Cloudflare Tunnel Abuse: A Growing Threat in Cybersecurity

CyberSecureFox 🦊

Cybersecurity researchers at Proofpoint have uncovered a disturbing trend: cybercriminals are increasingly exploiting Cloudflare Tunnel functionality to distribute malware, particularly Remote Access Trojans (RATs). This development has raised concerns in the cybersecurity community and sparked criticism from Spamhaus regarding Cloudflare’s response to the issue.

The Rise of Cloudflare Tunnel Abuse

Since the activity was first observed in February 2023, threat actors have been leveraging the free TryCloudflare service to spread various RATs, including AsyncRAT, GuLoader, VenomRAT, Remcos RAT, and Xworm. Cloudflare Tunnel, a popular feature that lets users expose local services and servers to the internet through an encrypted tunnel proxied by Cloudflare, without revealing their own IP addresses, has become an attractive tool for malicious actors.

How TryCloudflare is Being Exploited

TryCloudflare enables users to create temporary tunnels to local servers without requiring a Cloudflare account. Each tunnel generates a temporary random subdomain on trycloudflare.com, which is then used to route traffic through Cloudflare’s network to the local server. Cybercriminals are taking advantage of this functionality to gain remote access to compromised systems while evading detection.

Proofpoint’s Findings: A Sophisticated Attack Chain

Proofpoint researchers have identified malware campaigns targeting legal, financial, manufacturing, and technology organizations. The attacks utilize malicious .LNK files hosted on legitimate TryCloudflare domains. The attack chain typically begins with phishing emails containing URLs or attachments leading to the .LNK payload. When executed, this payload triggers a BAT or CMD script that deploys PowerShell, followed by Python installers for the final malware payload.
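The two facts above (each quick tunnel gets a random subdomain under trycloudflare.com, and the observed chain starts with a .LNK download followed by a BAT or CMD script) give defenders a simple thing to look for in web-proxy logs. The following Python is an added illustration written for this article, not code from Proofpoint or Cloudflare; the log line format, the field names and the sample log entries are constructed for the example. It flags every request to a trycloudflare.com host, rates downloads of shortcut or batch/command files as high severity, and leaves other tunnel traffic as informational because TryCloudflare also has legitimate development uses.

```python
"""
Flag proxy-log requests that match the TryCloudflare delivery pattern described
in the article: a download from a random *.trycloudflare.com subdomain,
especially of a Windows shortcut (.lnk) or a BAT/CMD script.

Added example, not Proofpoint's or Cloudflare's code. The log format
"<timestamp> <client_ip> <method> <url> <status>" and all sample lines are
constructed for this illustration.
"""
import re
from typing import List, NamedTuple, Optional, Tuple
from urllib.parse import urlparse

# Constructed log format; a real deployment would adapt this to its proxy's format.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# TryCloudflare issues a random subdomain under this zone for each quick tunnel.
TRYCLOUDFLARE_ZONE = "trycloudflare.com"

# File types that appear in the attack chain on the page: shortcut, then BAT/CMD.
STAGE_EXTENSIONS = {".lnk", ".bat", ".cmd"}


class Finding(NamedTuple):
    ts: str
    client: str
    host: str
    path: str
    severity: str  # "high" for a staging file, "info" for other tunnel traffic


def is_trycloudflare_host(host: str) -> bool:
    """True only for the zone itself or a real subdomain of it.

    A suffix check on the full label avoids matching look-alike names such as
    "trycloudflare.com.something.example", which merely contain the string.
    """
    host = host.lower().rstrip(".")
    return host == TRYCLOUDFLARE_ZONE or host.endswith("." + TRYCLOUDFLARE_ZONE)


def extension_of(path: str) -> str:
    """Return the lower-cased extension of the last path segment, or ""."""
    dot = path.rfind(".")
    slash = path.rfind("/")
    return path[dot:].lower() if dot > slash else ""


def classify(url: str) -> Optional[Tuple[str, str, str]]:
    """Return (host, path, severity) for tunnel URLs, None for everything else."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if not is_trycloudflare_host(host):
        return None
    severity = "high" if extension_of(parsed.path) in STAGE_EXTENSIONS else "info"
    return host, parsed.path, severity


def scan_log(lines: List[str]) -> List[Finding]:
    """Parse constructed proxy lines and collect every trycloudflare.com request."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the scan
        result = classify(m.group("url"))
        if result is None:
            continue
        host, path, severity = result
        findings.append(Finding(m.group("ts"), m.group("client"), host, path, severity))
    return findings


def high_severity(findings: List[Finding]) -> List[Finding]:
    """Only the findings worth paging on: staging files fetched from a tunnel."""
    return [f for f in findings if f.severity == "high"]


# Constructed sample log. Subdomains are invented; the ".lnk then .bat" sequence
# mirrors the chain described in the article. The last line is a look-alike host
# that must NOT be flagged.
SAMPLE_LOG = [
    "2023-07-11T09:14:02Z 10.0.0.23 GET https://www.example.com/index.html 200",
    "2023-07-11T09:15:40Z 10.0.0.23 GET https://random-words-example.trycloudflare.com/invoice.lnk 200",
    "2023-07-11T09:15:41Z 10.0.0.23 GET https://random-words-example.trycloudflare.com/helper.bat 200",
    "2023-07-11T09:16:03Z 10.0.0.45 GET https://dev-demo-constructed.trycloudflare.com/api/status 200",
    "2023-07-11T09:16:10Z 10.0.0.45 GET https://trycloudflare.com.lookalike.example/x.lnk 200",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.severity:4} {f.ts} {f.client} {f.host}{f.path}")
```

Running the block prints two high-severity findings for client 10.0.0.23 (the .lnk followed by the .bat from the same tunnel host) and one informational entry for 10.0.0.45; the look-alike domain is ignored. Because the subdomains are random and short-lived, the useful signal is the pattern (tunnel host plus staging file type, ideally within minutes of an inbound email) rather than any particular hostname, which is why the example keys on the zone suffix and the file extension instead of a blocklist.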

Scale and Impact of the Attacks

A recent malicious email campaign, starting on July 11, 2023, distributed over 1,500 malicious emails, significantly more than an earlier wave on May 28, which involved fewer than 50 messages. This escalation highlights the growing adoption of this attack method among cybercriminals.

Advantages for Attackers and Cloudflare’s Response

Hosting malicious files on Cloudflare’s infrastructure provides attackers with several benefits, including the ability to disguise traffic as legitimate due to Cloudflare’s reputation. The TryCloudflare feature offers anonymity, and the temporary nature of the subdomains makes blocking efforts largely ineffective. Additionally, the service is free and reliable, eliminating the need for attackers to invest in their own infrastructure.

In response to these findings, Cloudflare has stated that they promptly disable and remove any malicious tunnels upon detection. The company has implemented machine learning techniques to better contain potential malicious activity and encourages security providers to report suspicious URLs for swift action.

Criticism from Spamhaus and Industry Implications

Spamhaus, a non-profit organization, has criticized Cloudflare for allegedly turning a blind eye to cybercriminal resources within its infrastructure. They claim that approximately 10% of resources on the Spamhaus blacklist successfully use Cloudflare services for protection, with over 1,200 unresolved complaints.

This situation highlights the ongoing challenge of balancing service provision with security responsibilities in the cybersecurity industry. As threat actors continue to exploit legitimate services, companies like Cloudflare face increasing pressure to enhance their abuse detection and prevention mechanisms while maintaining the integrity of their services for legitimate users.

As the cybersecurity landscape evolves, it is crucial for both service providers and users to remain vigilant and adaptive. Organizations should implement robust security measures, including advanced threat detection systems and employee training programs, to mitigate the risks posed by these sophisticated attack methods. Collaboration between cybersecurity firms, service providers, and law enforcement agencies will be essential in addressing these emerging threats effectively.
