May 29, 2025
Severity
High
Analysis Summary
Cybersecurity researchers have uncovered a concerning trend in which ransomware affiliates and advanced persistent threat (APT) actors are increasingly abusing Cloudflare’s legitimate tunneling service, Cloudflared, to maintain covert and persistent access to compromised networks. By leveraging Cloudflared, attackers can bypass traditional network security tools, which often struggle to detect the encrypted and seemingly legitimate traffic generated by these tunnels. This technique enables adversaries to establish secure, encrypted communication channels that mimic regular traffic, thus allowing them to operate under the radar of most detection systems. The use of a legitimate service adds a layer of credibility to the traffic, making the activity particularly difficult to distinguish from benign network behavior.
According to the researcher, the abuse of Cloudflared has become a preferred tactic among ransomware operators seeking resilient command-and-control (C2) mechanisms. Groups such as BlackSuit, Royal, Akira, Scattered Spider, and Medusa have all been observed incorporating Cloudflared tunnels into their operations. Typically, attackers first gain initial access through vectors like VPN or Remote Desktop Protocol (RDP) exploitation. After compromising the network, they deploy Cloudflared tunnels, extract authentication tokens, and proceed with lateral movement within the environment. Analysts have coined this operational chain the “Cloudflared Abuse Lifecycle,” which outlines the systematic progression from initial access to persistent, long-term infiltration.
These tunnels offer persistent remote access that survives system reboots, network reconfigurations, and administrative interventions. This makes them ideal for prolonged attacks where adversaries wish to retain access over weeks or even months. Moreover, the tunnels are often installed as system services, ensuring they auto-run upon startup. Attackers employ token manipulation and masquerading techniques to evade detection. The Cloudflared tokens themselves are Base64-encoded JSON structures that include an account ID, tunnel ID, and secret key. Notably, the account ID remains consistent across deployments, providing security analysts with a potential indicator of compromise (IOC) to trace the activity across affected systems.
To further complicate detection, ransomware actors disguise Cloudflared processes by renaming executables to mimic legitimate Windows or software update processes. For instance, Medusa ransomware has been seen renaming cloudflared.exe to svchost.exe, while BlackSuit operators have used deceptive names like WGUpdater.exe, AdobeUpdater.exe, and MozillaUpdater.exe. These masquerading tactics exploit the trust that system administrators and security tools place in known process names, allowing the malicious services to blend into the background. This evolving strategy, including its adoption by lesser-known actors like Hunter International, demonstrates a broader movement toward weaponizing enterprise-grade tools to bypass even sophisticated security defenses.
Impact
- Security Bypass
- Gain Access
Remediation
- Only allow approved applications to run on endpoints. Block unauthorized execution of cloudflared.exe and similar tunneling tools.
- Set up detection rules to flag the presence of cloudflared.exe, especially if renamed (e.g., svchost.exe, WGUpdater.exe, etc.).
- Use network monitoring tools to identify unusual encrypted outbound connections, particularly to Cloudflare’s tunnel domains or ports.
- Analyze systems for Base64-encoded Cloudflared token structures. Investigate repeated use of the same account_id across devices as an indicator of compromise.
- Limit local admin rights to reduce the ability of attackers to install persistent services or execute unauthorized binaries.
- Review startup services for suspicious or misnamed processes that could indicate malicious tunnel deployment.
- Use EDR tools capable of detecting masquerading processes, token manipulation, and unauthorized service creation.
- Subscribe to updated IOCs (indicators of compromise) related to Cloudflared abuse from vendors and threat intelligence providers.
- Isolate critical assets and sensitive networks to limit lateral movement if a tunnel is successfully deployed.
- Harden network configurations by disabling RDP, unused VPNs, or any remote access services that could be exploited initially.
- Keep operating systems, VPNs, and remote access tools fully updated to prevent known vulnerabilities from being exploited for initial access.
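The token structure described in the analysis (Base64-encoded JSON carrying an account ID, tunnel ID and secret) and the remediation step that asks for correlating repeated account IDs across devices can be turned into a small triage script. The example below is added here and is not part of the advisory or of Cloudflare's tooling; it assumes EDR-style process records of the form (hostname, image path, command line), and it assumes the short JSON key names a/t/s for the token, so verify those against a known-good token from your own environment before relying on the decoder.

```python
import base64
import binascii
import json
import re
from collections import defaultdict

TOKEN_RE = re.compile(r"--token\s+([A-Za-z0-9+/=]{40,})")  # Base64 blob after --token
# Assumption: token JSON keys a (account), t (tunnel), s (secret); long forms accepted too.
ACCOUNT_KEYS, TUNNEL_KEYS, SECRET_KEYS = ("a", "account_id"), ("t", "tunnel_id"), ("s", "secret")

def decode_token(blob):
    """Return (account_id, tunnel_id) if blob is a token-shaped Base64 JSON object, else None."""
    try:
        data = json.loads(base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True))
    except (binascii.Error, ValueError):
        return None
    if not isinstance(data, dict):
        return None
    acct = next((data[k] for k in ACCOUNT_KEYS if k in data), None)
    tun = next((data[k] for k in TUNNEL_KEYS if k in data), None)
    if acct is None or tun is None or not any(k in data for k in SECRET_KEYS):
        return None
    return str(acct), str(tun)

def analyze(telemetry):
    """telemetry: (hostname, image_path, command_line) records, e.g. from EDR process events."""
    hosts_by_account = defaultdict(set)
    findings = []
    for host, image, cmdline in telemetry:
        m = TOKEN_RE.search(cmdline)
        decoded = decode_token(m.group(1)) if m else None
        if decoded is None:
            continue  # not a tunnel run/install carrying an embedded token
        acct, tun = decoded
        hosts_by_account[acct].add(host)
        exe = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        findings.append({"host": host, "image": exe, "account": acct, "tunnel": tun,
                         "masquerading": exe != "cloudflared.exe"})  # renamed binary
    # The advisory's IOC: the same account ID appearing on several hosts
    shared = {a: sorted(h) for a, h in hosts_by_account.items() if len(h) > 1}
    return findings, shared

def _token(acct, tun, secret):  # constructed sample token, not a real credential
    return base64.b64encode(json.dumps({"a": acct, "t": tun, "s": secret}).encode()).decode()

SAMPLE_TELEMETRY = [  # constructed EDR-style records
    ("WS01", r"C:\Windows\svchost.exe", "svchost.exe tunnel run --token " + _token("acct-AAAA", "tun-1111", "c2VjcmV0MQ==")),
    ("SRV02", r"C:\ProgramData\WGUpdater.exe", "WGUpdater.exe tunnel run --token " + _token("acct-AAAA", "tun-2222", "c2VjcmV0Mg==")),
    ("WS03", r"C:\Tools\cloudflared.exe", "cloudflared.exe tunnel run --token " + _token("acct-BBBB", "tun-3333", "c2VjcmV0Mw==")),
    ("WS04", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p"),  # genuine svchost, no token
]
```

Running `analyze(SAMPLE_TELEMETRY)` flags the two renamed binaries and reports that account `acct-AAAA` was used on both WS01 and SRV02, while the genuine svchost.exe record produces no finding.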