SecurityWeek reports that attacks leveraging the open source Cloudflare Tunnel client "Cloudflared" to establish persistent access to systems and to exfiltrate data stealthily are underway.
Because Cloudflared provides direct access to SSH, SMB, and RDP without requiring any changes to firewall rules, threat actors could maintain access to compromised systems without being detected, according to a GuidePoint report. "Since the Cloudflared execution only requires the token associated with the tunnel they've created, the [attacker] can initiate these commands without exposing any of their configurations on the victim machine prior to a successful tunnel connection," said GuidePoint, which noted that a successful Cloudflared attack requires three things: a tunnel created by the attacker that generates a token, access to the victim system, and a client connection to that tunnel.
Threat actors could also leverage the Private Networks tunnel configuration feature to reach the victim's local network. However, malicious use of Cloudflared can still be detected.
"Organizations using Cloudflare services legitimately could potentially limit their services to specific data centers and generate detections for traffic like Cloudflared tunnels that route to anywhere except their specified data centers. This method might aid in the detection of unauthorized tunnels," GuidePoint added.
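The detection approach GuidePoint describes can be implemented as a simple allowlist check over the client's own connection logs. The following Python is an added example written for this digest, not code from GuidePoint, Cloudflare, or the article: it assumes a key=value log format modeled on Cloudflared's "Registered tunnel connection" lines (the `location`, `connection` and `ip` field names are assumptions), and the data-center codes, IPs and sample log lines are constructed. Any tunnel registration that lands outside the organization's expected data centers, or that carries no location at all, is reported.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample log lines in a cloudflared-style key=value layout.
# These are not from a real host or from the article.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z INF Registered tunnel connection connIndex=0 "
    "connection=aaaa-1111 event=0 ip=198.51.100.10 location=iad01 protocol=quic",
    "2024-01-01T10:00:01Z INF Registered tunnel connection connIndex=1 "
    "connection=bbbb-2222 event=0 ip=198.51.100.11 location=iad03 protocol=quic",
    "2024-01-01T11:30:00Z INF Registered tunnel connection connIndex=0 "
    "connection=cccc-3333 event=0 ip=203.0.113.5 location=ams01 protocol=quic",
    # Edge case: a registration line with no location field at all.
    "2024-01-01T11:30:05Z INF Registered tunnel connection connIndex=1 "
    "connection=dddd-4444 event=0 ip=203.0.113.6 protocol=quic",
]

# Hypothetical allowlist: data-center code prefixes the organization expects
# its own tunnels to register with (e.g. "iad" matches iad01, iad03, ...).
ALLOWED_LOCATION_PREFIXES: Tuple[str, ...] = ("iad",)

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line: str) -> Dict[str, str]:
    """Extract key=value tokens from one log line into a dict."""
    return dict(KV_RE.findall(line))


def find_unexpected_tunnel_connections(
    lines: Iterable[str],
    allowed_prefixes: Tuple[str, ...] = ALLOWED_LOCATION_PREFIXES,
) -> List[Dict[str, str]]:
    """Return one finding per tunnel registration outside the allowed data centers.

    A registration with a missing location is treated as unexpected, so a
    log format change or a stripped field cannot silently disable the check.
    """
    findings: List[Dict[str, str]] = []
    for line in lines:
        if "Registered tunnel connection" not in line:
            continue
        fields = parse_kv(line)
        location = fields.get("location", "").lower()
        if not location or not location.startswith(allowed_prefixes):
            findings.append({
                "connection": fields.get("connection", "?"),
                "edge_ip": fields.get("ip", "?"),
                "location": location or "unknown",
                "raw": line,
            })
    return findings


if __name__ == "__main__":
    for f in find_unexpected_tunnel_connections(SAMPLE_LOGS):
        print(f"ALERT: tunnel {f['connection']} registered via {f['edge_ip']} "
              f"at location={f['location']}")
```

In a deployment the allowlist would come from the data centers the organization has actually pinned its services to, and the alert would be forwarded to the SIEM alongside the host name and the user account that launched the Cloudflared process.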
Ahead of its imminent approval, the Biden administration's proposed executive order, which would require U.S. cloud infrastructure-as-a-service providers to strengthen the verification of their users' identities, has drawn industry opposition over the added financial and logistical burdens such a rule would impose, according to The Record, a news site run by cybersecurity firm Recorded Future.
U.S. independent record label Empire Distribution, which has worked with Kendrick Lamar, Snoop Dogg, and 50 Cent, had its sensitive data exposed as a result of an environment file misconfiguration, Cybernews reports.