August 2, 2024 at 03:24AM
Cybersecurity experts have noted a rise in the misuse of Clouflare’s TryCloudflare free service for distributing malware. Attackers are using it to create temporary tunnels to relay traffic from server to local machine. The campaign, targeting organizations globally, uses phishing emails to deliver various malware, with a focus on financial gain. The tactic allows attackers to evade detection effectively.
From the meeting notes, it’s clear that cybersecurity companies have observed an increase in the malicious abuse of Cloudflare’s TryCloudflare free service for delivering malware. The attackers utilize the service to create temporary tunnels, allowing them to relay traffic from an attacker-controlled server to a local machine through Cloudflare’s infrastructure.
The attack chains using this technique have been observed delivering various malware families, including AsyncRAT, GuLoader, PureLogs Stealer, Remcos RAT, Venom RAT, and XWorm. The initial access vector is a phishing email containing a ZIP archive that includes a URL shortcut file, leading to a Windows shortcut file hosted on a TryCloudflare-proxied WebDAV server. Subsequently, next-stage batch scripts are executed, leading to the retrieval and execution of additional Python payloads.
It’s noted that the phishing lures are written in English, French, Spanish, and German, with email volumes ranging from hundreds to tens of thousands of messages targeting organizations worldwide. The themes used cover a broad range of topics such as invoices, document requests, package deliveries, and taxes.
The campaign, although attributed to one cluster of related activity, has not been linked to a specific threat actor or group, but it’s assessed to be financially motivated. Furthermore, the exploitation of TryCloudflare for malicious purposes was first recorded last year in a campaign dubbed LABRAT, which utilized a critical flaw in GitLab to infiltrate targets and obscure command-and-control servers using Cloudflare tunnels.
The use of WebDAV and Server Message Block (SMB) for payload staging and delivery highlights the need for enterprises to restrict access to external file-sharing services to only known, allow-listed servers. Additionally, the use of Cloudflare tunnels provides threat actors with a method to scale their operations using temporary infrastructure, making it harder for defenders to rely on static blocklists to detect and take down instances.
The Spamhaus Project has called on Cloudflare to review its anti-abuse policies following the exploitation of its services by cybercriminals to mask malicious actions. This includes the movement of already listed domains to Cloudflare to disguise the backend of their operation.
Overall, the meeting notes highlight the evolving tactics of cybercriminals in exploiting Cloudflare’s services and the need for enhanced security measures to mitigate such threats.