Hackers are increasingly exploiting the Cloudflare Tunnels feature to create covert HTTPS connections from compromised devices, bypass firewalls, and maintain long-term persistence. This technique allows threat actors to gain stealthy access to victims’ networks, evade detection, and exfiltrate data. The abuse of Cloudflare’s ‘TryCloudflare’ and ‘Private Networks’ features can also enable attackers to create one-time tunnels and access a range of internal IP addresses remotely. GuidePoint recommends monitoring specific DNS queries and non-standard ports, and tracking file hashes associated with ‘cloudflared’ client releases to detect unauthorized use.
