Cloudflare

Cybersecurity researchers have identified a growing trend among ransomware affiliates and advanced persistent threat actors who abuse Cloudflare’s legitimate tunneling service, Cloudflared, to establish covert access channels into compromised networks. The technique lets attackers maintain persistent access while evading traditional network security controls that typically flag suspicious outbound connections. Cloudflared tunnels have become a preferred persistence mechanism because of the service’s inherent design: tunnel traffic is encapsulated in additional protocols that only the tunnel endpoints can decrypt, so the channel looks like legitimate Cloudflare traffic to security monitoring systems and effectively gives attackers the equivalent of local network access from a remote location.

Source: https://cybersecuritynews.com/hackers-actively-exploiting-cloudflare-tunnels/

TPRM report: https://scoringcyber.rankiteo.com/company/cloudflare

{
  "id": "clo1006052925",
  "linkid": "cloudflare",
  "type": "Ransomware",
  "date": "5/2025",
  "severity": "100",
  "impact": "",
  "explanation": "Attack threatening the organization’s existence"
}
{'attack_vector': ['VPN exploitation',
                   'Remote desktop protocol attacks',
                   'Cloudflared tunnels'],
 'description': 'Cybersecurity researchers have identified a growing trend '
                'among ransomware affiliates and advanced persistent threat '
                'actors leveraging Cloudflare’s legitimate tunneling service, '
                'Cloudflared, to establish covert access channels into '
                'compromised networks. This sophisticated technique allows '
                'attackers to maintain persistent access while evading '
                'traditional network security controls.',
 'lessons_learned': 'The legitimate nature of Cloudflared traffic makes '
                    'detection particularly challenging for security teams who '
                    'must differentiate between authorized administrative use '
                    'and malicious exploitation.',
 'motivation': 'Maintain persistent access and establish command and control '
               'channels',
 'ransomware': {'ransomware_strain': ['BlackSuit',
                                      'Royal',
                                      'Akira',
                                      'Scattered Spider',
                                      'Medusa']},
 'references': [{'source': 'Sudo Rem'}],
 'threat_actor': ['BlackSuit',
                  'Royal',
                  'Akira',
                  'Scattered Spider',
                  'Medusa',
                  'Hunter International'],
 'title': 'Abuse of Cloudflare’s Tunneling Service by Ransomware Groups',
 'type': 'Ransomware'}