Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label CloudFlare. Show all posts

Abuse of Cloudflare Tunnel Service for Malware Campaigns Delivering RATs

 

Researchers have raised alarms over cybercriminals increasingly exploiting the Cloudflare Tunnel service in malware campaigns that predominantly distribute remote access trojans (RATs). This malicious activity, first detected in February, utilizes the TryCloudflare free service to disseminate multiple RATs, including AsyncRAT, GuLoader, VenomRAT, Remcos RAT, and Xworm. Cloudflare Tunnel service allows users to proxy traffic through an encrypted tunnel to access local services and servers over the internet without exposing IP addresses. 

This service is designed to offer added security and convenience by eliminating the need to open public inbound ports or set up VPN connections. With TryCloudflare, users can create temporary tunnels to local servers and test the service without requiring a Cloudflare account. However, threat actors have abused this feature to gain remote access to compromised systems while evading detection. A recent report from cybersecurity company Proofpoint observed that malware campaigns are targeting organizations in the law, finance, manufacturing, and technology sectors with malicious .LNK files hosted on the legitimate TryCloudflare domain. The attackers lure targets with tax-themed emails containing URLs or attachments leading to the LNK payload. 

Once launched, the payload runs BAT or CMD scripts that deploy PowerShell, culminating in the download of Python installers for the final payload. Proofpoint reported that an email distribution wave starting on July 11 sent out over 1,500 malicious messages, a significant increase from an earlier wave on May 28, which contained fewer than 50 messages. Hosting LNK files on Cloudflare offers several advantages to cybercriminals, including making the traffic appear legitimate due to Cloudflare’s reputation. 

Additionally, the TryCloudflare Tunnel feature provides anonymity, and the temporary nature of the subdomains makes it challenging for defenders to block them effectively. The use of Cloudflare’s service is not only free and reliable but also allows cybercriminals to avoid the costs associated with setting up their own infrastructure. 

By employing automation to evade blocks from Cloudflare, these criminals can use the tunnels for large-scale operations. A Cloudflare representative stated that the company immediately disables and takes down malicious tunnels as they are discovered or reported by third parties. Cloudflare has also implemented machine learning detections to better contain malicious activity and encourages security vendors to submit suspicious URLs for prompt action. 

In light of this increasing threat, it is crucial for organizations to remain vigilant and enhance their cybersecurity measures to defend against these sophisticated malware campaigns.

Breaking Down the Clock PoC Exploits Utilized by Hackers Within 22 Minutes

 


It has been shown that threat actors are swift in weaponizing available proof-of-concept (PoC) exploits in real attacks, often within 22 minutes of publicly releasing these exploits. In that regard, Cloudflare has published its annual Application Security report for 2024, which covers the period between May 2023 and March 2024 and identifies emerging threat trends. It has been observed that Cloudflare, which currently processes an average of 57 million requests per second of HTTP traffic, continues to experience an increase in scanning for CVEs, followed by command injection attacks and attempts to weaponize available proofs-of-concept. 

Attackers may exploit a new vulnerability in as little as 22 minutes after the release of a proof-of-concept (PoC), depending on the vulnerability. It has been found that between May 2023 and May 2024, Cloudflare will receive 37,000 threats, which is the most significant number since May 2023. According to Cloudflare's Application Security Report for 2024, hackers are becoming more sophisticated in their search for previously unknown software vulnerabilities, also known as CVEs. They take immediate action when they find them, identifying how to exploit them and attempting to inject commands into them to execute attacks as soon as possible. 

Several CVE vulnerabilities have recently been revealed as vulnerabilities, but hackers have already been able to exploit them within 22 minutes of their disclosure. It was reported in the open-source community that CVE-2024-27198, a vulnerability in JetBrains TeamCity, was exploited by hackers. As a result of the evaluated period, the most targeted vulnerabilities were CVE-2023-50164 and CVE-2022-33891 within Apache software, CVE-2023-29298, CVE-2023-38203, and CVE-2023-26360 within Coldfusion software, and CVE-2023-35082 within Mobile Iron software. CVE-2024-27198 is a characteristic example of how weaponization is developing at an extremely fast rate since it is a vulnerability in JetBrains TeamCity that allows authentication bypass. 

During a recent incident, Cloudflare picked up on the fact that an attacker deployed a PoC-based exploit 22 minutes after it had been published, giving defenders very little time to remediate the attack. There can only be one way of combating this speed, according to the internet firm, and that is through the use of artificial intelligence (AI) to rapidly come up with effective detection rules. As DDoS attacks continue to dominate the security threat landscape, targeted CVE exploits are becoming a greater concern as well in the coming years.

Over a third of all traffic is automated today, and there is a possibility that up to 93% of it is malicious. Approximately 60% of all web traffic now comes from APIs, but only a quarter of companies know which API endpoints they have. Moreover, enterprise websites typically have 47 third-party integrations that are part of their platform. Cloudflare has also been able to gather some valuable information from the study, which is that in the case of API security, companies are still relying on outdated, traditional methods of providing API security. 

In the case of traditional web application firewall (WAF) rules, a negative security model is typically used in the design of those rules. It is assumed that the vast majority of web traffic will be benign in this scenario. Several companies utilize a positive API security model, where strictly defined rules dictate the web traffic that is allowed, while all other access is denied. Cloudflare's network currently processes 57 million HTTP requests per second, reflecting a 23.9% year-over-year increase. The company blocks 209 billion cyber threats daily, which is an 86.6% increase compared to the previous year. These statistics underscore the rapid evolution of the threat landscape. 

