Open source Cloudflare Tunnel tool exploited in attacks

SecurityWeek reports that attacks leveraging the open source Cloudflare Tunnel client "Cloudflared" to establish persistent system access and stealthily steal data have been underway. Because Cloudflared exposes SSH, SMB, and RDP directly, with no firewall rule changes required, threat actors could retain access to compromised systems undetected, according to a GuidePoint report. "Since the Cloudflared execution only requires the token associated with the tunnel they've created, the [attacker] can initiate these commands without exposing any of their configurations on the victim machine prior to a successful tunnel connection," said GuidePoint, which noted that successful use of Cloudflared requires creating a tunnel (which generates the token), gaining access to the victim system, and connecting a client to the Cloudflared tunnel. Threat actors could also use the Private Networks tunnel configuration feature to reach the victim's local network. However, malicious use of the tool can also be detected through Cloudflared's own behaviour. "Organizations using Cloudflare services legitimately could potentially limit their services to specific data centers and generate detections for traffic like Cloudflared tunnels that route to anywhere except their specified data centers. This method might aid in the detection of unauthorized tunnels," GuidePoint added.
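An added example, not from the article or from GuidePoint, showing how the two observations above can be turned into a detection: flag cloudflared processes started with only a tunnel token (no local config file) and cloudflared connections that route to a data center outside the organisation's approved set. The telemetry lines, the key=value log format, and the data center identifiers are all constructed for the example; real values come from your own EDR and Cloudflare configuration.

```python
import re

# Constructed sample telemetry: process-start and network-connection events
# in a simple key=value line format (not a real product's log format).
SAMPLE_LOG = """\
type=process host=ws-01 image=cloudflared.exe cmdline="cloudflared.exe tunnel run --token TOKEN_PLACEHOLDER"
type=netconn host=ws-01 image=cloudflared.exe datacenter=dc-east
type=process host=srv-02 image=cloudflared cmdline="cloudflared tunnel --config /etc/cloudflared/config.yml run corp-tunnel"
type=netconn host=srv-02 image=cloudflared datacenter=dc-west
type=netconn host=ws-03 image=chrome.exe datacenter=dc-east
"""

# Data centers the organisation routes its legitimate tunnels to.
# Hypothetical identifiers; substitute the ones from your Cloudflare setup.
ALLOWED_DATACENTERS = {"dc-west"}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# A token-only launch: no config file on disk, as the article describes.
TOKEN_RUN = re.compile(r"\bcloudflared(?:\.exe)?\b.*\btunnel\b.*\brun\b.*--token\b")


def parse_line(line):
    """Parse one key=value telemetry line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def detect(log_text, allowed=ALLOWED_DATACENTERS):
    """Return (host, reason) findings for suspicious cloudflared activity."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev.get("image", "").startswith("cloudflared"):
            continue  # only the tunnel client itself is of interest here
        if ev.get("type") == "process" and TOKEN_RUN.search(ev.get("cmdline", "")):
            findings.append((ev["host"], "token-only tunnel run (no local config file)"))
        elif ev.get("type") == "netconn" and ev.get("datacenter") not in allowed:
            findings.append((ev["host"], f"tunnel to non-approved data center {ev.get('datacenter')}"))
    return findings


if __name__ == "__main__":
    for host, reason in detect(SAMPLE_LOG):
        print(f"{host}: {reason}")
```

Only ws-01 is flagged: srv-02 runs from a managed config file and connects to the approved data center, while the browser connection on ws-03 is ignored because it is not cloudflared.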
