Cybersecurity companies have observed a rise in malicious activity targeting organizations across various sectors, with attackers exploiting Cloudflare’s TryCloudflare free service to distribute malware.

Description

The attack chains involve creating a rate-limited tunnel through TryCloudflare to relay traffic from attacker-controlled servers to local machines via Cloudflare’s infrastructure. Malware families like AsyncRAT, Remcos RAT [3] [4], XWorm [4], VenomRAT [4], PureLogs Stealer [4], and GuLoader have been distributed using this technique. The initial access vector is a phishing email containing a ZIP archive with URL shortcut files, which lead to Windows shortcut files hosted on a TryCloudflare-proxied WebDAV server [3]. Recent observations show a surge in malware activity using malicious .LNK files hosted on the legitimate TryCloudflare domain.

The campaign is financially motivated and has not been attributed to a specific threat actor [3]. It was first recorded last year in a cryptojacking and proxyjacking campaign [3]. Cloudflare tunnels provide threat actors with temporary infrastructure to scale their operations and avoid detection [3]. The Spamhaus Project has urged Cloudflare to review its anti-abuse policies because cybercriminals are exploiting its services to conceal malicious actions [1] [3].
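The URL shortcut stage of this chain can be checked by inspecting shortcut contents at a mail gateway or on an endpoint. The following Python is an added example, not code from the cited reports: it parses a `.url` file and flags targets that point at a `trycloudflare.com` host over a UNC or `file://` (WebDAV/SMB) path. The sample shortcut, its hostname and the extension list are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

TUNNEL_SUFFIX = ".trycloudflare.com"
# Assumption: extensions treated as executable content; tune for your estate.
RISKY_EXT = (".lnk", ".bat", ".cmd", ".vbs", ".js", ".hta", ".ps1")

def extract_target(url_file_text):
    """Return the URL= value from the [InternetShortcut] section, or None."""
    section = None
    for raw in url_file_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "internetshortcut" and line.lower().startswith("url="):
            return line[4:].strip()
    return None

def parse_target(target):
    """Split a target into (scheme, host, path), covering UNC and file:// forms."""
    if target.startswith("\\\\"):
        # UNC path: \\host[@SSL][@port]\share\file ("@SSL" means WebDAV over HTTPS)
        host, _, path = target[2:].partition("\\")
        return "unc", re.split("[@:]", host)[0].lower(), "/" + path.replace("\\", "/")
    parts = urlsplit(target.replace("\\", "/"))
    scheme = parts.scheme.lower()
    if scheme == "file":
        # file://host@SSL/... : the host is the text before "@", not URL userinfo
        host = re.split("[@:]", parts.netloc)[0].lower()
    else:
        host = (parts.hostname or "").lower()
    return scheme, host, parts.path

def classify(url_file_text):
    """Describe where a .url shortcut points and whether it merits an alert."""
    target = extract_target(url_file_text)
    if target is None:
        return {"target": None, "host": "", "remote_file": False, "tunnel": False, "alert": False}
    scheme, host, path = parse_target(target)
    remote_file = scheme in ("unc", "file") and host not in ("", "localhost")
    tunnel = host.endswith(TUNNEL_SUFFIX)
    risky = path.lower().endswith(RISKY_EXT)
    return {"target": target, "host": host, "remote_file": remote_file,
            "tunnel": tunnel, "alert": tunnel and (remote_file or risky)}

# Constructed sample, not taken from any real campaign.
SAMPLE = "[InternetShortcut]\nURL=file://example-words-here.trycloudflare.com@SSL/DavWWWRoot/invoice.pdf.lnk\nIconIndex=0\n"

if __name__ == "__main__":
    print(classify(SAMPLE))
```

An ordinary `https://` link to a tunnel host sets `tunnel` without raising `alert`, so the result can feed a lower-severity review queue instead of a block.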

Conclusion

The exploitation of TryCloudflare for malicious purposes underscores the importance of enterprises restricting access to external file-sharing services. Cloudflare has introduced machine learning detections on its tunnel product to contain malicious activity and takes action against customers using its services for malware [2]. The use of WebDAV and SMB for payload staging and delivery highlights the need for enhanced security measures [1] [3]. Threat actors leveraging Cloudflare tunnels to scale operations with temporary infrastructure pose a challenge for defenders [1], which emphasizes the importance of continuous monitoring and mitigation strategies. The Spamhaus Project’s call for Cloudflare to review its anti-abuse policies reflects the ongoing battle against cybercriminals exploiting trusted services for malicious activities.

References

[1] https://cyber.vumetric.com/security-news/2024/08/02/cybercriminals-abusing-cloudflare-tunnels-to-evade-detection-and-spread-malware/
[2] https://www.blackhatethicalhacking.com/news/cybercriminals-exploit-cloudflare-tunnel-for-malware-campaigns/
[3] https://thehackernews.com/2024/08/cybercriminals-abusing-cloudflare.html
[4] https://www.443news.com/2024/08/attackers-leverage-cloudflare-tunnels-to-obscure-malware-distribution/