Cybersecurity experts have uncovered an alarming trend among ransomware groups and advanced threat actors exploiting Cloudflare’s tunneling tool, Cloudflared, to quietly infiltrate and persist within compromised networks.

By leveraging this legitimate service, attackers create encrypted tunnels that appear as normal network traffic, effectively bypassing conventional security measures. The encrypted Cloudflared tunnels allow for continuous remote access that blends into authorized traffic, making detection extremely difficult.

Groups like BlackSuit, Royal, Akira, Scattered Spider, and Medusa have widely adopted this method. After gaining initial access—often through VPN or RDP vulnerabilities—they install Cloudflared to deploy tunnels, extract tokens, and move laterally across networks.

Researchers from Sudo rem have mapped this into a full “Cloudflared Abuse Lifecycle,” noting how attackers maintain long-term access by embedding tunnels as startup services. These tunnels often survive reboots and network resets, ensuring persistent control.

The attackers also manipulate Cloudflared tunnel tokens, which are Base64-encoded JSON files containing identifiers that, if tracked, can indicate compromise. However, adversaries have responded with clever obfuscation tactics. For instance, Medusa renames the tunnel executable to mimic system files like svchost.exe, while BlackSuit disguises it as software updaters such as AdobeUpdater.exe or LogMeInUpdater.exe—a tactic that tricks many security systems.

Security teams now face the challenge of distinguishing legitimate administrative use of Cloudflared from malicious abuse. Though intelligence on some actors like Hunters International remains scarce, the broad adoption of this technique signals a growing trend in the weaponization of enterprise tools.

Cyber defenders are urged to tighten monitoring around tunneling activities, scrutinize unusual service names, and investigate persistent account identifiers to stay ahead of these stealthy intrusions.
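The token and renaming details above, together with the three monitoring recommendations, can be turned into a small triage routine. The following is an added example, not code from the article or from the Sudo rem research: it scans constructed process/service records for a Cloudflared tunnel launch (`tunnel run --token ...`), decodes the Base64 JSON token to recover the account tag and tunnel ID, and flags connectors that run under a disguised image name, reference an account tag the organization does not own, or are configured to start at boot. The token key names `a`, `t` and `s` (account tag, tunnel ID, secret) are an assumption about the token layout, and the allow-list of known account tags and all sample records are constructed.

```python
import base64
import json
import re
from dataclasses import dataclass, field

# Assumed token layout (not confirmed by the article): base64(JSON) with
# "a" = account tag, "t" = tunnel ID, "s" = tunnel secret.
def make_token(account_tag: str, tunnel_id: str, secret_b64: str) -> str:
    raw = json.dumps({"a": account_tag, "t": tunnel_id, "s": secret_b64}).encode()
    return base64.b64encode(raw).decode()

# Constructed records, shaped like an EDR/SIEM export of autostart services.
SAMPLE_RECORDS = [
    {"host": "ws01", "image": r"C:\Program Files (x86)\cloudflared\cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel run --token "
                + make_token("acct-admin-0001", "tun-1111", "QUJDRA=="),
     "autostart": True},
    {"host": "ws07", "image": r"C:\Windows\Temp\svchost.exe",
     "cmdline": "svchost.exe tunnel --no-autoupdate run --token "
                + make_token("acct-unknown-9999", "tun-2222", "RUZHSA=="),
     "autostart": True},
    {"host": "srv03", "image": r"C:\ProgramData\AdobeUpdater.exe",
     "cmdline": "AdobeUpdater.exe tunnel run --token "
                + make_token("acct-unknown-9999", "tun-3333", "SUpLTA=="),
     "autostart": True},
    {"host": "ws12", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p", "autostart": True},
]

# Constructed allow-list: Cloudflare account tags the organization actually owns.
KNOWN_ACCOUNTS = {"acct-admin-0001"}

# Names the article reports being used to disguise the tunnel binary.
SUSPICIOUS_NAMES = {"svchost.exe", "adobeupdater.exe", "logmeinupdater.exe"}

TUNNEL_CMD_RE = re.compile(r"\btunnel\b.*\brun\b")
TOKEN_RE = re.compile(r"--token[ =]([A-Za-z0-9+/=]+)")


@dataclass
class Finding:
    host: str
    image: str
    account_tag: str
    tunnel_id: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Autostart alone is normal for an admin-installed connector;
        # anything else on the list warrants a closer look.
        return any(r != "startup persistence" for r in self.reasons)


def decode_token(token: str) -> tuple:
    """Return (account_tag, tunnel_id) from a Base64-encoded tunnel token."""
    padded = token + "=" * (-len(token) % 4)
    data = json.loads(base64.b64decode(padded, validate=True))
    return data["a"], data["t"]


def analyze(records: list, known_accounts: set) -> list:
    """Find tunnel launches and annotate each with the reasons it stands out."""
    findings = []
    for rec in records:
        cmd = rec["cmdline"]
        if not TUNNEL_CMD_RE.search(cmd):
            continue  # not a tunnel launch at all
        m = TOKEN_RE.search(cmd)
        if not m:
            continue  # tunnel run without an inline token (e.g. config file)
        try:
            acct, tid = decode_token(m.group(1))
        except (ValueError, KeyError, TypeError):
            continue  # not a token in the assumed layout
        exe = rec["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        reasons = []
        if exe != "cloudflared.exe":
            reasons.append(f"renamed cloudflared image: {exe}")
        if exe in SUSPICIOUS_NAMES:
            reasons.append("name mimics a system or updater binary")
        if acct not in known_accounts:
            reasons.append(f"unknown account tag {acct}")
        if rec.get("autostart"):
            reasons.append("startup persistence")
        findings.append(Finding(rec["host"], rec["image"], acct, tid, reasons))
    return findings


def hosts_by_account(findings: list) -> dict:
    """Pivot on the account tag: one foreign tag across many hosts is a strong signal."""
    out = {}
    for f in findings:
        out.setdefault(f.account_tag, set()).add(f.host)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS, KNOWN_ACCOUNTS):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{f.host:6} {flag:10} tunnel={f.tunnel_id} account={f.account_tag} {f.reasons}")
    print(hosts_by_account(analyze(SAMPLE_RECORDS, KNOWN_ACCOUNTS)))
```

The account-tag pivot is the part worth keeping: the image name and service name can be changed per host, but every connector belonging to the same attacker-controlled Cloudflare account carries the same tag, so one tag outside the allow-list appearing on several hosts is a better hunting lead than any single renamed binary.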


News Source: CybersecurityNews.com