
Threat actor abuses Cloudflare tunnels to deliver remote access trojans

PhilipRoman
74 replies
1d21h

Getting a bit tired of these headlines about malware "delivery" via link shorteners or similar. Yeah, guess what - people can host files on the internet in various ways, what a shocker.

tw04
59 replies
1d21h

This isn't a link shortener - this is a tunnel so that a user sees they're connecting to Cloudflare, even though on the back-end they are landing somewhere nefarious. The end-destination is completely hidden from the end-user (and any security stack their corporation may have in place).

I don't think it's unreasonable for people to expect cloudflare to be policing their own service for malware when they're trying to pitch themselves as a security product.

marcosdumay
33 replies
1d21h

That's mildly valid. We can have some expectations for Cloudflare, but not that they outright police everybody that uses their service.

At the same time, this is exactly some variation of the "random people have put malware on random internet locations" scare the GP was talking about. If "malware somewhere on the internet" is a problem, we have to fix what turns it into a problem, because we just won't fix this one.

AnonymousPlanet
16 replies
1d19h

If certain subdomains keep getting subverted, a valid response is to block all those subdomains, in this case *.trycloudflare.com. It's like IP ranges of countries that don't bother with policing malicious activity.

The consequences for Cloudflare and its legitimate users might be anything but mild.

josephcsible
14 replies
1d17h

Bad actors also register domains directly under .com, but nobody competent would even think of blocking *.com.

AnonymousPlanet
5 replies
1d17h

What is easy and has limited impact on your own operations will be done. Blocking *.trycloudflare.com is easy on entire fleets of servers and firewalls and has limited impact for, e.g., a company network.

tonetegeatinst
2 replies
1d14h

Imagine trying to use the internet like an end user or a webdev if you couldn't use cloudflare.

Say blocking any cloudflare domain or IP.

Maybe cuz you're into privacy or you're paranoid... who cares why.

sgbeal
1 replies
1d8h

Imagine trying to use the internet like an end user or a webdev if you couldn't use cloudflare.

Anecdote: i've been an internet end user for 30-ish years, an active FOSS developer for most of that time (with no small amount of web dev), and have never once intentionally used Cloudflare (only indirectly, by visiting sites which use it). Not because i'm especially "into privacy or paranoid," but because it's never once been necessary.

doix
0 replies
1d8h

have never once intentionally used Cloudflare (only indirectly, by visiting sites which use it).

And there is the problem. Too many sites are behind Cloudflare, so if you want to block Cloudflare for your organization, your employees will start complaining that the "internet doesn't work".

I have a small dedicated server with OVH that I use as a wireguard based VPN sometimes. The amount of sites that become unusable because of Cloudflare blocking me is insane. The inverse would be true if I blocked Cloudflare.

sulandor
1 replies
1d11h

sad truth

blocklists are effective and now we need things like DoH, 3rd-party dns providers and sketchy vpn's in order to internet

mission fucking accomplished

phone8675309
0 replies
1d3h

People didn't seriously think that privatizing the ownership of the Internet would result in the end-to-end principle being retained, did they?

breakingcups
3 replies
1d10h

People have, however, blocked .tk, .xyz, and other registrars that feature overwhelmingly in malware / scam domain lists.

lynx23
2 replies
1d9h

Not just TLDs. I've seen whole Class A networks blocked after a DDoS, based on the affiliation to a particular (not small) country. Like with covid, you just need a small reason and suddenly, all the freedom in the west goes to hell.

immibis
1 replies
1d6h

Let's not conflate eradicating a deadly virus with eradicating internet access please.

psd1
0 replies
1d4h

And let's also not conflate policing the good old internet with policing today's internet. There is still freedom that could be lost, but it's hard to see for all the trackers and malware.

autoexec
1 replies
1d17h

Most registrars are receptive to abuse complaints and will take down domains quickly if they're being created to host content that violates ToS/AUP.

TLDs that are most commonly abused actually do get blocked on a regular basis.

.ru, .io, .xyz, .cf, .tk, .ly, .top and .link are common examples

Many corporate networks block URL shortener services for the same reason

Deathmax
0 replies
1d11h

The operative word being most registrars. If you look at the list of registrars commonly used by bad actors, you can find a list of registrars that are either non-responsive to abuse complaints, or only take action after n days.

tw04
0 replies
18h28m

All of .com? Nope.

But you can bet your ass we block newly registered domains and have an active list of domain reputations - your brand new .com or your axuuasck32213mczo.com malware domain isn't getting through any decent security tool.

If Cloudflare lets this continue, it's only a matter of time before trycloudflare.com's reputation puts them on block lists everywhere.

dredmorbius
0 replies
1d3h

Krebs on Security shared data on absolute and relative phishing abuse by top-level domain in a recent post.

Yes, .com has the highest absolute number of phishing domains, but it also has the overwhelmingly highest number of registered domains period. The relative prevalence is only 24.2, as compared with 2nd-ranked (by absolute score) .top, with a phishing domain score of 422.7. That's still not the highest listed, which is .lol at 577.5.

<https://krebsonsecurity.com/2024/07/phish-friendly-domain-re...>

If you're looking at relative benefit vs. harm from blocking, blocking TLDs with a higher relative (abusive vs. legitimate) domains score gives an additional security benefit.

Reputation-based scoring by TLD, domain, ASN, or basis is likely to become more prevalent over time. We've already been doing that for email for over a quarter century, with the Spamhaus Project being founded in 1998 (it reports abusive email domains).

skybrian
0 replies
1d12h

Wouldn't anyone serious about their website being reachable everywhere get their own domain name?

It wouldn't be an issue for trying it out if you don't block it yourself.

tempest_
12 replies
1d20h

Why should they not be responsible for the things they allow on their service?

(note that I don't necessarily agree but that statement is loaded)

valand
11 replies
1d19h

Whether or not they must filter customers is a matter of law.

However, putting the responsibility to mitigate this problem in its entirety on them is very inefficient and ineffective. If Cloudflare had a team dedicated to this effort, bad actors would simply switch providers, beating a $200k/year effort with a couple of clicks.

Notice that the malware ultimately takes effect when the user executes the file.

This sounds more like an interaction design problem that should be solved at the OS level; the OS interface is one of the logistical bottlenecks for the malware delivery path.

tempest_
4 replies
1d19h

It isn't really "putting the responsibility to mitigate this problem in its entirety" on them so much as it is "putting the responsibility to mitigate this problem *on their service*".

Large software companies seem to enjoy passing the buck in recent years if it might impact their profitability, which is fine, but to say they could not do anything about it is incorrect. It may not be feasible to do so and still operate the service, but that doesn't mean it isn't possible.

valand
3 replies
1d13h

Ok. I might have misworded my answer, but assuming that cloudflare has to do more about this, what would it be?

fch42
1 replies
1d11h

They should act (on malware et al.) when people report it, https://www.cloudflare.com/en-gb/trust-hub/reporting-abuse/

That said, they're also using the "utility argument" - just as your phone provider won't screen you at every call you make, your electricity provider won't lock your supply until you authenticate use for non-nefarious purposes, your ISP won't content-filter, Cloudflare also says they won't police per-use other than when under explicit legal mandate (court injunctions). That's fair enough, at least to me.

psd1
0 replies
1d3h

Sure, but in this instance, they're offering an anonymous service. Just require a sign-up and a captcha, like you do for all of your other products, FFS. Are they on drugs? Do they want more botnets, to drive DoS mitigation sales?

rocqua
0 replies
1d13h

(not who you are responding to).

Either discontinue the service, or serve each pipe from a subdomain that encodes the original source. Something that lets security tooling block known bad sites, without having them block a lot of legitimate sites.

autoexec
4 replies
1d18h

Everyone running a service on the internet has a responsibility to prevent abuse of that service. They should all have and monitor an abuse@ address where they accept notifications about problems they're causing others and they should act on those notices within a reasonable amount of time. When someone fails in that responsibility they should/will get blocked.

I hadn't heard of trycloudflare.com before, but it's blocked on my network for now. If I need to, I can re-evaluate that later.

Anyone running a service online can get caught off guard and be taken advantage of by scammers and assholes. It's an opportunity to shore up your security and monitoring. The bad actors will eventually move on to abuse easier targets and that's fine. When they do that doesn't invalidate the work someone put into making sure their service wasn't being repeatedly/routinely used to harm others.

EnigmaFlare
3 replies
1d11h

That responsibility only goes as far as other people are willing to block them for not doing it. There's no law of the internet that says you have to, but if your customers can't access your service because their ISP or whatever blocked you, that's when it's your responsibility to yourself to clean it up. If you're too big to block, then it's OK to ignore abuse.

autoexec
2 replies
1d10h

The internet is a community. Some people in a community feel that they have no responsibility to anyone but themselves, which is why we need laws and regulations.

We want service providers on the internet to police themselves and make sure that they're not turning a blind eye to crimes taking place right on their own servers because the alternative is that laws and regulation come into play. There's an argument that internet companies that are too big to block could still be negligent, an accessory to crimes, liable for the very real and significant damages the poor management of their service enabled just so that they could save a little money, etc.

Just like with banks, there are people who would say that if a company is too big to fail/be blocked then they are too big to exist and should be broken up.

Personally, I'd rather that a service provider just do a better job keeping their corner of the internet clean, keeping the people who use their services safer, and preventing their services/equipment/IP space from being used to carry out criminal acts. In the end it'd improve their service, improve their image, make the internet a safer place, and as a bonus it would force criminals to waste their time looking for a new company who'll be too cheap/lazy to kick them off their services. Hopefully they'll eventually end up only being able to find ones that the rest of us feel we can block.

psd1
1 replies
1d3h

The internet _was_ a community. Now it's a wall of commercial property, riddled with victimising criminals and advertisements that watch you. There are still some communities in there, but the bulk of it is a set of actors with no social interests in common with the users.

The abuse mechanism you describe exists in theory, but... commercial.

There is community between the NOCs of tier 1 ISPs, but they mainly care about routing.

In your picture, I'm imagining, say, CenturyLink stomping on a retail ISP, and I question whether this pans out like swatting. Can I get someone taken down by abusing abuse reports?

autoexec
0 replies
1d1h

I question whether this pans out like swatting. Can I get someone taken down by abusing abuse reports?

Not generally, no. Typically, abuse departments at ISPs don't blindly cut off people's internet access just because someone complains. They require evidence (server logs, message headers, etc) and there will be an investigation as well as multiple communications between an ISP and a user being accused of violating the ISP's terms of service. The same is true when the issue is between ISPs and their upstream providers. Keep in mind too that for both ISPs and upstream providers, everyone is naturally and strongly incentivized to not cancel the accounts of the customers who pay them.

There is one situation where false reports can get someone taken down. DMCA notices have this potential. ISPs can face billions in fines if they refuse to permanently disconnect their customers from the internet based on nothing more than unproven/unsubstantiated allegations made by third party vendors with a long history of sending wildly inaccurate DMCA notices. So far, media companies have been winning in courts and ISPs have been losing or (more often) settling outside of court. Everyone is still waiting to see how the case against Cox ends (https://torrentfreak.com/cox-requests-rehearing-of-piracy-ca...)

rocqua
0 replies
1d13h

There is a solution for this at the OS level. It's domain names, validated through DNS. Those let the user decide if they trust the other side of a connection.

Here cloudflare is showing they shouldn't be trusted, but because they are so big, we can't act on that. Blocking them would be bad, mocking them is the second best option.

compootr
1 replies
1d20h

but not that they outright police everybody that uses their service.

Same. I think they're getting too big to care, or even to attempt to do so.

ThatMedicIsASpy
0 replies
1d20h

There must be millions of piracy websites using them. Care was never there.

lynx23
0 replies
1d9h

Like Google, who apparently can't be assed to do the most basic automatic checks.

https://youtu.be/dwar6uZUWAo

But you're right, these big money-making companies are such snowflakes that you have to have some compassion with them, right.

paxys
12 replies
1d20h

How is that different from…any website, storage service or hosting provider on the internet?

johnklos
11 replies
1d18h

You can't report it to Cloudflare in any meaningfully straightforward way and expect them to take it down. Even if you go through Cloudflare's incredibly laborious and intentionally problem riddled abuse complaint process, and even if they take down one instance, bad actors can make thousands or tens of thousands (or more), so reporting this does effectively nothing.

Cloudflare is enshittifying the Internet once again.

(I don't care if this gets downvoted by CF fans - not a single one will engage meaningfully about any point asserted here)

paxys
10 replies
1d18h

Like I said, how is it different from Google Drive or Dropbox or OneDrive or S3 or WeTransfer or MegaUpload or Bit.ly or a million similar services anyone can set up in a matter of minutes? If someone shares a random URL and you click on it and download and run an executable on your computer, the server that hosted the file isn't the one to blame.

johnklos
8 replies
1d17h

You can report a link that points to content on Google Drive or Dropbox or OneDrive or S3 or WeTransfer or MegaUpload or Bit.ly. Do you think that links pointing to any of those services are in any way anonymous?

It's not complicated.

paxys
7 replies
1d17h

Report it to who exactly? The internet police?

johnklos
6 replies
1d15h

You report Google Drive links to Google, Dropbox links to Dropbox, OneDrive links to Microsoft, S3 links to Amazon, WeTransfer links to WeTransfer, MegaUpload links to MegaUpload, and Bit.ly links to Bit.ly.

paxys
2 replies
1d7h

I don’t think you know how the internet works if you think you can police every single URL. Ok now I’ve hosted malware on 121.23.65.89. What are you going to do?

lmz
1 replies
1d6h

Run a whois, report to IP block abuse contact?

paxys
0 replies
1d6h

Cool go do this for every suspicious IP you find. Let me know the success rate.

fch42
2 replies
1d10h

and Cloudflare links to Cloudflare, https://www.cloudflare.com/en-gb/trust-hub/reporting-abuse/

Apocryphally saying "they all suck at this but Cloudflare sucks most" is just moaning. Any free/near-free hosting or caching service can be used to distribute malware. Mail services have been used to push malware for decades, and while many of them filter content, that's a cat&mouse game a determined malactor will occasionally win.

Are they really "so much worse" than anyone else?

(ex-CF so pillory me for ex-cusing my ex-employer; as said, to me, "all cooks use water")

johnklos
1 replies
1d9h

Have you tried to report abuse to Cloudflare?

First, their abuse reporting page has issues. The amount of data allowed to be pasted is very limited and won't allow the full content of most spam. If you paste the full amount, you can't submit, and you won't know why - you have to go and remove some content. It's rate limited so that even a human reporting multiple items has to sit and wait. You're forced to provide a URL that points to Cloudflare servers, meaning there's no way to report abusive domains for which they're the registrar and/or for whom they host DNS. They have a CAPTCHA on the abuse reporting form. I could go on, but it's tedious.

This company spent YEARS saying that they don't "host" anything, and they still play games in that their abuse reporting doesn't reflect any of the offerings that've been added in the last several years. They don't even have a category for spam!

So yes, they are "so much worse" than anyone else. They actively skirt responsibility.

KomoD
0 replies
22h14m

meaning there's no way to report abusive domains for which they're the registrar and/or for whom they host DNS

Yes there is: registrar-abuse@cloudflare.com

This company spent YEARS saying that they don't "host" anything

Yes, for their "proxying" service, they take no action when it comes to that, all they will do is forward the report to the hosting provider.

They don't even have a category for spam

Use the general category or abuse@cloudflare.com

It's rate limited so that even a human reporting multiple items has to sit and wait. [...] They have a CAPTCHA on the abuse reporting form.

Yes, I agree. I reported hundreds of ".pages.dev" sites (hosted by their Cloudflare Pages service), the form restricts it to 1 unique domain per report, so I had to make hundreds of individual reports but they did take them down.

they are "so much worse" than anyone else

I don't agree with this, in my experience they have taken action on some reports meanwhile some other companies have done nothing (DigitalOcean (Doesn't deal with any of my reports, known for being infested with bad actors, now they're the first ASN I block when I'm setting up a firewall), AWS (their customer spammed me for months, tried telling me the email didn't originate from them, but it did.), Dynadot (will not do anything without court orders, warrants) )

autoexec
0 replies
1d18h

Most sites are better about preventing and handling abuse of their service. When a service makes it difficult to report abuse to them, or fails to act on the abuse reports they get, they are the ones to blame.

Scammers and assholes will always exist. It's the responsibility of everyone operating a service on the internet to make sure that their service isn't acting as a safe-haven for those criminals and bad actors.

Google is somehow worse than cloudflare is. I heard recently that Google won't even accept an abuse complaint for docs.google.com unless you create and sign into a google account.

taspeotis
2 replies
1d20h

and any security stack their corporation may have in place

I mean if the security stack misses that (forgivable) but then allows this:

When executed, it establishes a connection to an external file share, typically via WebDAV, to download an LNK or VBS file. When executed, the LNK/VBS executes a BAT or CMD file

It fucking sucks.

autoexec
1 replies
1d17h

Just downloading a LNK or VBS file should be a massive red flag. Whoever decided that it was a good idea to hide file extensions from people by default was an idiot.

BubbleRings
0 replies
1d10h

Whoever decided….

Completely agree. And over the years I have found it sad how many people (some of whom considered themselves computer experts) I had to explain to what extensions are, why they are needed, how to make them show, etc.
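
The delivery chain quoted above (a downloaded LNK or VBS that goes on to run a BAT/CMD) and the point about hidden extensions both come down to the same check: does a file that landed in a downloads folder look like a shortcut or script lure? The following is an added example, not code from the thread or from Cloudflare, showing how a triage script can flag such files by name and by content. It assumes a constructed set of fixture files, an assumed list of risky and decoy extensions, and the Windows Shell Link header (HeaderSize 0x4C followed by LinkCLSID 00021401-0000-0000-C000-000000000046) to catch .lnk bodies renamed to something harmless-looking.

```python
"""Inspect a downloads folder for shortcut/script lures (added example)."""
import tempfile
from pathlib import Path

# Windows Shell Link header: HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046, both little-endian.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")

# Extensions Windows will execute or script from a double-click (assumed list).
RISKY_EXT = {".lnk", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
             ".bat", ".cmd", ".scr", ".ps1"}
# Document-looking extensions used as the decoy half of a double extension
# such as invoice.pdf.lnk, which reads as "invoice.pdf" with extensions hidden.
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
RLO = "\u202e"  # Unicode right-to-left override, used to visually reverse an extension


def inspect(path: Path) -> list[str]:
    """Return the reasons a file looks like a shortcut/script lure ([] if clean)."""
    reasons = []
    suffixes = [s.lower() for s in path.suffixes]
    final = suffixes[-1] if suffixes else ""
    if final in RISKY_EXT:
        reasons.append(f"executable-by-double-click extension {final}")
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXT and final in RISKY_EXT:
        reasons.append("decoy double extension (relies on hidden extensions)")
    if RLO in path.name:
        reasons.append("right-to-left override character in file name")
    with path.open("rb") as f:
        head = f.read(len(LNK_MAGIC))   # content check is independent of the name
    if head == LNK_MAGIC:
        reasons.append("Windows shell link header"
                       + ("" if final == ".lnk" else " under a non-.lnk name"))
    return reasons


def scan_dir(root: Path) -> dict[str, list[str]]:
    """Map each flagged file name to its reasons; clean files are omitted."""
    findings = {}
    for p in sorted(root.iterdir()):
        if p.is_file():
            reasons = inspect(p)
            if reasons:
                findings[p.name] = reasons
    return findings


def build_sample_dir(root: Path) -> None:
    """Constructed fixtures standing in for a user's Downloads folder."""
    (root / "Q3-report.pdf").write_bytes(b"%PDF-1.4\n%fake\n")
    (root / "invoice.pdf.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56)   # classic lure
    (root / "update.vbs").write_text('WScript.Echo "constructed sample"\n')
    (root / "photo.jpg").write_bytes(LNK_MAGIC + b"\x00" * 56)         # LNK body, image name
    (root / "notes.txt").write_text("benign text\n")


def demo() -> dict[str, list[str]]:
    """Build the fixtures in a temp dir and return scan_dir()'s findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_dir(root)
        return scan_dir(root)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {'; '.join(reasons)}")
```

Running it flags invoice.pdf.lnk on all three counts, update.vbs on its extension alone, and photo.jpg only because its bytes are a shell link, which is the case a name-based rule would miss. The extension lists are a starting point, not a complete inventory of what Windows will run.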

riazrizvi
1 replies
1d18h

Only technical users recognize the name Cloudflare, and they know it’s a hosting service. This concern seems ridiculous to me.

rocqua
0 replies
1d13h

This is about automated systems using domain reputation to block certain downloads.

Their systems are telling them that trycloudflare.com is not a trustworthy domain, but it is so ubiquitous, that blocking them isn't feasible.

guizadillas
1 replies
1d20h

oh no a tunneling service is used for tunneling /s

psd1
0 replies
1d3h

Well no, it's more like _ubiquitous tunneling service grants anonymous sign-up and thereby disguises origin and commingles traffic that Was Authenticated Somewhere with traffic that Could Be From Anyone, with the effect of opening a hole in your first line of defense_.

If you merely want to be edgy, then well done. Otherwise, a piece of advice, start by understanding the problem.

willcipriano
0 replies
1d20h

user sees they're connecting to cloud flare

I see I am connecting to Comcast, it says so right on my modem.

palmfacehn
0 replies
1d10h

DNS filtering, WAFs and curated naughty lists were never more than duct tape at best. I'm sure they are effective, but they don't approach the problem of vulnerable software or end users who download and execute untrusted software. At worst, they created an incentive for alarmist companies to scare users into using their half measures rather than comprehensively addressing the problem.

definitelyauser
0 replies
1d7h

I don't think it's unreasonable for people to expect cloudflare to be policing their own service for malware when they're trying to pitch themselves as a security product.

But you're not the customer, you're the consumer.

Are they pitching themselves as safer for the consumer?

adolph
0 replies
1d4h

The end-destination is completely hidden from the end-user

a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource.

https://en.wikipedia.org/wiki/Proxy_server

3np
0 replies
1d11h

I don't think it's unreasonable for people to expect cloudflare to be policing their own service

On the contrary. The tendency of those expectations turning into assumptions is the wider issue.

valand
8 replies
1d20h

At this point --- and speaking for non-power-users --- this should be an OS interaction design problem.

Framing cloudflare as the enabler is missing the bigger picture.

I remember back in the day I needed to turn off autoplay on Windows to not get accidentally infected by malicious drives.

No one was insane enough to blame the CD-RW and flash drive manufacturers.

autoexec
7 replies
1d17h

No one was insane enough to blame the CD-RW and flash drive manufacturers.

cloudflare isn't acting like a CD-RW or a flash drive. They're acting like a storefront that sells fraudulent flash drives that say they're 1TB when they're actually 200MB, or don't work at all when you plug it in, or worse catch fire. A storefront that refuses to take the faulty products off the shelves when customers complain, refuses to stop selling merchandise they sourced from criminals, and refuses to do even basic due diligence to make sure the products they sell are legitimate.

People who operate stores have a responsibility to make sure that merchandise they sell to consumers isn't fraudulent and harmful. Companies offering their services online also have a responsibility to make sure that those services aren't being used to push fraudulent and harmful content onto consumers and that they aren't acting as safe-havens for criminals.

valand
5 replies
1d13h

Aside from process host and protocol, what makes it different from, let's say publicly available google drive?

autoexec
3 replies
1d13h

Whatever differences exist between a publicly accessible google drive and an innocuous seeming link to a cloudflare owned domain that takes users to a random malicious server without warning, we can be reasonably sure that those differences are meaningful because these scammers are flocking to the cloudflare service instead of using google drive.

Something about this cloudflare service is really attractive to these scammers in a way that google drive isn't. Maybe it's because these scammers just haven't discovered how great google drive is as a malware delivery platform, but I suspect that they have.

Google drive has something of a history for hosting malware. https://www.techrepublic.com/article/google-drive-accounted-...

Now maybe all the attention on how google drive became the hottest place in town to spread malware caused google to get off their ass and do something about the abuse of their online service, and it's become a less hospitable place for criminals than it used to be. Or, maybe google has continued to neglect their responsibility to keep criminals off their service and it's the public who have just gotten more suspicious of the links to google drive in their inboxes making google drive campaigns less effective and it's the novelty of cloudflare tunnels that makes them so effective. Maybe it's just easier to create cloudflare links that don't require accounts than it is to keep creating google drive accounts.

Where it matters most though, there really isn't much difference between the two services. Both have a responsibility to keep their services from being used to facilitate crime. Both should respect RFC 2142, but don't. Both can eventually get around to removing links to malware after you report it to them enough while doing basically nothing to stop that same malware from going right back up again at another URL/account. Both have more than enough resources and talent to be doing a much better job at internet abuse handling than they have been. They both just don't care enough to bother.

NavinF
2 replies
1d11h

I quite like the status quo. I don't want Cloudflare or Google to block the files I'm trying to download just because they got a bunch of reports from clueless people or bots.

I want both to behave like dumb pipes. They don't have enough context to make any decisions like the ones you described. Ideally everything would be end to end encrypted so it'd be impossible for them to make the decision for me.

autoexec
1 replies
1d11h

I don't want Cloudflare or Google to block the files I'm trying to download just because they got a bunch of reports from clueless people or bots.

Lots of scammers don't want Cloudflare or Google to block the files they're trying to trick people into downloading either. There are people who feel the same way about spam, that no service provider should have the right to block or even flag messages as spam for anyone else. Thankfully, most people disagree and want service providers to act on abuse complaints instead of acting as safe-havens for criminals.

Even dumb pipes need to be maintained when they start carrying something toxic/harmful that isn't supposed to be there. These are nothing like dumb pipes though. They're watching everything you and everyone else does with the service and logging it all. They're collecting every scrap of data they can while we interact with these services and they're happy to use that data when they think it'll put money in their pocket, but much less interested in using it to prevent the harm being done.

It isn't hard to find this stuff. These types of scammers are not usually very subtle. In this case they're linking to .LNK and .VBS, but scammers using these kinds of services are doing things like repeatedly uploading the exact same malware infected file, or not even bothering to modify their phishing sites each time they reupload them, or using the same keywords/broken english in their spam, etc.

These companies could automate checking to see what's at the other end of a generated link, or run a quick AV scan on an uploaded file, or to look for domains that are registered with misspellings of banks and online shopping companies, or to see if the hash of recently uploaded content matches something they recently had to take down because it violated the law and/or their own ToS/AUP.

I'm not even suggesting that they take something offline immediately if they find something, just flag it for review by an actual human with eyes and a brain and have enough humans available that it doesn't take long before that review happens. Make it easy for people to send reports of internet abuse. It's not hard to act like responsible members of the internet community, it just takes work.

adolph
0 replies
1d4h

Even dumb pipes need to be maintained when they start carrying something toxic/harmful that isn't supposed to be there.

Quis custodiet ipsos custodes?

https://en.wikipedia.org/wiki/Quis_custodiet_ipsos_custodes%...

In this case they're linking to .LNK and .VBS, but scammers using these kinds of services are doing things like repeatedly uploading the exact same malware infected file

It sounds like you advocate for proxy servers to inspect traffic at the application layer. Is that right?

In the OSI reference model, the communications between systems are split into seven different abstraction layers: Physical, Data Link, Network, Transport, Session, Presentation, and Application.

https://en.wikipedia.org/wiki/OSI_model

psd1
0 replies
1d2h

I can, as a google admin, block links from outside the org; or, as a non-google admin, block google docs. The business may decide not to block, but if I have good SIEM then I can still do something, possibly inspect the file before it hits the user's desktop.

I can't block cloudflare, unless I'm willing to block half the internet. If I try to do additional inspection, I've got huge amounts of noise and I'm going to make the internet unusably slow.

Dylan16807
0 replies
1d12h

A file host is one or two orders of magnitude less involved than a store that stocks and sells products.

And if anything a file proxy is even further away.

__MatrixMan__
2 replies
1d4h

I find it bonkers that we have settled on a design for browsers under which merely clicking a link is enough to expose you to a malware threat.

It's like we received the good advice:

don't eat things you can't identify

but somewhere along the way we got our wires crossed so now it's

don't look at things you can't identify

But we're still acting like only an idiot would ever fail to adhere to this perfectly reasonable advice, when actually it's a recipe for having users with no idea what a real threat actually looks like.

Much better would be if you can safely click all links (just don't, you know, run it or whatever the dangerous action is) so that you can annotate what you find there as either threatening or trustworthy--the better to help out your peers.

psd1
1 replies
1d2h

Well, hyperlinks, SMTP, browser scripting (less so): these things come from a time when the internet was a community, not a venue for crime. The first viruses were from clever under-socialised children. It was a playground and everyone was safe.

Now we regret our naivety, but it's too late to take a systemic approach. It's all grandfathered in.

__MatrixMan__
0 replies
17h52m

I think that sooner or later, the threats will become sophisticated enough to ungrandfather it.

RockRobotRock
1 replies
1d17h

It would be nice if Cloudflare tried a bit harder to respond to abuse reports.

I don't think they've ever acted when I've reported obvious phishing and malware hosting to them.

jeroenhd
0 replies
1d9h

I don't think I've ever seen an abuse report to anyone have a direct consequence. Phishing URLs I've reported never get added to any phishing lists, malware reports seem to go to /dev/null, and reporting spammers to their hosting services/registrars only seems to increase the amount of spam received.

Cloudflare should do better, but so should the entire industry. I get why companies selling security software report on this stuff, but this stuff is just a consequence of the internet allowing inbound connections sometimes.

The takeaway from this isn't "Cloudflare bad", but "block trycloudflare.com in your DNS server unless your devs use it for some reason". Same with Ngrok and any other dev tool like that.
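
jeroenhd's closing suggestion (block trycloudflare.com at your resolver unless your devs need it), worked through as an added example that is not part of the thread: a label-aware suffix matcher, a scan over constructed resolver log lines that flags queries to ad-hoc tunnel zones, and the matching unbound `local-zone` stanzas. The log format and sample lines are constructed; the ngrok suffixes come from my own knowledge of ngrok's public hostnames, not from the thread.

```python
"""Flag DNS queries for ad-hoc tunnel zones (e.g. *.trycloudflare.com) and
emit a resolver block list for them."""
import re
from collections import Counter

# trycloudflare.com is the zone discussed in the thread; the ngrok suffixes
# are an assumption from my own knowledge of ngrok's hostnames (verify them
# against current ngrok documentation before deploying).
TUNNEL_SUFFIXES = ("trycloudflare.com", "ngrok.io", "ngrok-free.app")


def normalize(qname: str) -> str:
    """Lower-case a query name and strip the trailing root dot."""
    return qname.strip().lower().rstrip(".")


def tunnel_suffix(qname: str, suffixes=TUNNEL_SUFFIXES):
    """Return the matching zone if qname is that zone or a name beneath it.

    Matching is done on whole DNS labels, so 'nottrycloudflare.com'
    does not match 'trycloudflare.com'.
    """
    name = normalize(qname)
    for suffix in suffixes:
        if name == suffix or name.endswith("." + suffix):
            return suffix
    return None


# Constructed log format (not any particular resolver's):
# "<timestamp> <client-ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def scan_dns_log(lines):
    """Return (hits, counts).

    hits   : list of (client_ip, normalized_qname, matched_zone)
    counts : Counter of matched_zone -> number of hits
    Malformed lines are skipped rather than aborting the scan.
    """
    hits = []
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, qname, _qtype = m.groups()
        zone = tunnel_suffix(qname)
        if zone:
            hits.append((client, normalize(qname), zone))
            counts[zone] += 1
    return hits, counts


def unbound_block_config(suffixes=TUNNEL_SUFFIXES):
    """Emit unbound 'local-zone' lines answering NXDOMAIN for each zone.

    'always_nxdomain' is an existing unbound local-zone type: the zone and
    every name beneath it gets NXDOMAIN, which is what a blanket block of
    *.trycloudflare.com needs.
    """
    return "\n".join(f'local-zone: "{s}." always_nxdomain' for s in suffixes)


# Constructed sample lines: one quick-tunnel lookup, one benign lookup, one
# look-alike that must not match, one ngrok lookup, one malformed line.
SAMPLE_LOG = [
    "2024-08-01T10:00:01Z 10.0.0.15 purple-wave-example.trycloudflare.com. A",
    "2024-08-01T10:00:02Z 10.0.0.15 www.example.org. A",
    "2024-08-01T10:00:03Z 10.0.0.22 NOTTRYCLOUDFLARE.COM. A",
    "2024-08-01T10:00:04Z 10.0.0.22 abcd-1234.ngrok-free.app. A",
    "garbage line",
]

if __name__ == "__main__":
    found, per_zone = scan_dns_log(SAMPLE_LOG)
    for client, qname, zone in found:
        print(f"{client} queried {qname} (tunnel zone: {zone})")
    print(dict(per_zone))
    print(unbound_block_config())
```

Feed the same matcher the resolver's real query log before adding the block list, so the developers who legitimately use these tunnels are identified first.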

dang
51 replies
1d23h

[stub for offtopicness. title casing software begs forgiveness.]

robertlagrant
41 replies
1d23h

[flagged]

jsheard
38 replies
1d23h

If history is any indication you can probably keep having the nice thing, because CF tends to look the other way when bad actors abuse their infrastructure.

dingnuts
22 replies
1d23h

oh really? according to who? and for what business purpose?

twisteriffic
7 replies
1d22h

Cloudflare has been in front of _every_ phishing site targeting my org for the past year. Their response to reports is always "we're just a pass through, not our problem". The attackers know that CF won't take action against them, and that using CF will slow down any response or takedown request.

lovethevoid
5 replies
1d21h

Unless CF is actually hosting the site, which is rare, the most they can do is no longer act as pass through. In which case, your problem isn't actually solved, they just move to another provider who offers similar.

You instead want to be talking to browser and search engine providers and reporting there, as well as your government for illegal activities.

twisteriffic
3 replies
1d20h

They aren't a passthrough, though. That wouldn't be a valuable service. They're providing a service to criminals that assists them in fraud, and refusing to take any action when notified. It adds hours or days to a takedown process. It's like they're standing outside the mall handing the bike thieves branded hacksaws.

We've had better luck getting random Moldovan ISPs to shut down service than we've had in getting Cloudflare to give a damn.

lovethevoid
2 replies
1d20h

They are quite literally a MITM passthrough. The example you used doesn't make any sense either, it would be more like them handing everyone hacksaws and you getting mad at them over the fact some people are using them for bad things.

Again, get a court order and they'll take action. They are legally required to. Random Moldovan ISPs don't operate at the scale CF does, no wonder they were faster. Probably also easier to bribe as well ;)

janc_
1 replies
1d19h

The fact that they block some people from accessing the websites behind their service negates their claims to be "just a passthrough"…

Dylan16807
0 replies
1d12h

Okay, their main service is a passthrough with a sprinkle of blocking on top.

GGP is asking for more blocking, so I don't think they mind that particular reason.

mschuster91
0 replies
1d20h

Unless CF is actually hosting the site, which is rare, the most they can do is no longer act as pass through. In which case, your problem isn't actually solved, they just move to another provider who offers similar.

Well, if at least the Big Five (CF, Akamai, AWS, GCP, Azure) could get their shit together and cooperate against the bad actors, using netblocks against hostile IP ranges (both egress and ingress) could start making sense again.

jonathantf2
0 replies
1d20h

I find that the domain registrar takes action more often than not (I guess because they're bound to ICANN's regulations), then the moment the domain is stopped Cloudflare sends an automated e-mail saying that they don't host the website because the DNS records stopped resolving.

jsheard
7 replies
1d23h

Of the 10 highest ranked "stresser" (DDoS-for-hire) services on DuckDuckGo right now, 9 of them are using Cloudflare.

jetstress.net - Cloudflare

maxstresser.com - Cloudflare

neostress.cc - Cloudflare

quezstresser.ru - Cloudflare

rawstresser.net - Cloudflare

stresse.net - Cloudflare

stresser.su - Cloudflare

stresser.zone - Cloudflare

stresserst.su - DDoSGuard

sunnystresser.com - Cloudflare

I could keep going but you get the point. This has been ongoing for years and they consistently ignore abuse reports.

Given that CF's bread and butter is selling DDoS mitigation, this is a blatant conflict of interest.

robertlagrant
5 replies
1d21h

Is the problem that the stressor services don't have robust KYC?

jsheard
3 replies
1d21h

Legit load testing services like loader.io require you to prove you own the site you are targeting, yes. "Stressers" let you point their orbital laser at whatever you want, they might say it's only meant for use against your own servers but that's just an ass-covering pretense.

robertlagrant
2 replies
1d21h

Sure. But that's what I'm asking. Why blame Cloudflare rather than the companies themselves?

jsheard
1 replies
1d21h

DDoS providers and other for-profit miscreants are incentivized to DDoS each other into oblivion, and Cloudflare is the only one of the giant mitigation providers who are willing to protect them from their competition. There are bulletproof alternatives like DDoSGuard but their network is absolutely nowhere near as expansive as CF's is, nor is it free to use, nor do they have enough legit customers to rule out blocking their entire ASN in a corporate firewall to stop phishing attacks. CF's share of the blame is for making bad actors' lives much easier than it should be.

Dylan16807
0 replies
1d12h

I feel like the portion of blame for stopping criminals from attacking each other is pretty low.

duskwuff
0 replies
1d19h

That would imply that those services have legitimate use cases. Most of them don't, and they're well aware of it.

readyplayernull
0 replies
1d21h

Given that CF's bread and butter is selling DDoS mitigation, this is a blatant conflict of interest.

There is no conflict when the goal is making money. They'll be glad to look the other way.

r1ch
4 replies
1d23h

Search for "stress tester" and almost every ddos-for-hire site you find will be protected by Cloudflare.

dingnuts
2 replies
1d22h

so report them? this is like complaining that their domains are registered by GoDaddy, or their packets are delivered through the Internet by hurricane electric, or their local power company keeps their lights on

jsheard
1 replies
1d22h

From what I've heard, if you send an abuse report to Cloudflare they just forward it to the owner of the service you are reporting, without redacting any personal information you provided, opening you up to reprisal. They won't actually do anything unless legally mandated to.

ziddoap
0 replies
1d22h

They won't actually do anything unless legally mandated to.

This is a good thing, and pretty refreshing compared to the Kafkaesque scenarios that Google and others offer when shutting down entire businesses based on the whims of some blackbox AI detection system or fraudulent DMCA notice.

janc_
0 replies
1d19h

The more DDoS there are, the more business CF gets. Take your own conclusions…

ozr
13 replies
1d22h

Good. It should require a court order to take someone offline.

jsheard
9 replies
1d22h

I think we both know that bad actors can spin up new Cloudflare accounts a few orders of magnitude faster than the courts can take action against just one.

It's not much of an ask to at least keep DDoS providers out, even from a free speech absolutist position it's a stretch to say that DDoS should be protected speech.

lcnPylGDnU4H9OF
5 replies
1d22h

I think the suggestion in the parent comment leaves room for a court order that bars providing service to certain individuals/organizations.

jsheard
3 replies
1d22h

That would require Cloudflare to have a KYC policy which exposes the individual/organization behind an account, and they don't do that either.

If DDoS4U gets banned they can just rebrand as DDoS4Less and CF is (willingly?) none the wiser that it's the same people behind it.

thefifthsetpin
1 replies
1d22h

KYC := know your customer

mozman
0 replies
1d20h

aka get their real id

ensignavenger
0 replies
1d22h

Malicious actors could spin up new accounts whether or not CF bans malicious accounts without a court order. Requiring a court order would have no bearing on CF's ability to prevent duplicate accounts.

cortesoft
0 replies
1d22h

That sort of court order would end this entire product feature. You can't have accountless tunnels if you have to be able to bar specific individuals or organizations.

lovethevoid
2 replies
1d21h

DDoS isn't protected by Cloudflare and is already illegal, hence the court orders which get them to act.

What you are asking for is KYC to be implemented.

gnfargbl
1 replies
1d21h

Is that so unreasonable? If I agree to forward someone's mail you would probably expect me to do some basic sanity checks in order to establish whether I am likely to be forwarding IRS documentation or anthrax. Why does the internet always get a pass on established societal norms?

lovethevoid
0 replies
1d20h

Depends on if you're ok with the tradeoffs of KYC as they require comprehensive identity verification, and depending on service changes to structure to adhere to a per-person account model.

weberer
0 replies
1d8h

Ironically, Cloudflare removed DDoS protection from KiwiFarms without a court order due to a political pressure campaign.

scrame
0 replies
1d22h

court order by who?

01HNNWZ0MV43FF
0 replies
1d22h

I have to provide services to anyone with money?

tonetegeatinst
1 replies
1d22h

Counter argument and hear me out please.

Just because a few bad actors cause harm shouldn't mean everyone should be losing rights and giving up bits of their freedom because someone ruined it for everyone else.

Doesn't matter what it is: weapons, or fireworks, or even the right to code. Sacrifice of everyone's rights and freedom to choose, all in the name of reducing the odds of something happening, seems odd. The very regulation of what someone can and cannot do, while it might theoretically reduce risk (an argument for correlation not causation exists here), can't possibly outweigh the fact you're restricting people's free will and autonomy. The constant regulation and restriction of things in our lives only stifles innovation, acts as a barrier to entry, and forces the creativity out of people's lives.

CodeWriter23
0 replies
1d22h

I call it optimizing for the corner cases.

LoganDark
4 replies
1d23h

I thought this was a terrible pun about using tunnels to deliver rodents, not delivering remote access trojans. I don't know which I would have liked better.

barryrandall
3 replies
1d23h

Rodent-over-IP would be a fascinating read.

CamelCaseName
1 replies
1d23h

Now everyone knows my YC 25 idea

cedws
0 replies
1d22h

It would never receive funding, viruses spread too quickly.

chatmasta
0 replies
1d21h

There’s actually a (really superb) Rust library/program for creating reverse tunnels over TCP, that’s called Rathole [0]. We used it [1] at my last startup and were mildly worried that one day we’d need to explain to a security auditor why we had a dependency called “rathole…”

[0] https://github.com/rapiz1/rathole

[1] https://www.splitgraph.com/jumpstart/tunnel

teddyh
2 replies
1d23h

Remote Access Trojans, not rodents.

mikestew
1 replies
1d23h

Original title has “RATs”, but that seems to have gotten edited/autocorrected away when it got to HN. Because, damn, that’s a hack I want to read about.

stavros
0 replies
1d23h

I was really eager to see how they delivered rodents via Cloudflare, but my hopes were dashed.

ASalazarMX
0 replies
1d22h

Original title was "Threat Actor Abuses Cloudflare Tunnels to Deliver Rats", and even if I knew about malware through Cloudflare tunnels, it got my hopes too high.

anonym29
8 replies
1d14h

Cloudflare has been infamous among sysadmins and threat hunters for over a decade [1,2] now for having an almost-nonexistent moderation program. Their services have been routinely abused by malicious actors for years [3,4,5,6,7]. They've arguably been the single largest commercial provider for criminals globally over that time period, including non-tech criminals like drug traffickers and actual terrorists [8,9], to say nothing of aiding and abetting war criminals [10].

In fact, Cloudflare is actually the second largest DNS provider in the world by number of domains served. [11]

They are in a position to log and analyze all of the traffic they decrypt, including all of the plaintext POST data, all of the cookies, all of the origin IPs, L7 payload sizes, and traffic timestamps for over 35 million websites.

Their extensive history of indiscriminately offering "free" services to evildoers likely ties back to their true purpose, which Matthew Prince has admitted to [12], which is to sell all of those passwords, all of that PII, all of your privacy, not only to the US government, but also to other bidders.

It is no exaggeration to say that anyone opposed to spam, phishing, malware, cybercrime, terrorism, war crimes, government surveillance dragnets, and infringements upon one's own digital privacy should have nothing but utter contempt for the soulless monsters responsible for this corporate atrocity.

If you are as passionate about the subject as I am after reading some of these citations, I'd encourage you to boycott any websites using CF that you don't need to visit, and make plenty of phone calls to California senators, representatives, and the governor demanding that the state of California revoke Cloudflare's corporate charter and right to conduct business in the state.

[1] https://www.malwarebytes.com/blog/news/2014/12/free-ssl-cert...

[2] https://forum.spamcop.net/topic/14194-cloudflare-bulletproof...

[3] https://thehackernews.com/2023/08/cybercriminals-abusing-clo...

[4] https://www.threatdown.com/blog/cloudflare-tunnel-increasing...

[5] https://any.run/cybersecurity-blog/clouflare-phishing-campai...

[6] https://venturebeat.com/security/rogue-ad-network-site-likel...

[7] https://portswigger.net/daily-swig/cybercriminals-use-revers...

[8] https://www.trendmicro.com/vinfo/us/security/news/cybercrime...

[9] https://cyberscoop.com/cloudflare-ipo-terrorism-narcotics/

[10] https://www.timesofisrael.com/us-firm-helps-hamas-netanyahu-...

[11] https://bgp.he.net/report/tophosts

[12] https://0xacab.org/blockedbyriseup/deCloudflare/-/raw/master...

rfl890
4 replies
1d11h

They are in a position to log and analyze all of the traffic they decrypt, including all of the plaintext POST data, all of the cookies, all of the origin IPs, L7 payload sizes, and traffic timestamps for over 35 million websites.

And equally so is whoever they trust to provide the hardware to host their website on. Most of the time, it's someone else.

(edit: Your last source is laughable. Some real conspiracy theory shit)

tzs
1 replies
1d2h

His last source is a word-for-word excerpt from a BBC article about Cloudflare, with the information coming directly from their reporter talking to the founder of Cloudflare. As far as I can tell the only thing the site he linked to added was that they underlined some phrases.

When you say it is conspiracy theory shit (CTS) do you mean that what the text says is CTS, or do you mean that whatever inference the site that copied the text from the BBC is trying to get you to infer from their underlining is CTS?

rfl890
0 replies
21h42m

The latter. For example, what is "tracked them” (going off memory here) even supposed to imply? Log the spammer's email address and send it off wherever (which most mail services do), says the context. Just looks like a poor attempt to make CF look bad, unlike the others, which cite real incidents.

anonym29
1 replies
1d5h

And what do you reckon the chance is that Azure and AWS and GCP are extracting ephemeral TLS session keys for every inbound HTTPS traffic stream bound for their customers, and decrypting every single stream?

The chance that Cloudflare is getting access to all incoming traffic in plaintext is 100%.

rfl890
0 replies
21h35m

Didn't mention anything about chances. If these companies wanted, they could decrypt all traffic, and it's easier than how you said (just swap out a web server binary or something). Although I must admit Cloudflare has a worse track record.

server_man3000
1 replies
1d11h

Your sources are ass man. Yah newsflash, CF is a hosting site and people make phishing pages. This shit is true with literally any cloud provider today that’s relevant on the internet.

anonym29
0 replies
1d5h

The difference is, legitimate non-criminal providers don't flagrantly ignore abuse reports, but thanks for leading with a petty criticism of my citations rather than refuting the core of my argument, which you can't do.

edm0nd
0 replies
1d2h

They earned the nickname 'crimeflare' for a good reason and rightfully so.

peanut-walrus
4 replies
1d3h

The times where malicious software was served from a sketchy .ru domain or a naked IP address located at some bullet-proof hosting provider are long gone. The threat actors use the same infra as everyone else - GCP, AWS, Azure, Cloudflare, etc.

They also use the same VPNs for connecting to your machines as your grandparents do for watching Netflix.

The internet as a whole is slowly but steadily moving towards a model where IP addresses and domain names are not useful indicators for security. You cannot block your users from visiting Cloudflare or AWS IP ranges, and you cannot block visitors to your site from major commercial VPN providers.

In addition, all the traffic is encrypted and name lookups are encrypted, so a network operator cannot tell anything about what you are doing on the internet.

This is a good thing for multiple reasons. First, it improves privacy and anonymity for the internet users. Second, reducing the effectiveness of network security solutions will make us be able to phase out their usage, which makes the network dumb again and prevents ossification. And third, it forces us to tackle the underlying security issues, rather than supporting a whole industry of ineffective whack-a-mole.

skeaker
0 replies
20h20m

The potential downside in my eyes is that regulators won't want to wait for the underlying issues to be solved and will instead opt for more aggressive identification. The worst case scenario is if the whole internet became like Facebook, requiring an account that's inextricably linked to your real identity just to view anything.

entropie
0 replies
20h28m

You can not block your users from visiting Cloudflare or AWS IP ranges

I am pretty sure Reddit does. I recently needed to rewrite/patch my tumblog backend software that uses yt-dlp to download Reddit videos because Reddit blocked the IP ranges of Hetzner's dedicated servers.

I circumvented this by downloading the videos on the client via JavaScript and uploading them to my server.

archerx
0 replies
6h39m

you can not block visitors to your site from major commercial VPN providers.

You can if you can figure out their IP ranges. Some websites already do it and it is something I am looking into.

Another thing worth doing is blocking TOR by getting the exit node ip address list. Blocking TOR has saved me a lot of grief from bad actors.

Nextgrid
0 replies
4h32m

The times where malicious software was served from a sketchy .ru domain or a naked IP address located at some bullet-proof hosting provider are long gone. The threat actors use the same infra as everyone else - GCP, AWS, Azure, Cloudflare, etc.

I guess that's a consequence of law enforcement being completely unable or unwilling to actually tackle online crime (as long as it's not inconveniencing a large corporation in very specific domains such as copyright).

Why bother with bulletproof/etc hosts or sketchy domain registrars when you can use a mainstream one and get away with it?

Terr_
3 replies
1d11h

When it comes to "nobody wants to spend enough money to do moderation and anti-abuse well", it makes me wonder: Whatever happened to early PGP-era ideas that we'd somehow establish new webs of distributed trust and distrust of online identities?

I guess we sorta kinda have a little of that in the form of social-media accounts that get "trusted" based on the number of followers and their followers' followers and bots all the way down, etc. Or PageRank and SEO exploitation.

stingraycharles
1 replies
1d5h

Society better figure something out soon, because with all these ultra realistic deepfakes coming up, we better have a way for people to establish whether the source is authentic or not.

rustcleaner
0 replies
21h34m

Nah, the ambiguity is exhilarating! :^)

tommek4077
0 replies
1d5h

Everyone who is capable of your suggestion is not dumb enough to install a trojan in the first place.

xyst
2 replies
1d21h

I wonder if those dreaded endpoint security programs (ie, ClownStrike) would have picked up on this type of attack.

I guess this type of traffic would only get flagged if attackers were skids (ie, re-using known RATs)

fragmede
0 replies
1d16h

Picked up? You'd configure Crowdstrike to stop any random exe from running at all. Doesn't matter if the attacker's using a known bad exe or not.

aio2
0 replies
1d20h

Clownstrike goes crazy

rolph
2 replies
1d22h

This reminds me of when those AOL free trial account disks were all over the place. In many circles an AOL subdomain would get instabanned.

mrinfinitiesx
1 replies
1d21h

Even the *.ipt.aol.com ban was needed because one AOLer would use the HOST.ipt.aol.com rDNS to ban-evade and ruin it for everybody.

Prodigy / CompuServe / Blue Light gang checking in

julesallen
0 replies
1d

Prodigy, haven't thought about that in a lot of years, thanks for the memory tickle. Even with the painted-with-bricks interface.

GEnie was another that was kind of fun. And I still can remember my CompuServe number!

lemax
1 replies
1d19h

Isn't this what happens to every free quick tunnel product? Was kinda just waiting for this to play out. ngrok had nice zero friction tunneling when it came out but then they had to put everything behind a sign-up flow due to the same sort of abuse.

ocdtrekkie
0 replies
1d19h

I would be disappointed in the attackers if it didn't. Free end-to-end encryption without any accountability tying it to a user? It's begging for abuse.

wiradikusuma
0 replies
1d4h

I guess this is why we can't have nice things on the internet (in this context, nice things from Cloudflare). Did you know you could send emails for free from Cloudflare (https://blog.cloudflare.com/sending-email-from-workers-with-...)? Well, now you can't. The sunsetting probably was not Cloudflare's fault, but it's more or less similar: nice service, abused.

sebstefan
0 replies
1d11h

If it isn't Cloudflare tunnels, it's gonna be asking Google to translate some webpage you host with a payload in the URL or something.

This isn't newsworthy.

neodymiumphish
0 replies
1d18h

I actually wrote about malicious use of this very tool a year ago[0] (almost to the day). The only thing new here seems to be what they’re doing through the tunnels, and the apparent success they’re having with this method for it to increase as a proportion of their overall attack techniques.

TryCloudflare, IMO, is the real problem here. It doesn’t require an account at all, so attribution becomes nearly impossible.

0: https://www.guidepointsecurity.com/blog/tunnel-vision-cloudf...

lacoolj
0 replies
1d1h

My immediate internal spam/scam alarm goes off the moment I see "I hope this message finds you well"

jasongill
0 replies
22h40m

For a long time, Cloudflare had a feature where you could "preview" custom CSS and HTML intended for use with their custom error pages. Basically, the preview feature just took CSS and HTML in a query string and then displayed it on cloudflarepreview.com/....

I reported it and showed how you could trivially create a page that said "Sign in to your Cloudflare account to get access to the Cloudflare beta preview!" and capture Cloudflare login credentials.

The bug bounty was closed as they said it was "accepted as the nature of the cloudflarepreview playground".

Then they fixed it by adding a JWT token to the URL (and no bounty paid).

I've been a Cloudflare customer for a long time but it seems that there are many dark corners of their products that just don't get a lot of attention until they are abused, and I suspect this TryCloudflare thing is one of them.

edm0nd
0 replies
1d2h

Crimeflare strikes again.