Cloudflare Tunnels exploited to deliver Malware & avoid Detection>
The Hacker News – Ravie Lakshmanan
Cybersecurity companies eSentire and Proofpoint have reported an increase in the abuse of Cloudflare’s TryCloudflare free service for malware delivery
Attackers are using TryCloudflare to create rate-limited tunnels that relay traffic from their servers to local machines through Cloudflare’s infrastructure
The attack chains involve phishing emails containing ZIP archives with URL shortcut files leading to a Windows shortcut file hosted on a TryCloudflare-proxied WebDAV server
The shortcut file executes next-stage batch scripts that retrieve and execute additional Python payloads while displaying a decoy PDF document to maintain the ruse
The scripts use direct syscalls to bypass security monitoring tools and employ Early Bird APC queue injection to stealthily execute code and evade detection
The phishing lures are written in English, French, Spanish, and German, targeting organizations worldwide
While the campaign is attributed to one cluster of related activity, it has not been linked to a specific threat actor or group
However, it is believed to be financially motivated
The exploitation of TryCloudflare for malicious purposes was first recorded in 2022 during the LABRAT campaign, which weaponized a critical flaw in GitLab to infiltrate targets and obscure C2 servers using Cloudflare tunnels
The use of WebDAV and SMB for payload staging and delivery requires enterprises to restrict access to external file-sharing services to only known, allow-listed servers
Cloudflare tunnels provide threat actors with temporary infrastructure to scale their operations and make it harder for defenders to rely on static blocklists
The Spamhaus Project has called on Cloudflare to review its anti-abuse policies, as cybercriminals exploit its services to mask malicious actions and enhance their operational security through “living-off-trusted-services” (LoTS).
Link: https://thehackernews.com/2024/08/cybercriminals-abusing-cloudflare.html