Threat actors have been observed abusing an open source tool named Cloudflared to maintain persistent access to compromised systems and to steal information without being detected, cybersecurity firm GuidePoint Security reports.
Cloudflared is a command-line client for Cloudflare Tunnel, a tunneling daemon for proxying traffic between the Cloudflare network and the user’s origin. The tool creates an outbound connection over HTTPS, with the connection’s settings manageable via the Cloudflare Zero Trust dashboard.
Through Cloudflared, services such as SSH, RDP, SMB, and others are directly accessible from outside, without having to modify firewall rules.
For threat actors, this represents a great opportunity to maintain access to a victim’s environment without exposing themselves. However, the attacker does need access to the target system to execute Cloudflared and establish the connection.
“Since the Cloudflared execution only requires the token associated with the tunnel they’ve created, the [attacker] can initiate these commands without exposing any of their configurations on the victim machine prior to a successful tunnel connection,” GuidePoint explains.
Once the tunnel has been established, Cloudflared keeps the configuration in the running process, which allows the attacker to make changes on the fly once the connection has been established. All the attacker needs is for RDP and SMB to be enabled on the victim machine.
“From the victim machine perspective, the configurations are pulled at the initiation of the connection, and whenever there’s a change made to the Cloudflare Tunnel config. The tunnel updates as soon as the configuration change is made in the Cloudflare Dashboard,” GuidePoint notes.
This allows attackers to enable the required functionality only when they want to perform operations on the victim machine, then disable it to prevent detection.
Given that Cloudflared is a legitimate tool supported on major operating systems and that it establishes outbound connections to the Cloudflare infrastructure, most network defenses will allow the traffic.
It also allows attackers to maintain access to the victim network without exposing their infrastructure, except for the token assigned to their tunnel.
To successfully use Cloudflared, the attacker needs to create a tunnel to generate the required token, needs access to the victim system to run the tool, and needs “to connect to the Cloudflared tunnel as a client to access the victim machine”, GuidePoint explains.
The cybersecurity firm also points out that attackers could use a tunnel configuration feature called Private Networks to gain access to the local network as if they were “physically collocated with the victim machine hosting the tunnel”, and interact with any device on the network.
The main issue with the malicious use of Cloudflared, GuidePoint says, is that the tool does not store logs and the activity can only be viewed in real-time, if an administrator has access to the process in a command prompt or terminal.
If the command used to establish a tunnel has been observed, security teams could re-run it to identify existing Public Hostname configurations, but this temporarily exposes the host running the command to the attackers, who may take steps to protect themselves.
However, because Cloudflared does make specific queries, network defenders may look for those to identify the unexpected or unauthorized use of this tool.
“Organizations using Cloudflare services legitimately could potentially limit their services to specific data centers and generate detections for traffic like Cloudflared tunnels that route to anywhere except their specified data centers. This method might aid in the detection of unauthorized tunnels,” GuidePoint notes.