Another threat group has started abusing the Cloudflare Tunnel service to get phishing emails into targeted organizations without activating conventional defenses.
The campaign has been dubbed Serpentine#Cloud by the security vendor Securonix, but the identity of the threat group behind it is still unknown, as is the exact target list or the sectors the targets operate in.
All Securonix can say at this point is that the attackers demonstrated a fluency in English and the targets were located primarily in the US, UK, Germany, and other countries across Europe and Asia.
However, the eye-catching part of Securonix’s analysis is the relative sophistication of the malware payload and the interesting techniques used to deliver it, specifically the use of Cloudflare’s trycloudflare[.]com subdomains to host attack infrastructure.
Cloudflare Tunnel (formerly Argo Tunnel or Warp Tunnel) has various uses including giving developers a quick way to temporarily connect internal test servers to the Internet without having to expose a local IP address or open a firewall port.
Visitors access a resource using a URL without the need for authentication, which shouldn’t be risky as long as the URL is kept private and is only used for a brief time.
Unfortunately, attackers have spotted the potential to use the service to host their own attack infrastructure. Several have been spotted using the technique since 2023, including Russian threat group BlueAlpha last December.
Serpentine#Cloud
The attackers hide their phishing payload behind what looks like a PDF file, but is actually a disguised .lnk Windows shortcut file.
Clicking on this causes the local cmd.exe to launch a multi-stage malware payload through multiple layers of obfuscation before fileless Python shellcode is loaded into memory.
“The end result is a RAT [Remote Access Trojan] Payload which gives the attackers full command and control over the host,” wrote Securonix threat researcher, Tim Peck, in the company’s teardown.
Using fileless malware means no files are written to disk, which makes it incredibly hard to detect using EDR. Process injection is used to hide the malware inside Notepad.exe, bypassing in-memory scanning.
Why is Cloudflare Tunnel being abused?
The appeal of hosting attack infrastructure on Cloudflare Tunnel is that it is incredibly hard to detect or defend against.
First, the tunnel is encrypted using HTTPS, which means the only way to see what’s inside it is by using some form of TLS inspection. However, this would need to be configured in advance, which is completely impractical for an ephemeral connection.
That’s the whole point of tunnelling — you punch through everything, including firewalls and other network-level security layers.
Second, as a large global Content Delivery Network (CDN), Cloudflare is a trusted domain. That means anything abusing it won’t be blocked using a traditional ‘bad IP’ static block list. Blocking Cloudflare or trycloudflare[.]com is impractical as it would also stop legitimate use.
There are limits to blocking attacks
In truth, there is no simple way to stop this kind of piggybacking technique.
In theory, one could block the Tunnel subdomain being abused, which sounds appealing but has a major gotcha: these domains are designed to be ephemeral, and attackers can simply configure and cycle through large numbers of them.
The last option is to get Cloudflare itself to block the abuse. That might be successful as long as the company conducts deeper forensic examinations of the connections used to set up malicious domains. By the time this is done, though, the suspect domains will likely have vanished.
In summary: “The abuse of Cloudflare Tunnel infrastructure further complicates network visibility by giving the actor a disposable and encrypted transport layer for staging malicious files without maintaining traditional infrastructure,” concluded Securonix’s Peck.
What to do
Securonix’s recommendations start with the most basic advice to block attachments and treat any external link as suspicious. That’s easier said than done, of course, although the rise of collaboration systems such as Teams gives employees an alternative way of sharing files that doesn’t involve sending and receiving emails.
Beyond that, it’s a case of turning on more detailed endpoint logging, monitoring software tools when they’re executed from unusual locations and enabling Windows file extension visibility, said Securonix.
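As an added illustration of that logging and monitoring advice (example code written here, not detection content from Securonix or Cloudflare), the following Python scores Sysmon-style process-creation events for the behaviours the article describes: a trycloudflare.com URL in a command line, cmd.exe spawned from Explorer, Python running from an unexpected path, and notepad.exe spawned by a shell or interpreter. The rule names, the expected Python install directories and the sample events are assumptions constructed for the example.

```python
"""Triage rules over Sysmon Event ID 1-style process-creation events.
Added example; field names follow Sysmon, sample events are constructed."""
import re

# Any *.trycloudflare.com host in a command line is worth a look: the service
# is meant for short-lived developer tunnels, not end-user workflows.
TRYCLOUDFLARE = re.compile(r"\b[a-z0-9-]+\.trycloudflare\.com\b", re.I)
# Heuristic for a shortcut dressed up as a document: with extensions hidden,
# "report.pdf.lnk" displays as "report.pdf".
DISGUISED_LNK = re.compile(r"\.(pdf|docx?|xlsx?)\.lnk$", re.I)
# Assumption: Python is expected only under these prefixes on the estate.
EXPECTED_PYTHON_DIRS = (r"c:\program files\python", r"c:\python")


def is_disguised_shortcut(filename: str) -> bool:
    """True when an attachment name looks like a document but is a .lnk."""
    return DISGUISED_LNK.search(filename) is not None


def triage(event: dict) -> list[str]:
    """Return the names of the rules an event trips (empty list = nothing seen)."""
    image = event.get("Image", "").casefold()
    parent = event.get("ParentImage", "").casefold()
    cmd = event.get("CommandLine", "")
    hits = []
    if TRYCLOUDFLARE.search(cmd):
        hits.append("trycloudflare_in_commandline")
    # A double-clicked shortcut becomes explorer.exe -> cmd.exe /c ...
    if image.endswith(r"\cmd.exe") and parent.endswith(r"\explorer.exe") and " /c " in cmd.casefold():
        hits.append("explorer_spawned_cmd")
    if image.endswith(r"\python.exe") and not image.startswith(EXPECTED_PYTHON_DIRS):
        hits.append("python_from_unexpected_path")
    # Notepad has no reason to be a child of a shell or interpreter; the RAT is injected into it.
    if image.endswith(r"\notepad.exe") and parent.endswith((r"\cmd.exe", r"\python.exe", r"\powershell.exe")):
        hits.append("notepad_child_of_scripting_host")
    return hits


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c start https://example-words.trycloudflare.com/p.txt"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\py\python.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "python.exe -c ..."},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\py\python.exe", "CommandLine": "notepad.exe"},
    {"Image": r"C:\Program Files\Python312\python.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "python.exe script.py"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Image"], "->", triage(ev) or "clean")
```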