Cloudflare’s free tunnels plagued by RATs and other malware, researchers warn


Cybercriminals have found a no-cost professional infrastructure to perform their attacks and deliver malware. It’s Cloudflare’s free tier tunnel service, which is supposed to protect legitimate web services.

Cybersecurity company Proofpoint has observed malicious actors increasingly delivering remote access trojans (RATs) via TryCloudflare Tunnel abuse. Tunnels are a way to remotely access data and resources on a remote server, similar to a VPN. TryCloudflare lets anyone create one with a single command, without an account.

The volume of messages in a single malicious campaign ranges from hundreds to tens of thousands, and cybercriminals impact thousands of organizations globally.


In July alone, cybercrooks launched at least 26 campaigns, observed by Proofpoint, delivering trojans like XWorm or AsyncRat.

“The activity abuses the TryCloudflare feature that allows an attacker to create a one-time tunnel without creating an account,” the report reads.

“The threat activity set behind the campaigns has modified tactics, techniques, and procedures in attempts to bypass detection and improve efficacy.”

A cluster of criminal activity appears to sprout from a single financially motivated threat actor. However, Proofpoint hasn’t attributed it to any tracked malicious group.

Here’s how it works: In most campaigns, victims receive messages with links or attachments that lead to an internet shortcut (URL) file. Some messages were tax-themed, targeting law, finance, manufacturing, and technology organizations; others used different business-relevant topics, such as invoices, document requests, or package deliveries.

Cybercriminals used English, French, Spanish, and German language lures.

The user, if they click the link or open the attachment, is then redirected to a remote LNK file, usually hosted on TryCloudflare. LNK is a shortcut file that usually points to other files or programs. Threat actors use them to execute CMD or BAT scripts, which then deliver the malicious payload.

In other cases, instead of LNK files, hackers used VBS scripts, which deliver similar outcomes.


“The attack chain requires significant victim interaction in order to detonate the final payload, including clicking on the malicious link, double clicking on multiple files such as the LNK or VBS files, and unzipping compressed scripts. This gives the recipient multiple opportunities to identify suspicious activity and disrupt the attack chain before successful execution,” researchers explain.

[Image: attack chain scheme. Image by Proofpoint.]

“Cloudflare tunnels provide the threat actors a way to use temporary infrastructure to scale their operations providing flexibility to build and take down instances in a timely manner. This makes it harder for defenders and traditional security measures such as relying on static blocklists,” the report reads.

In 2023, attackers started using temporary Cloudflare instances as a low-cost method to stage attacks with helper scripts, with limited exposure for detection and takedown efforts. Each use of TryCloudflare Tunnels generates a random subdomain, for example, ride-fatal-italic-information[.]trycloudflare[.]com. Traffic to the subdomains is proxied through Cloudflare to the operators’ local server.

The threat cluster’s activity increased from May through July. Hackers keep modifying their attack chain to increase sophistication and evade detection. Proofpoint recommends that firms restrict access to external file sharing services to only known, safelisted servers.
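The two defensive points above, random `*.trycloudflare.com` hostnames and a safelist for external file-sharing hosts, can be turned into a simple proxy-log triage. The following is an added example, not code from the article or from Proofpoint; the log lines, the safelist entries and the tunnel hostnames are constructed, with the hostname shape following the article's example `ride-fatal-italic-information[.]trycloudflare[.]com`.

```python
"""Triage proxy-log URLs for TryCloudflare quick-tunnel hosts and for
script/archive downloads from hosts outside a file-sharing safelist.

Added example, not code from the article or from Proofpoint. The log
lines, the safelist entries and the tunnel hostnames are constructed.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: hosts this organisation has approved for external file sharing.
SAFELIST = {"files.example-partner.com", "sharepoint.example.com"}

# File types that appear in the attack chain the article describes
# (internet shortcut, LNK, CMD/BAT, VBS, compressed scripts).
SCRIPT_EXTENSIONS = {"url", "lnk", "bat", "cmd", "vbs", "zip"}

# Any label(s) under trycloudflare.com; quick tunnels get a random label,
# so matching the zone is more robust than matching a four-word pattern.
TRYCLOUDFLARE_RE = re.compile(r"^(?:[a-z0-9-]+\.)+trycloudflare\.com$")

# Constructed sample log: timestamp, client IP, requested URL, HTTP status.
SAMPLE_LOG = """\
2024-07-08T10:01:12Z 10.0.0.21 https://files.example-partner.com/q3/invoice.pdf 200
2024-07-08T10:02:45Z 10.0.0.34 https://ride-fatal-italic-information[.]trycloudflare[.]com/tax.lnk 200
2024-07-08T10:03:02Z 10.0.0.34 http://ride-fatal-italic-information.trycloudflare.com/run.bat 200
2024-07-08T10:05:19Z 10.0.0.50 https://www.example.org/index.html 200
2024-07-08T10:06:33Z 10.0.0.77 https://sharepoint.example.com/sites/hr/policy.docx 200
2024-07-08T10:07:41Z 10.0.0.50 https://cdn.example.net/docs/package.zip 200
"""


def refang(url):
    """Turn defanged '[.]' notation (as used in reports) back into dots."""
    return url.replace("[.]", ".")


def hostname_of(url):
    return (urlsplit(refang(url)).hostname or "").lower()


def extension_of(url):
    path = urlsplit(refang(url)).path
    last = path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def is_trycloudflare(host):
    return TRYCLOUDFLARE_RE.match(host.lower()) is not None


def parse_line(line):
    fields = line.split()
    if len(fields) != 4:
        return None  # skip malformed lines instead of aborting the run
    ts, client, url, status = fields
    return {"ts": ts, "client": client, "url": url, "status": status}


def triage(log_text, safelist=SAFELIST):
    """Return one finding per log line that matches a detection rule."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = hostname_of(rec["url"])
        if not host:
            continue
        if is_trycloudflare(host):
            reason = "trycloudflare-tunnel"
        elif host not in safelist and extension_of(rec["url"]) in SCRIPT_EXTENSIONS:
            reason = "unsafelisted-script-download"
        else:
            continue
        findings.append({"ts": rec["ts"], "client": rec["client"], "host": host,
                         "url": refang(rec["url"]), "reason": reason})
    return findings


def clients_by_hits(findings):
    """Count findings per client IP so the noisiest hosts surface first."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['client']} {f['reason']:28} {f['host']}")
    print(clients_by_hits(results))
```

The tunnel rule matches the whole `trycloudflare.com` zone rather than a specific four-word label, since each tunnel gets a fresh random subdomain and a static blocklist of observed hostnames would lag behind the operators, which is exactly the weakness the report points out. The second rule is the safelist recommendation in practice: script, shortcut and archive downloads are only tolerated from approved file-sharing hosts.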

Cloudflare's abuse management and prevention policies were questioned recently by the non-profit organization Spamhaus Project. The watchdog said that cybercriminals exploit Cloudflare services and the abuse reports remain unresolved.