Phishing campaign abuses Cloudflare Tunnels to sneak malware past firewalls

Why is Cloudflare Tunnel being abused?: The appeal of hosting attack infrastructure on Cloudflare Tunnel is that it is incredibly hard to detect or defend against. First, the tunnel is encrypted using HTTPS, which means the only way to see what’s inside it is by using some form of TLS inspection. However, this would need to be configured in advance, which is completely impractical for an ephemeral connection. That’s the whole point of tunnelling: you punch through everything, including firewalls and other network-level security layers. Second, as a large global Content Delivery Network (CDN), Cloudflare is a trusted domain. That means anything abusing it won’t be blocked by a traditional ‘bad IP’ static block list. Blocking Cloudflare or trycloudflare[.]com is impractical, as it would also stop legitimate use.

There are limits to blocking attacks: In truth, there is no simple way to stop this kind of piggybacking technique. In theory, one could block the Tunnel subdomain being abused, which sounds appealing but has a major gotcha: these domains are designed to be ephemeral, and attackers can simply configure and cycle through large numbers of them. The last option is to get Cloudflare itself to block the abuse. That might be successful as long as the company conducts deeper forensic examinations of the connections used to set up malicious domains. By the time this is done, though, the suspect domains will likely have vanished. In summary: “The abuse of Cloudflare Tunnel infrastructure further complicates network visibility by giving the actor a disposable and encrypted transport layer for staging malicious files without maintaining traditional infrastructure,” concluded Securonix’s Peck.

What to do: Securonix’s recommendations start with the most basic advice: block attachments and treat any external link as suspicious. That’s easier said than done, of course, although the rise of collaboration systems such as Teams gives employees an alternative way of sharing files that doesn’t involve sending and receiving emails. Beyond that, it’s a case of turning on more detailed endpoint logging, monitoring software tools when they’re executed from unusual locations, and enabling Windows file extension visibility, said Securonix.
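The three visibility controls above (tools launched from unusual locations, file extensions that hidden-extension settings would disguise, and the ephemeral tunnel hostnames that make blanket blocking impractical) can be turned into a simple triage pass over endpoint telemetry. The following is an added example written for this page; it is not code from the article, from CSO or from Securonix. The expected-directory list, the watched tool names and all sample events are constructed assumptions, and the tunnel-hostname check only surfaces `*.trycloudflare.com` lookups for analyst review rather than blocking the CDN, in line with the article's point that outright blocking is impractical.

```python
"""
Added example, not code from the article or from Securonix: a triage pass over
constructed endpoint telemetry that implements the visibility controls the
article recommends. It flags tools launched from unusual locations, flags
double-extension file names that hidden extensions would disguise, and surfaces
DNS lookups for ephemeral *.trycloudflare.com hostnames for analyst review
rather than blocking the whole CDN. All lists and event data are constructed.
"""
import re
from dataclasses import dataclass

# Directories from which admin/scripting tools are expected to run (assumption).
EXPECTED_TOOL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# User-writable staging locations commonly seen in mail-borne delivery (assumption).
UNUSUAL_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\downloads\\",
    "c:\\users\\public\\",
)
# Legitimate tool names worth watching when they run outside EXPECTED_TOOL_DIRS (constructed list).
WATCHED_TOOLS = {"python.exe", "powershell.exe", "rundll32.exe", "mshta.exe", "curl.exe"}

# A "document" extension immediately followed by an executable one, e.g. invoice.pdf.exe,
# which Explorer shows as "invoice.pdf" when extensions are hidden.
DOUBLE_EXT_RE = re.compile(
    r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.(exe|scr|lnk|js|vbs|bat|cmd|hta)$", re.I
)
# Quick-tunnel hostnames are random subdomains of trycloudflare.com; the apex itself is not matched.
TUNNEL_HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.trycloudflare\.com$", re.I)


@dataclass
class Event:
    kind: str   # "process" (image launched) or "dns" (hostname queried)
    value: str  # full image path, or the queried hostname


def check_process(image: str) -> list[str]:
    """Return finding labels for a process-creation event (empty list if benign)."""
    path = image.lower()
    name = path.rsplit("\\", 1)[-1]
    findings = []
    if DOUBLE_EXT_RE.search(name):
        findings.append("double-extension")
    if any(d in path for d in UNUSUAL_DIRS):
        findings.append("unusual-location")
    if name in WATCHED_TOOLS and not path.startswith(EXPECTED_TOOL_DIRS):
        findings.append("tool-outside-expected-dir")
    return findings


def check_dns(query: str) -> list[str]:
    """Return finding labels for a DNS query event; flags only tunnel subdomains."""
    host = query.strip().rstrip(".")
    return ["tunnel-hostname"] if TUNNEL_HOST_RE.match(host) else []


def triage(events: list[Event]) -> list[tuple[str, list[str]]]:
    """Run the checks over a batch of events; return only events that produced findings."""
    results = []
    for ev in events:
        findings = check_process(ev.value) if ev.kind == "process" else check_dns(ev.value)
        if findings:
            results.append((ev.value, findings))
    return results


# Constructed sample telemetry (not real indicators).
SAMPLE_EVENTS = [
    Event("process", "C:\\Windows\\System32\\cmd.exe"),
    Event("process", "C:\\Users\\alice\\AppData\\Local\\Temp\\Invoice_2024.pdf.exe"),
    Event("process", "C:\\Users\\alice\\Downloads\\python.exe"),
    Event("dns", "www.cloudflare.com"),
    Event("dns", "example-words-here.trycloudflare.com"),
]

if __name__ == "__main__":
    for value, findings in triage(SAMPLE_EVENTS):
        print(f"{value}: {', '.join(findings)}")
```

The DNS check deliberately matches only subdomains of trycloudflare.com, so ordinary cloudflare.com traffic and the apex domain never fire; the output is a review queue, not a block list, which is the realistic posture given that the subdomains rotate faster than any list can be maintained.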

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4009636/phishing-campaign-abuses-cloudflare-tunnels-to-sneak-malware-past-firewalls.html