According to Cloudflare's report covering Q2 2023 to Q1 2024, there has been a noticeable rise in application layer traffic mitigation, growing from 6% to 6.8%, with peaks reaching up to 12% during significant attacks. The primary contributors to this mitigation are Web Application Firewalls (WAF) and bot mitigations, followed by HTTP DDoS rules. There is an increasing trend in zero-day exploits and Common Vulnerabilities and Exposures (CVE) exploitation, with some exploits being utilized within minutes of their disclosure. 

Distributed Denial of Service (DDoS) attacks remain the most prevalent threat, accounting for 37.1% of mitigated traffic. In the first quarter of 2024 alone, Cloudflare mitigated 4.5 million unique DDoS attacks, marking a 32% increase from 2023. The motivations behind these attacks range from financial gains to political statements.

Phishing Campaigns Exploit Cloudflare Workers to Harvest User Credentials

 

Cybersecurity researchers are raising alarms about phishing campaigns that exploit Cloudflare Workers to serve phishing sites designed to harvest user credentials associated with Microsoft, Gmail, Yahoo!, and cPanel Webmail. This attack method, known as transparent phishing or adversary-in-the-middle (AitM) phishing, employs Cloudflare Workers to act as a reverse proxy for legitimate login pages, intercepting traffic between the victim and the login page to capture credentials, cookies, and tokens, according to Netskope researcher Jan Michael Alcantara. 

Over the past 30 days, the majority of these phishing campaigns have targeted victims in Asia, North America, and Southern Europe, particularly in the technology, financial services, and banking sectors. The cybersecurity firm noted an increase in traffic to Cloudflare Workers-hosted phishing pages starting in Q2 2023, with a spike in the number of distinct domains from just over 1,000 in Q4 2023 to nearly 1,300 in Q1 2024. The phishing campaigns utilize a technique called HTML smuggling, which uses malicious JavaScript to assemble the malicious payload on the client side, evading security protections. 

Unlike traditional methods, the malicious payload in this case is a phishing page reconstructed and displayed to the user on a web browser. These phishing pages prompt victims to sign in with Microsoft Outlook or Office 365 (now Microsoft 365) to view a purported PDF document. If users follow through, fake sign-in pages hosted on Cloudflare Workers are used to harvest their credentials and multi-factor authentication (MFA) codes. "The entire phishing page is created using a modified version of an open-source Cloudflare AitM toolkit," Alcantara said. 

Once victims enter their credentials, the attackers collect tokens and cookies from the responses, gaining visibility into any additional activity performed by the victim post-login. HTML smuggling is increasingly favored by threat actors for its ability to bypass modern defenses, serving fraudulent HTML pages and other malware without raising red flags. One highlighted instance by Huntress Labs involved a fake HTML file injecting an iframe of the legitimate Microsoft authentication portal retrieved from an actor-controlled domain. This method enables MFA-bypass AitM transparent proxy phishing attacks using HTML smuggling payloads with injected iframes instead of simple links. 

Recent phishing campaigns have also used invoice-themed emails with HTML attachments masquerading as PDF viewer login pages to steal email account credentials before redirecting users to URLs hosting "proof of payment." These tactics leverage phishing-as-a-service (PhaaS) toolkits like Greatness to steal Microsoft 365 login credentials and bypass MFA using the AitM technique. The financial services, manufacturing, energy/utilities, retail, and consulting sectors in the U.S., Canada, Germany, South Korea, and Norway have been top targets. 

Threat actors are also employing generative artificial intelligence (GenAI) to craft effective phishing emails and using file inflation methods to evade analysis by delivering large malware payloads. Cybersecurity experts underscore the need for robust security measures and oversight mechanisms to combat these sophisticated phishing campaigns, which continually evolve to outsmart traditional detection systems.

DDOS attack brings the Internet to its knees

The fight between a spam fighting company called "Spamhaus" and a web hosting company called "Cyberbunker" has slowed down a majority of the internet by making DNS resolving slow.



The reason behind the attack is that Spamhaus added the IP addresses of cyberbunker to its "spam" list due to Cyberbunker allowing almost any sort of content to be hosted hence also maybe the source for spam. So Cyberbunker attacked back and this attack also affected normal internet users.

The attack was possible because of the large number of vulnerable DNS servers that allow open DNS resolving.Simply put an attack exploiting this type of vulnerability makes use of the vulnerability of the DNS server to increase the intensity of the attack 100 fold.

The origins of these type of attacks goes back to the 1990's to an attack called "smurf attack"

But now the attack method has become more efficient and uses DNS amplification to flood the victim with spoofed requests which are sent to the DNS servers by using a botnet of compromised computers.The attack at its peak reached a speed of 300 Gbps making it the largest DDOS attack in history.

Cyberbunker which claims itself to be a supporter of free speech and defender against the "big bullies" seems to have now have stooped down to their level of using aggressive offensive methods that affect the normal functioning of the internet.This is not the way to go !

The people who run DNS resolvers are also equally responsible for these attacks as its their vulnerable servers that make these attacks possible, the internet community should come up with a PERMANENT solution to this problem.

Please read cloudflare's blog post for a detailed analysis : http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet