner or later, the threats will become sophisticated enough to ungrandfather it.

neodymiumphish, 3 months ago

I actually wrote about malicious use of this very tool a year ago[0] (almost to the day). The only thing new here seems to be what they’re doing through the tunnels, and the apparent success they’re having with this method for it to increase as a proportion of their overall attack techniques.

TryCloudflare, IMO, is the real problem here. It doesn’t require an account at all, so attribution becomes nearly impossible.

0: https://www.guidepointsecurity.com/blog/tunnel-vision-cloudf...

lemax, 3 months ago

Isn't this what happens to every free quick tunnel product? Was kinda just waiting for this to play out. ngrok had nice zero friction tunneling when it came out but then they had to put everything behind a sign-up flow due to the same sort of abuse.

ocdtrekkie, 3 months ago

I would be disappointed in the attackers if it didn't. Free end-to-end encryption without any accountability tying it to a user? It's begging for abuse.

sebstefan, 3 months ago

If it isn't Cloudflare tunnels, it's gonna be asking Google to translate some webpage you host with a payload in the URL or something.

This isn't newsworthy.

wiradikusuma, 3 months ago

I guess this is why we can't have nice things on the internet (in this context, nice things from Cloudflare). Did you know you could send emails for free from Cloudflare (https://blog.cloudflare.com/sending-email-from-workers-with-...)? Well, now you can't. The sunsetting probably was not Cloudflare's fault, but it's more or less similar: nice service, abused.

jasongill, 3 months ago

For a long time, Cloudflare had a feature where you could "preview" custom CSS and HTML intended for use with their custom error pages. Basically, the preview feature just took CSS and HTML in a query string and then displayed it on cloudflarepreview.com/....

I reported it and showed how you could trivially create a page that said "Sign in to your Cloudflare account to get access to the Cloudflare beta preview!" and capture Cloudflare login credentials.

The bug bounty was closed as they said it was "accepted as the nature of the cloudflarepreview playground".

Then they fixed it by adding a JWT token to the URL (and no bounty paid).

I've been a Cloudflare customer for a long time but it seems that there are many dark corners of their products that just don't get a lot of attention until they are abused, and I suspect this TryCloudflare thing is one of them.

Terr_, 3 months ago

When it comes to "nobody wants to spend enough money to do moderation and anti-abuse well", it makes me wonder: Whatever happened to early PGP-era ideas that we'd somehow establish new webs of distributed trust and distrust of online identities?

I guess we sorta kinda have a little of that in the form of social-media accounts that get "trusted" based on the number of followers and their followers' followers and bots all the way down, etc. Or PageRank and SEO exploitation.

tommek4077, 3 months ago

Everyone who is capable of your suggestion is not dumb enough to install a trojan in the first place.

stingraycharles, 3 months ago

Society better figure something out soon, because with all these ultra realistic deepfakes coming up, we better have a way for people to establish whether the source is authentic or not.

rustcleaner, 3 months ago

Nah, the ambiguity is exhilarating! :^)

xyst, 3 months ago

I wonder if those dreaded endpoint security programs (ie, ClownStrike) would have picked up on this type of attack.

I guess this type of traffic would only get flagged if attackers were skids (ie, re-using known RATs)

fragmede, 3 months ago

Picked up? You'd configure CrowdStrike to stop any random exe from running at all. Doesn't matter if the attacker's using a known bad exe or not.

aio2, 3 months ago

Clownstrike goes crazy

rolph, 3 months ago

This reminds me of when those AOL free trial account disks were all over the place. In many circles an AOL subdomain would get instabanned.

mrinfinitiesx, 3 months ago

Even the *.ipt.aol.com ban was needed because one AOLer would use the HOST.ipt.aol.com rDNS to ban evade and ruin it for everybody.

Prodigy / CompuServe / Blue Light gang checking in

julesallen, 3 months ago

Prodigy, haven't thought about that in a lot of years, thanks for the memory tickle. Even with the painted-with-bricks interface.

GEnie was another that was kind of fun. And I still can remember my CompuServe number!

lacoolj, 3 months ago

My immediate internal spam/scam alarm goes off the moment I see "I hope this message finds you well"

edm0nd, 3 months ago

Crimeflare strikes again.

anonym29, 3 months ago

Cloudflare has been infamous among sysadmins and threat hunters for over a decade [1,2] now for having an almost-nonexistent moderation program. Their services have been routinely abused by malicious actors for years [3,4,5,6,7]. They've arguably been the single largest commercial provider for criminals globally over that time period, including non-tech criminals like drug traffickers and actual terrorists [8,9], to say nothing of aiding and abetting war criminals [10].

In fact, Cloudflare is actually the second largest DNS provider in the world by number of domains served. [11]

They are in a position to log and analyze all of the traffic they decrypt, including all of the plaintext POST data, all of the cookies, all of the origin IPs, L7 payload sizes, and traffic timestamps for over 35 million websites.

Their extensive history of indiscriminately offering "free" services to evildoers likely ties back to their true purpose, which Matthew Prince has admitted to [12], which is to sell all of those passwords, all of that PII, all of your privacy, not only to the US government, but also to other bidders.

It is no exaggeration to say that anyone opposed to spam, phishing, malware, cybercrime, terrorism, war crimes, government surveillance dragnets, and infringements upon one's own digital privacy should have nothing but utter contempt for the soulless monsters responsible for this corporate atrocity.

If you are as passionate about the subject as I am after reading some of these citations, I'd encourage you to boycott any websites using CF that you don't need to visit, and make plenty of phone calls to California senators, representatives, and the governor demanding that the state of California revoke Cloudflare's corporate charter and right to conduct business in the state.

[1] https://www.malwarebytes.com/blog/news/2014/12/free-ssl-cert...

[2] https://forum.spamcop.net/topic/14194-cloudflare-bulletproof...

[3] https://thehackernews.com/2023/08/cybercriminals-abusing-clo...

[4] https://www.threatdown.com/blog/cloudflare-tunnel-increasing...

[5] https://any.run/cybersecurity-blog/clouflare-phishing-campai...

[6] https://venturebeat.com/security/rogue-ad-network-site-likel...

[7] https://portswigger.net/daily-swig/cybercriminals-use-revers...

[8] https://www.trendmicro.com/vinfo/us/security/news/cybercrime...

[9] https://cyberscoop.com/cloudflare-ipo-terrorism-narcotics/

[10] https://www.timesofisrael.com/us-firm-helps-hamas-netanyahu-...

[11] https://bgp.he.net/report/tophosts

[12] https://0xacab.org/blockedbyriseup/deCloudflare/-/raw/master...

edm0nd, 3 months ago

They earned the nickname 'crimeflare' for a good reason and rightfully so.

rfl890, 3 months ago

> They are in a position to log and analyze all of the traffic they decrypt, including all of the plaintext POST data, all of the cookies, all of the origin IPs, L7 payload sizes, and traffic timestamps for over 35 million websites.

And equally so is whoever they trust to provide the hardware to host their website on. Most of the time, it's someone else.

(edit: Your last source is laughable. Some real conspiracy theory shit)

anonym29, 3 months ago

And what do you reckon the chance is that Azure and AWS and GCP are extracting ephemeral TLS session keys for every inbound HTTPS traffic stream bound for their customers, and decrypting every single stream?

The chance that cloudflare is getting access to all incoming traffic in plaintext is 100%.

rfl890, 3 months ago

Didn't mention anything about chances. If these companies wanted, they could decrypt all traffic, and it's easier than how you said (just swap out a web server binary or something). Although I must admit Cloudflare has a worse track record.

tzs, 3 months ago

His last source is a word for word excerpt from a BBC article about Cloudflare, with the information coming directly from their reporter talking to the founder of Cloudflare. As far as I can tell the only thing the site he linked to added was they underlined some phrases.

