{"id":3617,"date":"2025-06-19T16:40:45","date_gmt":"2025-06-19T16:40:45","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3617"},"modified":"2025-06-19T16:40:45","modified_gmt":"2025-06-19T16:40:45","slug":"phishing-campaign-abuses-cloudflare-tunnels-to-sneak-malware-past-firewalls","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3617","title":{"rendered":"Phishing campaign abuses Cloudflare Tunnels to sneak malware past firewalls"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Another threat group has started abusing the Cloudflare Tunnel service to get phishing emails into targeted organizations without activating conventional defenses.<\/p>\n<p>Dubbed Serpentine#Cloud by the security vendor Securonix, the identity of the threat group behind the campaign is still unknown, as is the exact target list or the sectors they operate in.<\/p>\n<p>All Securonix can say at this point is that the attackers demonstrated a fluency in English and the targets were located primarily in the US, UK, Germany, and other countries across Europe and Asia.<\/p>\n<p>However, the eye-catching part of <a href=\"https:\/\/www.securonix.com\/blog\/analyzing_serpentinecloud-threat-actors-abuse-cloudflare-tunnels-threat-research\/\" target=\"_blank\" rel=\"noopener\">Securonix\u2019 analysis<\/a> is the relative sophistication of the malware payload and the interesting techniques used to deliver it, specifically the use of Cloudflare\u2019s trycloudflare[.]com subdomains, to host attack infrastructure.<\/p>\n<p>Cloudflare Tunnel (formerly Argo Tunnel or Warp Tunnel) has various uses including giving developers a quick way to temporarily connect internal test servers to the Internet without having to expose a local IP address or open a firewall 
port.<\/p>\n<p>Visitors access a resource using a URL without the need for authentication, which shouldn\u2019t be risky as long as it\u2019s kept private and is only used for a brief time.<\/p>\n<p>Unfortunately, attackers have spotted the potential to use the service to host their own attack infrastructure. Several have been spotted using the technique since 2023, including <a href=\"https:\/\/www.csoonline.com\/article\/3618758\/russian-hackers-abuse-cloudflare-tunneling-service-to-drop-gammadrop-malware.html\">Russian threat group BlueAlpha<\/a> last December.<\/p>\n<h2 class=\"wp-block-heading\">Serpentine#Cloud<\/h2>\n<p>The attackers hide their phishing payload behind what looks like a PDF file, but is actually a disguised .lnk Windows shortcut file.<\/p>\n<p>Clicking on this causes the local cmd.exe to launch a multi-stage malware payload through multiple layers of obfuscation before fileless Python shellcode is loaded into memory.<\/p>\n<p>\u201cThe end result is a RAT [Remote Access Trojan] Payload which gives the attackers full command and control over the host,\u201d wrote Securonix threat researcher Tim Peck in the company\u2019s teardown.<\/p>\n<p>Using fileless malware means no files are written to disk, which makes it incredibly hard to detect using EDR. Process injection is used to hide the malware inside Notepad.exe, bypassing in-memory scanning.<\/p>\n<h2 class=\"wp-block-heading\">Why is Cloudflare Tunnel being abused?<\/h2>\n<p>The appeal of hosting attack infrastructure on Cloudflare Tunnel is that it is incredibly hard to detect or defend against.<\/p>\n<p>First, the tunnel is encrypted using HTTPS which means the only way to see what\u2019s inside it is by using some form of TLS inspection. 
However, this would need to be configured in advance, which is completely impractical for an ephemeral connection.<\/p>\n<p>That\u2019s the whole point of tunnelling \u2014 you punch through everything, including firewalls and other network-level security layers.<\/p>\n<p>Second, as a large global Content Delivery Network (CDN), Cloudflare is a trusted domain. That means anything abusing it won\u2019t be blocked using a traditional \u2018bad IP\u2019 static block list. Blocking Cloudflare or trycloudflare[.]com is impractical as it would also stop legitimate use.<\/p>\n<h2 class=\"wp-block-heading\">There are limits to blocking attacks<\/h2>\n<p>In truth, there is no simple way to stop this kind of piggybacking technique.<\/p>\n<p>In theory, one could block the Tunnel subdomain being abused, which sounds appealing but has a major gotcha: these domains are designed to be ephemeral, and attackers can simply configure and cycle through large numbers of them.<\/p>\n<p>The last option is to get Cloudflare itself to block the abuse. That might be successful as long as the company conducts deeper forensic examinations of the connections used to set up malicious domains. By the time this is done, though, the suspect domains will likely have vanished.<\/p>\n<p>In summary: \u201cThe abuse of Cloudflare Tunnel infrastructure further complicates network visibility by giving the actor a disposable and encrypted transport layer for staging malicious files without maintaining traditional infrastructure,\u201d concluded Securonix\u2019s Peck.<\/p>\n<h2 class=\"wp-block-heading\">What to do<\/h2>\n<p>Securonix\u2019s recommendations start with the most basic advice to block attachments and treat any external link as suspicious. 
That\u2019s easier said than done, of course, although the rise of collaboration systems such as Teams gives employees an alternative way of sharing files that doesn\u2019t involve sending and receiving emails.<\/p>\n<p>Beyond that, it\u2019s a case of turning on more detailed endpoint logging, monitoring software tools when they\u2019re executed from unusual locations and enabling Windows file extension visibility, said Securonix.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Another threat group has started abusing the Cloudflare Tunnel service to get phishing emails into targeted organizations without activating conventional defenses. Dubbed Serpentine#Cloud by the security vendor Securonix, the identity of the threat group behind the campaign is still unknown, as is the exact target list or the sectors they operate in. All Securonix can [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3618,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3617","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3617"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3617"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3617\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3618"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com
\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3617"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3617"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3617"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}