Saturday, February 14, 2026

Cyber Criminals Actively Exploiting Cloudflare Tunnels for Sophisticated Attacks

Security analysts are sounding the alarm as cybercriminals increasingly weaponize Cloudflare tunnels, leveraging the popular cloudflared tool to orchestrate stealthy, persistent attacks on enterprise networks.

Once a go-to utility for secure remote access and frictionless web app deployments, Cloudflared is now at the heart of an alarming new adversary toolkit, favored by ransomware syndicates and advanced persistent threat (APT) actors.

Cloudflared Management Panel

Technical Exploitation of Cloudflared

Cloudflared and Tunneling Basics

At its core, Cloudflared enables secure tunneling, a process that encapsulates data in additional protocols, creating a secure channel between endpoints across untrusted networks.

System administrators have long used such tunnels for remote management, safeguarding internal resources from exposure.

However, this same mechanism allows adversaries to maintain undetected, persistent access within compromised environments.

Cloudflared Abuse Lifecycle

Abuse Lifecycle: How Attackers Exploit Cloudflared

Attackers typically gain initial access via compromised VPNs, RDP, or phishing. Once inside, they deploy malicious Cloudflared instances, often renamed to masquerade as benign system processes (e.g., svchost.exe, LogMeInUpdater.exe).

With tunnels established, adversaries effectively gain a foothold on the local network, facilitating lateral movement and data exfiltration while evading detection.

A breakdown of the attack lifecycle:

  1. Initial Access: Via phishing, stolen credentials, or vulnerabilities.
  2. Cloudflared Deployment: Malicious binaries installed, often with inconspicuous names.
  3. Tunnel Establishment: Attackers use Cloudflared to create encrypted tunnels for covert command, control, and data transfer.
  4. Persistence & Lateral Movement: The tunnel provides a continuous backdoor, enabling further compromise and extortion.

Token Structure and Exploitation

Every Cloudflared tunnel requires a connection token, typically passed via command-line:

```
cloudflared tunnel run --token <cloudflared_token>
```

The token itself is a Base64-encoded JSON object with three key fields:

```json
{
    "a": "account_id",
    "t": "tunnel_id",
    "s": "secret"
}
```

  • account_id (a): Ties the tunnel to a Cloudflare account and rarely rotates, making it a valuable indicator of compromise.
  • tunnel_id (t): Unique identifier for the tunnel instance.
  • secret (s): Authenticates the tunnel client.

Attackers often reuse account IDs across multiple victims, creating a telltale signature that defenders can track.

Detection Strategies and Defensive Querying

Hunting for Malicious Cloudflared Activity

Security teams are leveraging advanced log analysis and threat hunting techniques to root out rogue Cloudflared tunnels. One powerful approach is decoding tokens found in process command lines and tracking suspicious or anomalous account IDs.

Example ES|QL Query for Threat Detection

To extract, decode, and hunt for malicious tokens, analysts can use queries like:

```sql
FROM logs
| WHERE process.command_line LIKE "*tunnel run*" AND process.command_line LIKE "*--token*"
| DISSECT process.command_line "%{cfPath} --token %{cf.token.array}"
| EVAL FROM_BASE64(cf.token.array)
| RENAME `FROM_BASE64(cf.token.array)` AS cf.token.array
| DISSECT cf.token.array "{\"a\":\"%{cf.token.a}\",\"t\":\"%{cf.token.t}\",\"s\":\"%{cf.token.s}\"}"
| KEEP @timestamp, host.name, account.name, cf.token.a, cf.token.t, cf.token.s
```

This yields crucial fields, including token details and associated host information. By aggregating on cf.token.a, defenders can surface reused account IDs possibly linked to ransomware operators like BlackSuit, Akira, or Medusa.

Detecting Shared Account IDs Across Organizations

Another tactic involves correlating account IDs seen across disparate environments. If a single account_id appears in multiple unrelated organizations, it may indicate adversarial activity:

```sql
FROM logs
| WHERE process.command_line LIKE "*tunnel run*" AND process.command_line LIKE "*--token*"
| DISSECT process.command_line "%{cfPath} --token %{cf.token.array}"
| EVAL FROM_BASE64(cf.token.array)
| RENAME `FROM_BASE64(cf.token.array)` AS cf.token.array
| DISSECT cf.token.array "{\"a\":\"%{cf.token.a}\",\"t\":\"%{cf.token.t}\",\"s\":\"%{cf.token.s}\"}"
| STATS unique_accounts = count_distinct(account.name) BY cf.token.a
| WHERE unique_accounts > 1
| SORT unique_accounts DESC
```
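As an added example (not from the article, Elastic, or Cloudflare), the Python below reproduces both hunts above over a handful of constructed process events: it decodes the Base64 JSON token from each `tunnel run --token` command line, flags account IDs shared across unrelated organisations, and notes executables not named `cloudflared`. All tokens, hosts, and organisation names are constructed placeholders.

```python
import base64
import json
import re
from collections import defaultdict


def _tok(a, t, s):
    """Build a constructed cloudflared-style token: Base64 of {"a","t","s"}."""
    return base64.b64encode(json.dumps({"a": a, "t": t, "s": s}).encode()).decode()


# Constructed sample events (not real telemetry). acct-AAAA is reused across
# two unrelated organisations; acct-BBBB appears in only one.
SAMPLE_EVENTS = [
    {"host.name": "ws01", "account.name": "org-alpha",
     "process.command_line": "C:\\Windows\\svchost.exe tunnel run --token " + _tok("acct-AAAA", "tun-1", "s1")},
    {"host.name": "srv07", "account.name": "org-beta",
     "process.command_line": "/tmp/.cf/cloudflared tunnel run --token " + _tok("acct-AAAA", "tun-2", "s2")},
    {"host.name": "dev03", "account.name": "org-gamma",
     "process.command_line": "/usr/local/bin/cloudflared tunnel run --token " + _tok("acct-BBBB", "tun-3", "s3")},
    {"host.name": "db02", "account.name": "org-beta",
     "process.command_line": "cloudflared tunnel list"},
]

TOKEN_RE = re.compile(r"tunnel\s+run\b.*?--token\s+(\S+)")


def decode_token(command_line):
    """Return {"a","t","s"} parsed from a 'tunnel run --token' command line, else None."""
    m = TOKEN_RE.search(command_line)
    if not m:
        return None
    raw = m.group(1).strip("\"'").replace("-", "+").replace("_", "/")  # accept URL-safe alphabet
    raw += "=" * (-len(raw) % 4)  # restore any stripped padding
    try:
        obj = json.loads(base64.b64decode(raw))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None
    if not isinstance(obj, dict) or not all(k in obj for k in ("a", "t", "s")):
        return None
    return {"a": obj["a"], "t": obj["t"], "s": obj["s"]}


def binary_is_renamed(command_line):
    """True when the executable's basename is not cloudflared (possible masquerading)."""
    name = re.split(r"[\\/]", command_line.split()[0])[-1].lower()
    return not name.startswith("cloudflared")


def find_shared_accounts(events):
    """Equivalent of the second ES|QL query: account IDs seen in more than one organisation."""
    orgs_by_account = defaultdict(set)
    for ev in events:
        tok = decode_token(ev.get("process.command_line", ""))
        if tok:
            orgs_by_account[tok["a"]].add(ev["account.name"])
    return {a: sorted(o) for a, o in orgs_by_account.items() if len(o) > 1}
```

As the article notes, a shared account ID is a lead rather than a verdict; an MSP or a vendor bundling cloudflared produces the same pattern, so corroborate with the binary name and tunnel provenance before acting.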

Balancing Vigilance with Context

While these detection methodologies are robust, analysts caution against false positives. Legitimate managed service providers often deploy Cloudflared across multiple clients, and some software vendors bundle it by design.

True indicators of compromise should be corroborated with additional context—unusual naming, unexplained tunnels, and incident correlation.

Cloudflared, once a symbol of secure engineering, now sits at the crossroads of convenience and compromise.

As attackers get more sophisticated, defenders must leverage deep telemetry, token analysis, and context-driven hunting to stay ahead. The war for the tunnel is on—and vigilance is key.