When you say it is conspiracy theory shit (CTS) do you mean that what the text says is CTS, or do you mean that whatever inference the site that copied the text from the BBC is trying to get you to infer from their underlining is CTS?

rfl890, 3 months ago

The latter. For example, what is "tracked them" (going off memory here) even supposed to imply? Log the spammer's email address and send it off wherever (which most mail services do), says the context. Just looks like a poor attempt to make CF look bad, unlike the others, which cite real incidents.

server_man3000, 3 months ago

Your sources are ass man. Yah newsflash, CF is a hosting site and people make phishing pages. This shit is true with literally any cloud provider today that’s relevant on the internet.

anonym29, 3 months ago

The difference is, legitimate non-criminal providers don't flagrantly ignore abuse reports, but thanks for leading with a petty criticism of my citations rather than refuting the core of my argument, which you can't do.

dang, 3 months ago

[stub for offtopicness. title casing software begs forgiveness.]

ASalazarMX, 3 months ago

Original title was "Threat Actor Abuses Cloudflare Tunnels to Deliver Rats", and even if I knew about malware through Cloudflare tunnels, it got my hopes too high.

LoganDark, 3 months ago

I thought this was a terrible pun about using tunnels to deliver rodents, not delivering remote access trojans. I don't know which I would have liked better

barryrandall, 3 months ago

Rodent-over-IP would be a fascinating read.

chatmasta, 3 months ago

There’s actually a (really superb) Rust library/program for creating reverse tunnels over TCP, that’s called Rathole [0]. We used it [1] at my last startup and were mildly worried that one day we’d need to explain to a security auditor why we had a dependency called “rathole…”

[0] https://github.com/rapiz1/rathole

[1] https://www.splitgraph.com/jumpstart/tunnel

CamelCaseName, 3 months ago

Now everyone knows my YC 25 idea

cedws, 3 months ago

It would never receive funding, viruses spread too quickly.

robertlagrant, 3 months ago

[flagged]

jsheard, 3 months ago

If history is any indication you can probably keep having the nice thing, because CF tends to look the other way when bad actors abuse their infrastructure.

ozr, 3 months ago

Good. It should require a court order to take someone offline.

01HNNWZ0MV43FF, 3 months ago

I have to provide services to anyone with money?

weberer, 3 months ago

Ironically, Cloudflare removed DDoS protection from KiwiFarms without a court order due to a political pressure campaign.

scrame, 3 months ago

court order by who?

xyst, 3 months ago

Just don’t piss off Prince or {current_cf_ceo}, and you will be fine [1]

[1] https://www.businessinsider.com/the-daily-stormer-got-pushed...

dingnuts, 3 months ago

oh really? according to who? and for what business purpose?

tonetegeatinst, 3 months ago

Counterargument, and hear me out please.

Just because a few bad actors cause harm shouldn't mean everyone should be losing rights and giving up bits of their freedom because someone ruined it for everyone else.

Doesn't matter what it is: weapons, or fireworks, or even the right to code. Sacrificing everyone's rights and freedom to choose, all in the name of reducing the odds of something happening, seems odd. The very regulation of what someone can and cannot do, while it might theoretically reduce risk (an argument for correlation, not causation, exists here), can't possibly outweigh the fact that you're restricting people's free will and autonomy. The constant regulation and restriction of things in our lives only stifles innovation, acts as a barrier to entry, and forces the creativity out of people's lives.

CodeWriter23, 3 months ago

I call it optimizing for the corner cases.

teddyh, 3 months ago

Remote Access Trojans, not rodents.

mikestew, 3 months ago

Original title has “RATs”, but that seemed to have gotten edited/autocorrected away when it got to HN. Because, damn, that’s a hack I want to read about.

stavros, 3 months ago

I was really eager to see how they delivered rodents via Cloudflare, but my hopes were dashed.