The Week in Security: Cloudflare Tunnels abuse ramps up, U.K. voter data exposed

Welcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team across the full stack of security: application security, cybersecurity, and beyond. This week: More and more hackers abuse Cloudflare Tunnels for nefarious purposes. Also: The data of countless numbers of Britons was exposed in an Electoral Commission cyberattack.

This Week’s Top Story

Hackers increasingly abuse Cloudflare Tunnels to make stealthy connections

Cloudflare Tunnels, a feature of Cloudflare that enables users to create secure, outbound-only connections to the Cloudflare network, has seen an uptick in abuse from malicious attackers. GuidePoint says that many attackers use Cloudflare Tunnels to gain stealthy, persistent access to a victim's network, evade detection, and exfiltrate compromised data. This expands upon Phylum’s detection of malicious PyPI packages that used Cloudflare Tunnels to steal data and to remotely access devices.

For users to deploy a Cloudflare Tunnel, they must first install an available cloudflare client for Linux, Windows, macOS, or Docker. Once that is done, the service is exposed to the Internet under a user-specified hostname to accommodate legitimate use-case scenarios. However, that ease of creation can easily be abused. Threat actors need only make one simple command (which only exposes the unique tunnel token) from the victim’s device to create a discrete communication channel. The attacker has then fully breached the system and can enable functionality of the tunnel only when conducting activities on the victim’s machine to minimize risk of exposure.

It is unlikely that a firewall or other network solutions will flag these actions unless they are specifically configured to do so. Therefore, to detect unauthorized use of Cloudflare Tunnels, organizations should monitor for specific DNS queries, which can be found in GuidePoint’s report. Security teams can also monitor for the installation of a cloudflare client by looking for file hashes associated with them, which can imply unauthorized access has occurred.

See ReversingLabs research team post demonstrating Cloudflare tunnel abuse: W4SP nests again in PyPI: Same supply chain attack, different distribution method

News Roundup

Here are the stories we’re paying attention to this week.

U.K. voters’ data exposed in Electoral Commission cyberattack (Infosecurity Magazine)

A “complex" cyberattack against the U.K.’s Electoral Commission exposed the personal information of British voters. The attackers managed to breach the server in August 2021 and remain undetected until October of 2022. At this time, it is unknown who those attackers are. Meanwhile, the Electoral Commission remains adamant that the attack will not harm election integrity in any of the upcoming 2024 elections.

Colorado education department confirms ransomware intrusion (The Register)

A ransomware extortionist managed to gain access to the IT systems of the Colorado Department of Higher Education (CDHE), stealing data that goes back as far as 20 years. The type of information taken includes names, Social Security numbers, student identification numbers, and dates of birth. The CDHE is currently launching an internal investigation and has yet to make public the number of affected individuals, the details of the attack, and who they believe is responsible.

New malware campaign targets inexperienced cybercriminals with OpenBullet configurations (The Hacker News)

Experienced cybercriminals have found a new type of victim: beginner hackers. The more experienced cybercriminals use the beginners' desire to buy configurations, a piece of executable code, against them. The attackers advertise their configuration on platforms such as Telegram and hope inexperienced hackers will decide to use them. The configuration is actually malicious, however, launching a remote access Trojan (RAT) capable of stealing sensitive information from the newbies’ servers.

Russian rocket bureau faces cyber-espionage breach; North Korea responsible (Dark Reading)

Cyber-espionage teams linked to the North Korean government — ScarCruft and Lazarus — recently installed digital backdoors into the systems at a rocket design bureau located in Russia. Little is known about what data was stolen, if any, and what information may have been viewed by these teams. Despite the lack of information, the attack shows how far some countries are willing to go to acquire advanced technologies.

Downfall: New Intel CPU attack exposing sensitive information (Security Week)

Downfall, a new Intel CPU attack, leverages a vulnerability tracked as CVE-2022-40982. Like most other CPU attack methods, Downfall can be used by a local attacker or a piece of malware to obtain sensitive information. This attack method also works on cloud environments, allowing an attacker to steal data from other users on the same cloud computer.