Connect with us

Hi, what are you looking for?


Malware & Threats

Threat Actors Abuse Cloudflare Tunnel for Persistent Access, Data Theft

Threat actors have been observed abusing the open source Cloudflare Tunnel tool Cloudflared to maintain stealthy, persistent access to compromised systems.

Threat actors have been observed abusing an open source tool named Cloudflared to maintain persistent access to compromised systems and to steal information without being detected, cybersecurity firm GuidePoint Security reports.

Cloudflared is a command-line client for Cloudflare Tunnel, a tunneling daemon for proxying traffic between the Cloudflare network and the user’s origin. The tool creates an outbound connection over HTTPS, with the connection’s settings manageable via the Cloudflare Zero Trust dashboard.

Through Cloudflared, services such as SSH, RDP, SMB, and others are directly accessible from outside, without having to modify firewall rules.

For threat actors, this represents a great opportunity to maintain access to a victim’s environment without exposing themselves. However, the attacker does need access to the target system to execute Cloudflared and establish the connection.

“Since the Cloudflared execution only requires the token associated with the tunnel they’ve created, the [attacker] can initiate these commands without exposing any of their configurations on the victim machine prior to a successful tunnel connection,” GuidePoint explains.

Once the tunnel has been established, Cloudflared keeps the configuration in the running process, which allows the attacker to make changes on the fly once the connection has been established. All the attacker needs is for RDP and SMB to be enabled on the victim machine.

“From the victim machine perspective, the configurations are pulled at the initiation of the connection, and whenever there’s a change made to the Cloudflare Tunnel config. The tunnel updates as soon as the configuration change is made in the Cloudflare Dashboard,” GuidePoint notes.

Advertisement. Scroll to continue reading.

This allows attackers to enable the required functionality only when they want to perform operations on the victim machine, then disable it to prevent detection.

Given that Cloudflared is a legitimate tool supported on major operating systems and that it establishes outbound connections to the Cloudflare infrastructure, most network defenses will allow the traffic.

It also allows attackers to maintain access to the victim network without exposing their infrastructure, except for the token assigned to their tunnel.

To successfully use Cloudflared, the attacker needs to create a tunnel to generate the required token, needs access to the victim system to run the tool, and needs “to connect to the Cloudflared tunnel as a client to access the victim machine”, GuidePoint explains.

The cybersecurity firm also points out that attackers could use a tunnel configuration feature called Private Networks to gain access to the local network as if they were “physically collocated with the victim machine hosting the tunnel”, and interact with any device on the network.

The main issue with the malicious use of Cloudflared, GuidePoint says, is that the tool does not store logs and the activity can only be viewed in real-time, if an administrator has access to the process in a command prompt or terminal.

If the command used to establish a tunnel has been observed, security teams could re-run it to identify existing Public Hostname configurations, but this temporarily exposes the host running the command to the attackers, who may take steps to protect themselves.

However, because Cloudflared does make specific queries, network defenders may look for those to identify the unexpected or unauthorized use of this tool.

“Organizations using Cloudflare services legitimately could potentially limit their services to specific data centers and generate detections for traffic like Cloudflared tunnels that route to anywhere except their specified data centers. This method might aid in the detection of unauthorized tunnels,” GuidePoint notes.

Related: This New Era of Security Requires Secure Networking, Vendor Consolidation, and Focus on OT

Related: Attackers Abuse Kubernetes RBAC to Deploy Persistent Backdoor

Related: Hackers Can Abuse Legitimate Features to Hijack Industrial Controllers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.