Cybercriminals Use Cloudflare Tunnels to Hide Communications

Hackers are increasingly abusing the Cloudflare Tunnels feature to create hidden HTTPS connections on compromised devices, using them to bypass firewalls and establish a more persistent presence within targeted systems.

What Are Cloudflare Tunnels?

Cloudflare Tunnels is a popular feature that lets users create secure, outbound-only connections from web servers or applications to the Cloudflare network, so a service can be exposed to the internet without opening any inbound firewall ports. Users set up a tunnel simply by installing the cloudflared client, which is available for Linux, Windows, macOS, and Docker. Once configured, the service becomes reachable online at a user-specified hostname and can be used for resource sharing, testing, and other purposes.

How Hackers Are Abusing Cloudflare Tunnels

According to experts at GuidePoint, more and more cybercriminals are misusing Cloudflare Tunnels to maintain covert, persistent access to victims’ networks, evade detection, and stealthily exfiltrate data from compromised devices.

Researchers note that establishing the hidden communication channel takes just a single command on the victim's device, and that command exposes nothing other than the attacker's unique tunnel token; the tunnel's configuration lives on the Cloudflare side, so the attacker can modify tunnel settings or enable and disable the tunnel from the Cloudflare dashboard as needed.

Increased Stealth with TryCloudflare

Worse yet, an attacker who wants even greater stealth can use the TryCloudflare feature, which creates disposable "quick" tunnels without registering an account, leaving no attacker-owned Cloudflare account to trace.

“The tunnel updates as soon as changes are made in the Cloudflare Dashboard, allowing attackers to use the feature whenever they want to perform actions on the victim’s computer, then disable it to prevent their infrastructure from being exposed,” experts explain. “For example, an attacker can enable an RDP connection, collect information from the victim’s computer, and then disable RDP until the next time, reducing the chance of detection.”

Why Detection Is Difficult

Because the tunnel client talks to Cloudflare's well-known edge network over an outbound connection, by default QUIC on UDP port 7844 (falling back to HTTP/2 over TCP port 7844), and the data carried inside is ordinary HTTPS, firewalls and other security solutions are unlikely to flag the traffic as suspicious unless they are specifically configured to do so.

Risks of Private Networks Feature

GuidePoint also warns that attackers can abuse the Private Networks feature: once a tunnel is running on one victim device, it can be configured to route an entire range of internal IP addresses, giving the attacker remote access to other hosts on the victim's internal network through that single foothold.

How to Detect Cloudflare Tunnel Abuse

To detect abuse of Cloudflare Tunnels, GuidePoint recommends monitoring for the specific DNS queries listed in their report (the domains the cloudflared client contacts) and watching for outbound connections on non-standard ports such as 7844. Organizations that do not use Cloudflare Tunnels legitimately can block these outright; those that do should baseline which hosts are expected to run cloudflared so that anything else stands out.
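As an added illustration of the two detection points above (the DNS queries and the port-7844 traffic), not code from GuidePoint's report, the script below correlates constructed DNS and flow log lines per host and rates each host by how many indicator types it shows. The domain suffixes it matches are an assumption based on the domains the cloudflared client is publicly known to contact, not a copy of the report's list; the log format, host names, and 203.0.113.x addresses are constructed for the example.

```python
"""Flag hosts showing cloudflared (Cloudflare Tunnel) indicators in DNS and flow logs."""
import re
from collections import defaultdict
from dataclasses import dataclass

# ASSUMED indicator list: DNS suffixes the cloudflared client is publicly known
# to contact. Illustrative only, not the GuidePoint report's list.
TUNNEL_DNS_SUFFIXES = (
    ".argotunnel.com",     # tunnel edge / update endpoints
    ".cftunnel.com",       # h2/quic tunnel endpoints
    ".trycloudflare.com",  # disposable quick-tunnel hostnames (no account needed)
)
CLOUDFLARED_PORT = 7844    # QUIC (udp) or HTTP/2 (tcp) to the Cloudflare edge

# Constructed sample logs in a simple key=value format (not real telemetry).
SAMPLE_DNS_LOG = """\
2024-01-10T10:01:02Z host=ws-042 query=region1.v2.argotunnel.com type=A
2024-01-10T10:01:03Z host=ws-042 query=update.argotunnel.com type=A
2024-01-10T10:01:05Z host=ws-042 query=quic.cftunnel.com type=A
2024-01-10T10:02:00Z host=ws-017 query=www.example.com type=A
2024-01-10T10:02:10Z host=ws-017 query=cdnjs.cloudflare.com type=A
2024-01-10T10:05:11Z host=ws-099 query=random-words-1234.trycloudflare.com type=A
"""
SAMPLE_FLOW_LOG = """\
2024-01-10T10:01:04Z host=ws-042 proto=udp dst=203.0.113.10 dport=7844 bytes=51200
2024-01-10T10:01:06Z host=ws-042 proto=tcp dst=203.0.113.10 dport=7844 bytes=2048
2024-01-10T10:02:01Z host=ws-017 proto=tcp dst=203.0.113.20 dport=443 bytes=1200
"""

DNS_RE = re.compile(r"host=(?P<host>\S+)\s+query=(?P<query>\S+)")
FLOW_RE = re.compile(
    r"host=(?P<host>\S+)\s+proto=(?P<proto>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Finding:
    host: str
    source: str      # "dns" or "flow"
    indicator: str
    reason: str


def classify_query(name: str):
    """Return a reason string if the queried name is a cloudflared indicator, else None."""
    n = name.lower().rstrip(".")
    if n.endswith(".trycloudflare.com"):
        return "TryCloudflare quick tunnel hostname (no Cloudflare account required)"
    for suffix in TUNNEL_DNS_SUFFIXES:
        if n.endswith(suffix):
            return f"cloudflared edge/control domain ({suffix.lstrip('.')})"
    return None


def scan_dns(log: str):
    """One Finding per DNS query that hits an indicator suffix."""
    findings = []
    for line in log.splitlines():
        m = DNS_RE.search(line)
        if not m:
            continue
        reason = classify_query(m["query"])
        if reason:
            findings.append(Finding(m["host"], "dns", m["query"], reason))
    return findings


def scan_flows(log: str):
    """One Finding per outbound flow to the cloudflared port, udp or tcp."""
    findings = []
    for line in log.splitlines():
        m = FLOW_RE.search(line)
        if not m or int(m["dport"]) != CLOUDFLARED_PORT:
            continue
        findings.append(Finding(m["host"], "flow",
                                f"{m['proto']}/{m['dport']} -> {m['dst']}",
                                "outbound connection to the cloudflared port"))
    return findings


def triage(dns_log: str, flow_log: str, allowlist=frozenset()):
    """Correlate both sources per host.

    A host with both DNS and port-7844 evidence rates "high"; a single source
    rates "medium". Hosts in `allowlist` (sanctioned cloudflared deployments)
    are skipped so that legitimate use does not drown out the findings.
    """
    per_host = defaultdict(list)
    for f in scan_dns(dns_log) + scan_flows(flow_log):
        if f.host not in allowlist:
            per_host[f.host].append(f)
    verdicts = {}
    for host, findings in per_host.items():
        sources = {f.source for f in findings}
        verdicts[host] = "high" if sources == {"dns", "flow"} else "medium"
    return verdicts


if __name__ == "__main__":
    for host, level in sorted(triage(SAMPLE_DNS_LOG, SAMPLE_FLOW_LOG).items()):
        print(f"{host}: {level}")
```

Note that generic Cloudflare names such as cdnjs.cloudflare.com are deliberately not matched: millions of legitimate sites resolve them, so matching on the whole cloudflare.com zone would produce nothing but noise. The TryCloudflare suffix is also worth alerting on by itself, since a quick tunnel has no account owner to hold accountable.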
