Cloudflare tunnels used to steal data from victim systems: here's how

Cloudflare Tunnels are a feature that allows a secure, private connection to be established between a user's server and the Cloudflare network. It is a useful technology for protecting servers and resources inside a private network from cyber attacks and for making traffic safer and faster. In another article we saw how to get past the firewall with Cloudflare Tunnels, which also allow any service to be exposed, even one not based on HTTP/HTTPS.

Attackers around the world are increasingly using Cloudflare Tunnels to create HTTPS connections from compromised devices, circumvent firewalls, and maintain their presence on those devices over the long term.

This technique is not entirely new: as early as January 2023, attackers had started using malicious PyPI packages that relied on Cloudflare tunnels to stealthily exfiltrate data or remotely access other people's devices. The same trick is now being used by a growing number of criminals.

How Attackers Abuse Cloudflare Tunnels

Cloudflare Tunnels are mainly used to secure and speed up traffic between users' systems and the Cloudflare network, improving the security and efficiency of Internet communications.

To use Cloudflare Tunnels, you need to install a client on the server or device you want to connect to the Cloudflare network. The client establishes a secure connection to Cloudflare's servers and uses that encrypted tunnel to send and receive data.

Traffic is routed through Cloudflare's PoPs (Points of Presence) around the world: because they are physically located close to users' servers, performance can be maximized and latency reduced.

The report prepared by GuidePoint Security explains that a growing number of cyber attackers are abusing Cloudflare tunnels to gain stealthy, persistent access to the victim's network, evade detection by security solutions, and then steal personal data and confidential information from the compromised devices.

A single command executed on the victim's system is enough to set up the communication channel, and it exposes nothing but the unique token of the tunnel the attacker has created. The attacker can also change the tunnel's configuration at any time, disabling and re-enabling it as needed.

The cloud being used for nefarious purposes

As the GuidePoint researchers point out, the tunnel updates as soon as the attacker applies a configuration change in the Cloudflare web dashboard. In this way an attacker can, for example, enable Remote Desktop (the RDP protocol), collect information from the victim's machine, and then disable RDP again until a later date. This reduces the chances of detection and leaves the victim unaware of what is happening.

Since the HTTPS connection and data exchange take place over the QUIC protocol on port 7844, firewalls and other network security solutions are unlikely to flag the activity as potentially harmful.

The attacker can even take advantage of the "Try Cloudflare" feature, which lets users create one-off tunnels without even having an account.

Cloudflare's "Private networks" feature gives an attacker who has established a tunnel to a single victim client device remote access to an entire range of internal IP addresses.

To detect unauthorized use of Cloudflare tunnels, GuidePoint recommends that organizations monitor the specific DNS queries listed in the GuidePoint report and any use of non-standard ports such as 7844. It is also possible to detect the installation of the "cloudflared" client on corporate systems by matching file hashes or through centrally managed security solutions.

The hashes of the Cloudflare clients used to establish remote connections are known and are continuously updated as new versions are released. Moreover, as we saw in the article mentioned at the beginning, any kind of service can be exposed on the network using WebSocket connections and a SOCKS5 proxy.
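The following script is an added example (not from the article or from GuidePoint) that turns the detection advice above into code: it scans constructed DNS, flow and process-start log lines for queries to tunnel domains, outbound traffic to port 7844, and the cloudflared client identified either by its binary name or by a known file hash (which catches a renamed copy). Port 7844 and the "cloudflared" name come from the article; the domain suffixes are assumptions that should be replaced with the DNS indicators from the GuidePoint report, the log formats are invented for the example, and the "known" hash is a constructed value standing in for the real, regularly updated cloudflared release hashes.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Indicators. Port 7844 and the client name are from the article; the domain
# suffixes are assumptions standing in for the DNS list in the GuidePoint report.
TUNNEL_PORT = 7844
TUNNEL_DNS_SUFFIXES = ("argotunnel.com", "trycloudflare.com")
CLIENT_NAMES = ("cloudflared", "cloudflared.exe")


@dataclass
class Finding:
    source: str  # which log produced the hit
    reason: str  # why the line was flagged
    line: str    # the raw log line


def check_dns(line: str) -> Optional[Finding]:
    """Flag a DNS query log line whose queried name ends in a tunnel domain."""
    m = re.search(r"query:\s+(\S+)", line)
    if not m:
        return None
    name = m.group(1).rstrip(".").lower()
    if any(name == s or name.endswith("." + s) for s in TUNNEL_DNS_SUFFIXES):
        return Finding("dns", f"query for tunnel domain {name}", line)
    return None


def check_flow(line: str) -> Optional[Finding]:
    """Flag an outbound flow whose destination port is the tunnel port."""
    m = re.search(r"dst=(\S+):(\d+)\s+proto=(\w+)", line)
    if not m:
        return None
    port = int(m.group(2))
    if port == TUNNEL_PORT:
        return Finding("flow", f"outbound {m.group(3)} to {m.group(1)}:{port}", line)
    return None


def check_process(line: str, known_hashes: Set[str]) -> Optional[Finding]:
    """Flag a process start by known cloudflared hash (catches renamed binaries)
    or, failing that, by the binary name itself."""
    m = re.search(r"image=(\S+)\s+sha256=([0-9a-fA-F]{64})", line)
    if not m:
        return None
    image, digest = m.group(1), m.group(2).lower()
    basename = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if digest in known_hashes:
        return Finding("process", f"known cloudflared hash {digest[:12]}... ({image})", line)
    if basename in CLIENT_NAMES:
        return Finding("process", f"cloudflared binary name ({image})", line)
    return None


def scan(dns_lines: List[str], flow_lines: List[str],
         process_lines: List[str], known_hashes: Set[str]) -> List[Finding]:
    """Run all three checks and collect the findings."""
    findings = [f for f in map(check_dns, dns_lines) if f]
    findings += [f for f in map(check_flow, flow_lines) if f]
    findings += [f for f in (check_process(l, known_hashes) for l in process_lines) if f]
    return findings


# Constructed sample data (not real telemetry).
KNOWN_CLOUDFLARED_SHA256 = {hashlib.sha256(b"constructed cloudflared sample").hexdigest()}
_KNOWN = next(iter(KNOWN_CLOUDFLARED_SHA256))

SAMPLE_DNS = [
    "2024-05-02T10:00:01 client 10.1.2.3#51234: query: www.example.com IN A",
    "2024-05-02T10:00:05 client 10.1.2.3#51290: query: abc-def.trycloudflare.com IN A",
    "2024-05-02T10:00:06 client 10.1.2.3#51291: query: region1.v2.argotunnel.com IN A",
]
SAMPLE_FLOWS = [
    "src=10.1.2.3:44321 dst=203.0.113.10:443 proto=tcp bytes=1200",
    "src=10.1.2.3:50001 dst=198.51.100.7:7844 proto=udp bytes=98000",
]
SAMPLE_PROCESSES = [
    "user=svc image=C:\\Windows\\System32\\svchost.exe sha256="
    + hashlib.sha256(b"svchost").hexdigest(),
    # renamed client: caught by hash, not by name
    "user=bob image=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe sha256=" + _KNOWN,
    # unknown build: caught by name only
    "user=bob image=/usr/local/bin/cloudflared sha256="
    + hashlib.sha256(b"other build").hexdigest(),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_DNS, SAMPLE_FLOWS, SAMPLE_PROCESSES, KNOWN_CLOUDFLARED_SHA256):
        print(f"[{f.source}] {f.reason}")
```

In practice the three inputs would come from the resolver logs, NetFlow/firewall logs and EDR process telemetry, and the hash set would be refreshed from the vendor's release list, since the article notes that those hashes change with every cloudflared version.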
