Serpentine#Cloud is a recently identified malware campaign where threat actors leverage Cloudflare Tunnels to conduct stealthy attacks, bypassing traditional security measures and maintaining persistent, covert access to compromised networks.
How the Attack Works
• Initial Access: Attackers typically start by compromising a Windows system, often using malicious .lnk shortcut files to execute code in memory, which helps evade detection.
• Cloudflare Tunnel Deployment: Once inside, the attackers deploy the Cloudflared client on the victim machine. This tool, intended for legitimate secure remote access, is repurposed to establish an encrypted outbound tunnel from the compromised endpoint to Cloudflare’s infrastructure.
• Command and Control (C2): Through this tunnel, attackers can securely communicate with the infected system, issue commands, exfiltrate data, and move laterally within the network. The encrypted nature of the tunnel, and its use of legitimate Cloudflare infrastructure, makes the malicious traffic appear benign and difficult for security tools to detect.
Why Cloudflare Tunnels Are Effective for Attackers
• Evasion of Security Tools: The encrypted traffic blends in with regular network activity, bypassing firewalls, intrusion detection systems (IDS), and endpoint detection and response (EDR) platforms.
• Persistence: Attackers can maintain long-term access, enabling or disabling tunnel features (such as RDP or SMB access) as needed to avoid detection and reduce their footprint.
• Lateral Movement: Cloudflare’s “Private Networks” feature can be abused to access a wide range of internal IP addresses, furthering the attacker’s reach within the victim organization.
Tactics Used in the Serpentine#Cloud Campaign
• In-memory Execution: Code runs directly in memory, leaving minimal forensic evidence on disk.
• Token Generation: Attackers generate tunnel tokens on the victim machine, allowing them to control tunnel configuration remotely.
• Stealthy Updates: Tunnel settings can be updated in real-time via the Cloudflare dashboard, enabling attackers to activate or deactivate features as needed.
Detection and Mitigation Recommendations
• Monitor for Unauthorized Cloudflared Use: Track installation and execution of the Cloudflared client, monitor for unusual DNS queries, and watch for outbound connections to non-standard ports like 7844.
• Restrict Tunnel Destinations: Limit Cloudflare Tunnel access to specific, authorized data centers and flag tunnels attempting to reach unauthorized destinations.
• Log and Alert on Anomalous Activity: Implement robust logging to detect suspicious commands, tunnel creation, and configuration changes.
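The monitoring recommendations above, turned into detection logic run over a few constructed telemetry lines. This is an added example, not part of the original article or of any vendor tooling. The log schema, the sample events, the approved install directory and the argotunnel.com DNS suffix are assumptions made for the example; only port 7844 and the cloudflared process name come from the article.

```python
import json
from pathlib import PureWindowsPath

# Constructed sample telemetry in JSON-lines form; these are not real logs.
SAMPLE_LOGS = r"""
{"type":"process","host":"ws01","image":"C:\\Users\\bob\\AppData\\Local\\Temp\\cloudflared.exe","cmdline":"cloudflared.exe tunnel run --token <redacted>","parent":"powershell.exe"}
{"type":"process","host":"ws01","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe","parent":"explorer.exe"}
{"type":"network","host":"ws01","dst":"198.51.100.7","dport":7844,"proto":"udp"}
{"type":"network","host":"ws02","dst":"198.51.100.8","dport":443,"proto":"tcp"}
{"type":"dns","host":"ws01","query":"region1.v2.argotunnel.com"}
{"type":"dns","host":"ws02","query":"www.example.com"}
"""

# Assumptions, not from the article: the directory where sanctioned cloudflared
# installs live, and the DNS suffix cloudflared resolves to reach its edge.
APPROVED_DIRS = {r"c:\program files (x86)\cloudflared"}
TUNNEL_DNS_SUFFIXES = ("argotunnel.com",)
TUNNEL_PORT = 7844  # the tunnel port named in the article


def inspect(event: dict) -> list[str]:
    """Return the name of every rule a single event triggers."""
    hits = []
    kind = event.get("type")
    if kind == "process":
        path = PureWindowsPath(event.get("image", ""))
        cmd = event.get("cmdline", "").lower()
        if path.name.lower() == "cloudflared.exe" or "cloudflared" in cmd:
            # cloudflared launched from a user-writable or unexpected location
            if str(path.parent).lower() not in APPROVED_DIRS:
                hits.append("cloudflared_outside_approved_path")
            # token-based start: tunnel config is then controlled remotely
            if "--token" in cmd:
                hits.append("cloudflared_token_tunnel_run")
    elif kind == "network" and event.get("dport") == TUNNEL_PORT:
        hits.append("outbound_port_7844")
    elif kind == "dns":
        query = event.get("query", "").lower().rstrip(".")
        if query.endswith(TUNNEL_DNS_SUFFIXES):
            hits.append("tunnel_edge_dns_query")
    return hits


def scan(log_text: str) -> list[tuple[str, str]]:
    """Parse JSON lines and return (host, rule) pairs for every hit."""
    findings = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        findings += [(event.get("host", "?"), rule) for rule in inspect(event)]
    return findings
```

Each hit is a lead to correlate with the others on the same host, not a verdict on its own; a sanctioned cloudflared deployment will still trigger the DNS and port rules.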