The times when malicious software was served from a sketchy .ru domain or a naked IP address located at some bullet-proof hosting provider are long gone. The threat actors use the same infra as everyone else - GCP, AWS, Azure, Cloudflare, etc.
They also use the same VPNs for connecting to your machines as your grandparents do for watching Netflix.
The internet as a whole is slowly but steadily moving towards a model where IP addresses and domain names are not useful indicators for security. You can not block your users from visiting Cloudflare or AWS IP ranges and you can not block visitors to your site from major commercial VPN providers.
In addition, all the traffic is encrypted, name lookups are encrypted, so a network operator can not tell anything about what you are doing on the internet.
This is a good thing for multiple reasons. First, it improves privacy and anonymity for internet users. Second, reducing the effectiveness of network security solutions will let us phase out their usage, which makes the network dumb again and prevents ossification. And third, it forces us to tackle the underlying security issues, rather than supporting a whole industry of ineffective whack-a-mole.
Getting a bit tired of these headlines about malware "delivery" via link shorteners or similar. Yeah, guess what - people can host files on the internet in various ways, what a shocker.
This isn't a link shortener - this is a tunnel so that a user sees they're connecting to cloud flare, even though on the back-end they are landing somewhere nefarious. The end-destination is completely hidden from the end-user (and any security stack their corporation may have in place).
I don't think it's unreasonable for people to expect cloudflare to be policing their own service for malware when they're trying to pitch themselves as a security product.
That's mildly valid. We can have some expectations for Cloudflare, but not that they outright police everybody that uses their service.
At the same time, this is exactly some variation of the "random people have put malware on random internet locations" scare the GP was talking about. If "malware somewhere on the internet" is a problem, we have to fix what turns it into a problem, because we just won't fix this one.
If certain subdomains keep getting subverted, a valid response is to block all those subdomains, in this case *.trycloudflare.com. It's like IP ranges of countries that don't bother with policing malicious activity.
The consequences for Cloudflare and its legitimate users might be anything but mild.
Krebs on Security shared data on absolute and relative phishing abuse by top-level domain in a recent post.
Yes, .com has the highest absolute number of phishing domains, but it also has the overwhelmingly highest number of registered domains period. The relative prevalence is only 24.2, as compared with 2nd-ranked (by absolute score) .top, with a phishing domain score of 422.7. That's still not the highest listed, which is .lol at 577.5.
<https://krebsonsecurity.com/2024/07/phish-friendly-domain-re...>
If you're looking at relative benefit vs. harm from blocking, blocking TLDs with a higher relative (abusive vs. legitimate) domains score gives an additional security benefit.
Reputation-based scoring by TLD, domain, ASN, or basis is likely to become more prevalent over time. We've already been doing that for email for over a quarter century, with the Spamhaus Project being founded in 1998 (it reports abusive email domains).
Most registrars are receptive to abuse complaints and will take down domains quickly if they're being created to host content that violates ToS/AUP.
TLDs that are most commonly abused actually do get blocked on a regular basis.
.ru, .io, .xyz, .cf, .tk, .ly, .top and .link are common examples.
Many corporate networks block URL shortener services for the same reason.
What is easy and has limited impact on your own operations will be done. Blocking *.trycloudflare.com is easy on entire fleets of servers and firewalls and has limited impact for, e.g., a company network.
People have, however, blocked .tk, .xyz, and other registrars that feature overwhelmingly in malware / scam domain lists.
All of .com? Nope.
But you can bet your ass we block newly registered domains and have an active list of domain reputations - your brand new .com or your axuuasck32213mczo.com malware domain isn't getting through any decent security tool.
If Cloudflare lets this continue, it's only a matter of time before trycloudflare.com's reputation puts them on block lists everywhere.
Wouldn't anyone serious about their website being reachable everywhere get their own domain name?
It wouldn't be an issue for trying it out if you don't block it yourself.
Why should they not be responsible for the things they allow on their service?
(note that I don't necessarily agree but that statement is loaded)
Everyone running a service on the internet has a responsibility to prevent abuse of that service. They should all have and monitor an abuse@ address where they accept notifications about problems they're causing others and they should act on those notices within a reasonable amount of time. When someone fails in that responsibility they should/will get blocked.
I hadn't heard of trycloudflare.com before, but it's blocked on my network for now. If I need to, I can re-evaluate that later.
Anyone running a service online can get caught off guard and be taken advantage of by scammers and assholes. It's an opportunity to shore up your security and monitoring. The bad actors will eventually move on to abuse easier targets and that's fine. When they do that doesn't invalidate the work someone put into making sure their service wasn't being repeatedly/routinely used to harm others.
There is a solution for this at the OS level. It's domain names, validated through DNS. Those let the user decide if they trust the other side of a connection.
Here cloudflare is showing they shouldn't be trusted, but because they are so big, we can't act on that. Blocking them would be bad, mocking them is the second best option.
It isn't really "putting the responsibility to mitigate this problem in its entirety" on them so much as it is "putting the responsibility to mitigate this problem *on their service*".
Large software companies seem to enjoy passing the buck in recent years if it might impact their profitability, which is fine, but to say they could not do anything about it is incorrect. It may not be feasible to do so and still operate the service, but that doesn't mean it isn't possible.
> but not that they outright police everybody that uses their service.
Same. I think they're getting too big to care, or even to attempt to do so.
There must be millions of piracy websites using them. Care was never there.
Like Google, who apparently can't be assed to do the most basic automatic checks.
But you're right, these big money-making companies are such snowflakes that you have to have some compassion with them, right.
DNS filtering, WAFs and curated naughty lists were never more than duct tape at best. I'm sure they are effective, but they don't approach the problem of vulnerable software or end users who download and execute untrusted software. At worst, they created an incentive for alarmist companies to scare users into using their half measures rather than comprehensively addressing the problem.
Only technical users recognize the name Cloudflare, and they know it’s a hosting service. This concern seems ridiculous to me.
This is about automated systems using domain reputation to block certain downloads.
Their systems are telling them that try.cloudflare.com is not a trustworthy domain, but it is so ubiquitous that blocking them isn't feasible.
How is that different from…any website, storage service or hosting provider on the internet?
You can't report it to Cloudflare in any meaningfully straightforward way and expect them to take it down. Even if you go through Cloudflare's incredibly laborious and intentionally problem-riddled abuse complaint process, and even if they take down one instance, bad actors can make thousands or tens of thousands (or more), so reporting this does effectively nothing.
Cloudflare is enshittifying the Internet once again.
(I don't care if this gets downvoted by CF fans - not a single one will engage meaningfully about any point asserted here)
Most sites are better about preventing and handling abuse of their service. When a service makes it difficult to report abuse to them, or fails to act on the abuse reports they get, they are the ones to blame.
Scammers and assholes will always exist. It's the responsibility of everyone operating a service on the internet to make sure that their service isn't acting as a safe-haven for those criminals and bad actors.
Google is somehow worse than cloudflare is. I heard recently that Google won't even accept an abuse complaint for docs.google.com unless you create and sign into a google account.
You can report a link that points to content on Google Drive or Dropbox or OneDrive or S3 or WeTransfer or MegaUpload or Bit.ly. Do you think that links pointing to any of those services are in any way anonymous?
It's not complicated.
> I don't think it's unreasonable for people to expect cloudflare to be policing their own service
On the contrary. The tendency of those expectations turning into assumptions is the wider issue.
> and any security stack their corporation may have in place
I mean if the security stack misses that (forgivable) but then allows this:
> When executed, it establishes a connection to an external file share, typically via WebDAV, to download an LNK or VBS file. When executed, the LNK/VBS executes a BAT or CMD file
It fucking sucks.
Just downloading a LNK or VBS file should be a massive red flag. Whoever decided that it was a good idea to hide file extensions from people by default was an idiot.
> Whoever decided….
Completely agree. And over the years I have found it sad how many people (some who considered themselves computer experts) I have had to explain to what extensions are, why they are needed, how to make them show, etc.
> The end-destination is completely hidden from the end-user
a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource.
> I don't think it's unreasonable for people to expect cloudflare to be policing their own service for malware when they're trying to pitch themselves as a security product.
But you're not the customer, you're the consumer.
Are they pitching themselves as safer for the consumer?
> user sees they're connecting to cloud flare
I see I am connecting to Comcast, it says so right on my modem.
oh no a tunneling service is used for tunneling /s
Well no, it's more like _ubiquitous tunneling service grants anonymous sign-up and thereby disguises origin and commingles traffic that Was Authenticated Somewhere with traffic that Could Be From Anyone, with the effect of opening a hole in your first line of defense_.
If you merely want to be edgy, then well done. Otherwise, a piece of advice, start by understanding the problem.
At this point --- and speaking for non-power-users --- this should be an OS interaction design problem.
Framing cloudflare as the enabler is missing the bigger picture.
I remember back in the day I needed to turn off autoplay on Windows to not get accidentally infected by malicious drives.
No one was insane enough to blame the CD-RW and flash drive manufacturers.
> No one was insane enough to blame the CD-RW and flash drive manufacturers.
cloudflare isn't acting like a CD-RW or a flash drive. They're acting like a storefront that sells fraudulent flash drives that say they're 1TB when they're actually 200MB, or don't work at all when you plug it in, or worse catch fire. A storefront that refuses to take the faulty products off the shelves when customers complain, refuses to stop selling merchandise they sourced from criminals, and refuses to do even basic due diligence to make sure the products they sell are legitimate.
People who operate stores have a responsibility to make sure that merchandise they sell to consumers isn't fraudulent and harmful. Companies offering their services online also have a responsibility to make sure that those services aren't being used to push fraudulent and harmful content onto consumers and that they aren't acting as safe-havens for criminals.
A file host is one or two orders of magnitude less involved than a store that stocks and sells products.
And if anything a file proxy is even further away.
Aside from process host and protocol, what makes it different from, let's say publicly available google drive?
I can, as a google admin, block links from outside the org; or, as a non-google admin, block google docs. The business may decide not to block, but if I have a good SIEM then I can still do something, possibly inspect the file before it hits the user's desktop.
I can't block cloudflare, unless I'm willing to block half the internet. If I try to do additional inspection, I've got huge amounts of noise and I'm going to make the internet unusably slow.
I quite like the status quo. I don't want Cloudflare or Google to block the files I'm trying to download just because they got a bunch of reports from clueless people or bots.
I want both to behave like dumb pipes. They don't have enough context to make any decisions like the ones you described. Ideally everything would be end to end encrypted so it'd be impossible for them to make the decision for me.
It would be nice if Cloudflare tried a bit harder to respond to abuse reports.
I don't think they've ever acted when I've reported obvious phishing and malware hosting to them.
I don't think I've ever seen an abuse report to anyone have a direct consequence. Phishing URLs I've reported never get added to any phishing lists, malware reports seem to go to /dev/null, and reporting spammers to their hosting services/registrars only seems to increase the amount of spam received.
Cloudflare should do better, but so should the entire industry. I get why companies selling security software report on this stuff, but this stuff is just a consequence of the internet allowing inbound connections sometimes.
The takeaway from this isn't "Cloudflare bad", but "block trycloudflare.com in your DNS server unless your devs use it for some reason". Same with Ngrok and any other dev tool like that.
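A small DNS-log filter of the kind the comment above describes (block trycloudflare.com and similar dev-tunnel domains, with an allowlist for the one name a dev team needs), as an added example that is not part of the thread or any vendor's code. The log format, the ngrok apex names, the blocked-TLD subset and every query line are constructed for this example.

```python
"""Constructed DNS-log filter: flag queries for dev-tunnel and abused-TLD names."""
import re
from typing import Iterable, List, Optional, Tuple

# Apex names whose whole subtree is blocked (the thread's "*.trycloudflare.com").
# trycloudflare.com comes from the thread; the ngrok entries are assumed examples.
BLOCKED_SUFFIXES = {"trycloudflare.com", "ngrok.io", "ngrok-free.app"}

# TLDs blocked outright; a constructed subset of the ones named in the thread.
BLOCKED_TLDS = {"tk", "cf", "top"}

# Exact names exempted because a dev team needs them (constructed).
ALLOWLIST = {"demo-staging.trycloudflare.com"}

# dnsmasq-style query lines; the format is assumed for this example.
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+) from (?P<client>\S+)")


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Foo.TryCloudflare.COM.' matches."""
    return name.strip().lower().rstrip(".")


def under_suffix(name: str, suffix: str) -> bool:
    """True for the apex itself and anything below it, never for 'nottrycloudflare.com'."""
    return name == suffix or name.endswith("." + suffix)


def block_reason(qname: str) -> Optional[str]:
    """Return why a name is blocked, or None if it should resolve normally."""
    name = normalize(qname)
    if name in ALLOWLIST:
        return None
    for suffix in BLOCKED_SUFFIXES:
        if under_suffix(name, suffix):
            return f"blocked suffix {suffix}"
    tld = name.rsplit(".", 1)[-1]
    if tld in BLOCKED_TLDS:
        return f"blocked tld .{tld}"
    return None


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, qname, reason) for each query the policy would block."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # replies, config lines, etc. carry no query to check
        reason = block_reason(m["qname"])
        if reason:
            hits.append((m["client"], normalize(m["qname"]), reason))
    return hits


# Constructed sample log; 192.0.2.x and 10.0.0.x are documentation/private ranges.
SAMPLE_LOG = """\
Aug 14 10:00:01 dnsmasq[42]: query[A] www.example.com from 10.0.0.5
Aug 14 10:00:02 dnsmasq[42]: query[A] Invoice-Update.TryCloudflare.COM. from 10.0.0.7
Aug 14 10:00:03 dnsmasq[42]: query[AAAA] demo-staging.trycloudflare.com from 10.0.0.9
Aug 14 10:00:04 dnsmasq[42]: query[A] nottrycloudflare.com from 10.0.0.5
Aug 14 10:00:05 dnsmasq[42]: query[A] login-portal.tk from 10.0.0.11
Aug 14 10:00:06 dnsmasq[42]: reply www.example.com is 192.0.2.10
""".splitlines()

if __name__ == "__main__":
    for client, qname, reason in scan_log(SAMPLE_LOG):
        print(f"{client} -> {qname}: {reason}")
```

The mixed-case, trailing-dot and "nottrycloudflare.com" lines are there because naive `endswith` or case-sensitive matching gets exactly those wrong.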
I find it bonkers that we have settled on a design for browsers under which merely clicking a link is enough to expose you to a malware threat.
It's like we received the good advice:
> don't eat things you can't identify
but somewhere along the way we got our wires crossed so now it's
> don't look at things you can't identify
But we're still acting like only an idiot would ever fail to adhere to this perfectly reasonable advice, when actually it's a recipe for having users with no idea what a real threat actually looks like.
Much better would be if you can safely click all links (just don't, you know, run it or whatever the dangerous action is) so that you can annotate what you find there as either threatening or trustworthy--the better to help out your peers.
Well, hyperlinks, SMTP, browser scripting (less so): these things come from a time when the internet was a community, not a venue for crime. The first viruses were from clever under-socialised children. It was a playground and everyone was safe.
Now we regret our naivety, but it's too late to take a systemic approach. It's all grandfathered in.
I think that sooner or later, the threats will become sophisticated enough to ungrandfather it.
I actually wrote about malicious use of this very tool a year ago[0] (almost to the day). The only thing new here seems to be what they’re doing through the tunnels, and the apparent success they’re having with this method for it to increase as a proportion of their overall attack techniques.
TryCloudflare, IMO, is the real problem here. It doesn’t require an account at all, so attribution becomes nearly impossible.
0: https://www.guidepointsecurity.com/blog/tunnel-vision-cloudf...
Isn't this what happens to every free quick tunnel product? Was kinda just waiting for this to play out. ngrok had nice zero friction tunneling when it came out but then they had to put everything behind a sign-up flow due to the same sort of abuse.
I would be disappointed in the attackers if it didn't. Free end-to-end encryption without any accountability tying it to a user? It's begging for abuse.
If it isn't Cloudflare tunnels, it's gonna be asking google to translate some webpage you host with a payload in the URL or something
This isn't news worthy
I guess this is why we can't have nice things on the internet (in this context, nice things from Cloudflare). Did you know you could send emails for free from Cloudflare (https://blog.cloudflare.com/sending-email-from-workers-with-...)? Well, now you can't. The sunsetting probably was not Cloudflare's fault, but it's more or less similar: nice service, abused.
For a long time, Cloudflare had a feature where you could "preview" custom CSS and HTML intended for use with their custom error pages. Basically, the preview feature just took CSS and HTML in a query string and then displayed it on cloudflarepreview.com/....
I reported it and showed how you could trivially create a page that said "Sign in to your Cloudflare account to get access to the Cloudflare beta preview!" and capture Cloudflare login credentials.
The bug bounty was closed as they said it was "accepted as the nature of the cloudflarepreview playground".
Then they fixed it by adding a JWT token to the URL (and no bounty paid).
I've been a Cloudflare customer for a long time but it seems that there are many dark corners of their products that just don't get a lot of attention until they are abused, and I suspect this TryCloudflare thing is one of them.
When it comes to "nobody wants to spend enough money to do moderation and anti-abuse well", it makes me wonder: Whatever happened to early PGP-era ideas that we'd somehow establish new webs of distributed trust and distrust of online identities?
I guess we sorta kinda have a little of that in the form of social-media accounts that get "trusted" based on the number of followers and their followers' followers and bots all the way down, etc. Or PageRank and SEO exploitation.
Everyone who is capable of your suggestion is not dumb enough to install a trojan in the first place.
Society better figure something out soon, because with all these ultra realistic deepfakes coming up, we better have a way for people to establish whether the source is authentic or not.
Nah, the ambiguity is exhilarating! :^)
I wonder if those dreaded endpoint security programs (i.e., ClownStrike) would have picked up on this type of attack.
I guess this type of traffic would only get flagged if attackers were skids (i.e., re-using known RATs)
Picked up? You'd configure Crowdstrike to stop any random exe from running at all. Doesn't matter if the attacker's using a known bad exe or not.
Clownstrike goes crazy
this reminds me of when those AOL free trial account disks were all over the place. in many circles an AOL subdomain would get instabanned
Even the *.ipt.aol.com ban was needed because one AOLer would use the HOST.ipt.aol.com rdns to ban evade and ruin it for everybody.
Prodigy / CompuServe / Blue Light gang checking in
Prodigy, haven't thought about that in a lot of years, thanks for the memory tickle. Even with the painted-with-bricks interface.
GEnie was another that was kind of fun. And I still can remember my CompuServe number!
My immediate internal spam/scam alarm goes off the moment I see "I hope this message finds you well"
Crimeflare strikes again.
Cloudflare has been infamous among sysadmins and threat hunters for over a decade [1,2] now for having an almost-nonexistent moderation program. Their services have been routinely abused by malicious actors for years [3,4,5,6,7]. They've arguably been the single largest commercial provider for criminals globally over that time period, including non-tech criminals like drug traffickers and actual terrorists [8,9], to say nothing of aiding and abetting war criminals [10].
In fact, Cloudflare is actually the second largest DNS provider in the world by number of domains served. [11]
They are in a position to log and analyze all of the traffic they decrypt, including all of the plaintext POST data, all of the cookies, all of the origin IPs, L7 payload sizes, and traffic timestamps for over 35 million websites.
Their extensive history of indiscriminately offering "free" services to evildoers likely ties back to their true purpose, which Matthew Prince has admitted to [12], which is to sell all of those passwords, all of that PII, all of your privacy, not only to the US government, but also to other bidders.
It is no exaggeration to say that anyone opposed to spam, phishing, malware, cybercrime, terrorism, war crimes, government surveillance dragnets, and infringements upon one's own digital privacy should have nothing but utter contempt for the soulless monsters responsible for this corporate atrocity.
If you are as passionate about the subject as I am after reading some of these citations, I'd encourage you to boycott any websites using CF that you don't need to visit, and make plenty of phone calls to California senators, representatives, and the governor demanding that the state of California revoke Cloudflare's corporate charter and right to conduct business in the state.
[1] https://www.malwarebytes.com/blog/news/2014/12/free-ssl-cert...
[2] https://forum.spamcop.net/topic/14194-cloudflare-bulletproof...
[3] https://thehackernews.com/2023/08/cybercriminals-abusing-clo...
[4] https://www.threatdown.com/blog/cloudflare-tunnel-increasing...
[5] https://any.run/cybersecurity-blog/clouflare-phishing-campai...
[6] https://venturebeat.com/security/rogue-ad-network-site-likel...
[7] https://portswigger.net/daily-swig/cybercriminals-use-revers...
[8] https://www.trendmicro.com/vinfo/us/security/news/cybercrime...
[9] https://cyberscoop.com/cloudflare-ipo-terrorism-narcotics/
[10] https://www.timesofisrael.com/us-firm-helps-hamas-netanyahu-...
[11] https://bgp.he.net/report/tophosts
[12] https://0xacab.org/blockedbyriseup/deCloudflare/-/raw/master...
They earned the nickname 'crimeflare' for a good reason and rightfully so.
> They are in a position to log and analyze all of the traffic they decrypt, including all of the plaintext POST data, all of the cookies, all of the origin IPs, L7 payload sizes, and traffic timestamps for over 35 million websites.
And equally so is whoever they trust to provide the hardware to host their website on. Most of the time, it's someone else.
(edit: Your last source is laughable. Some real conspiracy theory shit)
And what do you reckon the chance is that Azure and AWS and GCP are extracting ephemeral TLS session keys for every inbound HTTPS traffic stream bound for their customers, and decrypting every single stream?
The chance that cloudflare is getting access to all incoming traffic in plaintext is 100%.
Didn't mention anything about chances. If these companies wanted they could decrypt all traffic and it's easier than how you said (just swap out a web server binary or something). Although I must admit cloudflare has a worse track record
His last source is a word for word excerpt from a BBC article about Cloudflare, with the information coming directly from their reporter talking to the founder of Cloudflare. As far as I can tell the only thing the site he linked to added was they underlined some phrases.
When you say it is conspiracy theory shit (CTS) do you mean that what the text says is CTS, or do you mean that whatever inference the site that copied the text from the BBC is trying to get you to infer from their underlining is CTS?
The latter. For example, what is "tracked them" (going off memory here) even supposed to imply? Log the spammer email address and send it off wherever (which most mail services do), says the context. Just looks like a poor attempt to make cf look bad, unlike the others which cite real incidents
Your sources are ass man. Yah newsflash, CF is a hosting site and people make phishing pages. This shit is true with literally any cloud provider today that’s relevant on the internet.
The difference is, legitimate non-criminal providers don't flagrantly ignore abuse reports, but thanks for leading with a petty criticism of my citations rather than refuting the core of my argument, which you can't do.
[stub for offtopicness. title casing software begs forgiveness.]
Original title was "Threat Actor Abuses Cloudflare Tunnels to Deliver Rats", and even if I knew about malware through Cloudflare tunnels, it got my hopes too high.
I thought this was a terrible pun about using tunnels to deliver rodents, not delivering remote access trojans. I don't know which I would have liked better
Rodent-over-IP would be a fascinating read.
There’s actually a (really superb) Rust library/program for creating reverse tunnels over TCP, that’s called Rathole [0]. We used it [1] at my last startup and were mildly worried that one day we’d need to explain to a security auditor why we had a dependency called “rathole…”
Now everyone knows my YC 25 idea
It would never receive funding, viruses spread too quickly.
If history is any indication you can probably keep having the nice thing, because CF tends to look the other way when bad actors abuse their infrastructure.
Good. It should require a court order to take someone offline.
DDoS isn't protected by Cloudflare and is already illegal, hence the court orders which get them to act.
What you are asking for is KYC to be implemented.
I think the suggestion in the parent comment leaves room for a court order that bars providing service to certain individuals/organizations.
I have to provide services to anyone with money?
Ironically, Cloudflare removed DDoS protection from KiwiFarms without a court order due to a political pressure campaign.
court order by who?
Just don’t piss off Prince or {current_cf_ceo}, and you will be fine [1]
[1] https://www.businessinsider.com/the-daily-stormer-got-pushed...
oh really? according to who? and for what business purpose?
Unless CF is actually hosting the site, which is rare, the most they can do is no longer act as pass through. In which case, your problem isn't actually solved, they just move to another provider who offers similar.
You instead want to be talking to browser and search engine providers and reporting there, as well as your government for illegal activities.
I find that the domain registrar takes action more often than not (I guess because they're bound to ICANN's regulations), then the moment the domain is stopped Cloudflare sends an automated e-mail saying that they don't host the website because the DNS records stopped resolving.
Is the problem that the stressor services don't have robust KYC?
> Given that CFs bread and butter is selling DDoS mitigation this is a blatant conflict of interest.
There is no conflict when the goal is making money. They'll be glad to look the other way.
The more DDoS there are, the more business CF gets. Take your own conclusions…
so report them? this is like complaining that their domains are registered by GoDaddy, or their packets are delivered through the Internet by hurricane electric, or their local power company keeps their lights on
Counter argument and hear me out please.
Just because a few bad actors cause harm shouldn't mean everyone should be losing rights and giving up bits of their freedom because someone ruined it for everyone else.
Doesn't matter what it is: weapons, or fireworks, or even the right to code. Sacrifice of everyone's rights and freedom to choose all in the name of reducing the odds of something happening seems odd. The very regulation of what someone can and can not do, while it might theoretically reduce risk (an argument for correlation not causation exists here) can't possibly outweigh the fact you're restricting people's free will and autonomy. The constant regulation and restriction of things in our life only stifle innovation, act as barriers to entry, and force the creativity out of people's lives.
I call it optimizing for the corner cases.
Remote Access Trojans, not rodents.
Original title has “RATs”, but that seemed to have gotten edited/autocorrected away when it got to HN. Because, damn, that’s a hack I want to read about.
I was really eager to see how they delivered rodents via Cloudflare, but my hopes were dashed.
> You can not block your users from visiting Cloudflare or AWS IP ranges
I am pretty sure reddit does. I recently needed to rewrite/patch my tumblog backend software that uses yt-dlp to download reddit videos because reddit blocked the IP ranges of Hetzner's dedicated servers.
I circumvented this by downloading the videos on the client via javascript and uploading them to my server.
> you can not block visitors to your site from major commercial VPN providers.
You can if you can figure out their IP ranges. Some websites already do it and it is something I am looking into.
Another thing worth doing is blocking TOR by getting the exit node ip address list. Blocking TOR has saved me a lot of grief from bad actors.
> The times where malicious software was served from a sketchy .ru domain or a naked IP address located at some bullet-proof hosting provider are long gone. The threat actors use the same infra as everyone else - GCP, AWS, Azure, Cloudflare, etc.
I guess that's a consequence of law enforcement being completely unable or unwilling to actually tackle online crime (as long as it's not inconveniencing a large corporation in very specific domains such as copyright).
Why bother with bulletproof/etc hosts or sketchy domain registrars when you can use a mainstream one and get away with it?
The potential downside in my eyes is that regulators won't want to wait for the underlying issues to be solved and will instead opt for more aggressive identification. The worst case scenario is if the whole internet became like Facebook, requiring an account that's inextricably linked to your real identity just to view anything.
This is a great summation of why KYC is coming to cloud hosting.