August 2, 2024 at 06:48AM
Proofpoint reports that threat actors have been abusing Cloudflare Tunnels for roughly six months to distribute several remote access trojan (RAT) families. Since February 2024 the attackers have used the TryCloudflare feature to create one-time tunnels and deliver malware payloads through phishing messages. The attacks have hit organizations globally, with lures written in several languages. Because every TryCloudflare tunnel is disposable and comes with a freshly generated hostname, the attackers can rotate infrastructure faster than defenders can block individual indicators. The technique has been gaining popularity among multiple adversaries since 2023.
Key takeaways:
– Threat actors have been abusing Cloudflare Tunnels to distribute various remote access trojan (RAT) families since February 2024.
– The attackers have been abusing the TryCloudflare feature to create one-time tunnels without an account and use them for distributing malware such as AsyncRAT, GuLoader, Remcos, VenomRAT, and Xworm.
– A Cloudflare Tunnel makes a local service reachable from the internet through an outbound connection to Cloudflare's edge, so it gives remote access to resources outside the victim's network in much the way a VPN does, without the operator opening inbound ports or owning any public infrastructure.
– Phishing messages carry a URL, or an attachment that points to a URL, on a TryCloudflare hostname; following it connects the victim to an attacker-hosted external share, which starts a multi-stage infection chain that ends with the RAT being installed.
– Multiple language lures, including English, French, German, and Spanish, are used in the attacks, focusing on business-related topics.
– Cloudflare Tunnels give the threat actors throwaway infrastructure that scales at no cost, so defenders cannot rely on static blocklists of hostnames or IP addresses; detection has to key on the pattern of the activity rather than on any single indicator.
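One practical consequence of the last point is that defenders should hunt for the tunnel service itself rather than for individual hostnames: TryCloudflare quick tunnels are served under randomly generated subdomains of trycloudflare.com, and that suffix survives across campaigns even though each tunnel's hostname is one-time. The following script is an added example written for this page, not code from Proofpoint or the article. It assumes a constructed, simplified proxy log format ("timestamp client method url status"), and the list of file extensions it treats as delivery-stage artifacts (shortcut and script files fetched from the external share) is an assumption, not something the report enumerates.

```python
"""Flag proxy log entries that reach TryCloudflare quick-tunnel hostnames.

Added example, not part of the original article or the Proofpoint report.
The trycloudflare.com suffix is real; the log format, the sample entries and
the SUSPICIOUS_EXT list below are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Match the registrable suffix only, so a look-alike such as
# "nottrycloudflare.com" is not flagged, while any random subdomain is.
TRYCLOUDFLARE_RE = re.compile(r"(^|\.)trycloudflare\.com$", re.IGNORECASE)

# Assumed delivery-stage file types: shortcuts/scripts pulled from the share.
SUSPICIOUS_EXT = (".url", ".lnk", ".bat", ".cmd", ".vbs", ".zip")

# Constructed sample log, format: "<ts> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2024-07-29T09:12:03Z 10.1.4.22 GET https://intranet.example.com/index.html 200
2024-07-29T09:13:41Z 10.1.4.22 GET https://quiet-lamp-sample-words.trycloudflare.com/share/Invoice_2024.url 200
2024-07-29T09:14:05Z 10.1.4.22 GET https://quiet-lamp-sample-words.trycloudflare.com/share/stage2.bat 200
2024-07-29T09:20:17Z 10.1.4.31 GET https://www.cloudflare.com/products/tunnel/ 200
2024-07-29T09:21:00Z 10.1.4.31 GET https://nottrycloudflare.com/ 200
"""


def parse_line(line):
    """Split one log line into fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    u = urlsplit(url)
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "host": (u.hostname or "").lower(),
        "path": u.path,
        "status": status,
    }


def is_trycloudflare_host(host):
    """True if host is trycloudflare.com or any subdomain of it."""
    return bool(TRYCLOUDFLARE_RE.search(host))


def score(entry):
    """Return the list of reasons an entry is suspicious (empty if benign)."""
    reasons = []
    if is_trycloudflare_host(entry["host"]):
        reasons.append("trycloudflare quick-tunnel host")
        if entry["path"].lower().endswith(SUSPICIOUS_EXT):
            reasons.append("fetches delivery-stage file type")
    return reasons


def find_hits(log_text):
    """Return every parsed entry that scored at least one reason."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = score(entry)
        if reasons:
            hits.append({**entry, "reasons": reasons})
    return hits


def tunnel_hosts_by_client(hits):
    """Aggregate flagged hostnames per client; the hostnames themselves are
    one-time, so the per-client pattern is the durable signal, not the host."""
    seen = defaultdict(set)
    for h in hits:
        seen[h["client"]].add(h["host"])
    return {client: sorted(hosts) for client, hosts in seen.items()}


if __name__ == "__main__":
    for h in find_hits(SAMPLE_LOG):
        print(h["ts"], h["client"], h["host"] + h["path"], "|", "; ".join(h["reasons"]))
    print(tunnel_hosts_by_client(find_hits(SAMPLE_LOG)))
```

Run against real proxy or DNS logs, the suffix match is the part worth keeping; the extension heuristic only narrows the results to the delivery pattern the article describes and should be tuned to what the environment actually sees. Note that legitimate developers also use TryCloudflare, so hits are leads for triage, not automatic block decisions.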