Threat actors have been exploiting the open source tool Cloudflared to establish persistent access to compromised systems and steal information covertly, according to cybersecurity firm GuidePoint Security. Cloudflared, the command-line client for Cloudflare Tunnel, proxies traffic between Cloudflare's edge and the user's origin. Attackers can use it to open outbound HTTPS connections that give them direct access to services such as SSH, RDP, and SMB on the compromised host while evading detection. The attacker first needs access to the target system to run Cloudflared; once the tunnel is established, they can change its configuration in real time. Cloudflared's lack of stored logs makes detection harder, though specific queries can be used to identify unauthorized use.
Read more: https://www.securityweek.com/threat-actors-abuse-cloudflare-tunnel-for-persistent-access-data-theft/
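One way to hunt for the unauthorized use the summary mentions is to flag Cloudflared tunnel launches in process-creation telemetry. The following is an added example, not code from the article or from GuidePoint; it assumes events arrive as JSON objects with constructed field names ("image", "cmdline", "parent"), and it matches on tunnel arguments as well as the binary name so a renamed copy is still caught.

```python
"""Flag cloudflared tunnel launches in process-creation telemetry (added example)."""
import json
import os
from typing import Iterable, Iterator, Optional, Tuple

# Arguments cloudflared takes when it starts a tunnel. Checking them as well as
# the image name catches a binary that was copied under a different name.
TUNNEL_FLAGS = ("--token", "--url", "--config", "--hostname")

RENAMED = "tunnel arguments from a binary not named cloudflared (possible renamed copy)"
TUNNEL_START = "cloudflared tunnel start"
NO_TUNNEL_ARGS = "cloudflared executed without tunnel arguments"


def is_cloudflared_image(image: str) -> bool:
    """True when the executable is named cloudflared or cloudflared.exe."""
    base = os.path.basename(image.replace("\\", "/")).lower()
    return base in ("cloudflared", "cloudflared.exe")


def has_tunnel_args(cmdline: str) -> bool:
    """True for 'tunnel run ...' or a quick tunnel such as 'tunnel --url ...'."""
    argv = [a.lower() for a in cmdline.split()]
    if "tunnel" not in argv:
        return False
    return "run" in argv or any(a.startswith(TUNNEL_FLAGS) for a in argv)


def classify(event: dict) -> Optional[str]:
    """Return a finding label, or None when the event is unremarkable."""
    named = is_cloudflared_image(event.get("image", ""))
    tunnel = has_tunnel_args(event.get("cmdline", ""))
    if tunnel and not named:
        return RENAMED
    if tunnel:
        return TUNNEL_START
    return NO_TUNNEL_ARGS if named else None


def scan(lines: Iterable[str]) -> Iterator[Tuple[dict, str]]:
    """Yield (event, label) for each JSON event line that is flagged."""
    for line in lines:
        event = json.loads(line)
        label = classify(event)
        if label:
            yield event, label


# Constructed sample telemetry: a renamed tunnel client, a quick tunnel to SSH,
# and two benign processes. Field names and values are made up for this example.
SAMPLE_EVENTS = [
    '{"image": "C:\\\\Windows\\\\Temp\\\\update.exe", "cmdline": "update.exe tunnel run --token REDACTED", "parent": "powershell.exe"}',
    '{"image": "/usr/local/bin/cloudflared", "cmdline": "cloudflared tunnel --url ssh://localhost:22", "parent": "bash"}',
    '{"image": "/usr/bin/ssh", "cmdline": "ssh -L 8080:localhost:80 host", "parent": "bash"}',
    '{"image": "C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe", "cmdline": "firefox.exe https://example.org", "parent": "explorer.exe"}',
]

if __name__ == "__main__":
    for event, label in scan(SAMPLE_EVENTS):
        print(f"{label}: {event['cmdline']}")
```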