Cloudflare WARP Abused to Hijack Cloud Services, Cado Security Report Reveals
Cado Security researchers have recently unveiled several campaigns exploiting Cloudflare’s WARP service to attack vulnerable internet-facing services. WARP, a free VPN service designed to optimize user traffic, is being leveraged by attackers to mask their true origins and bypass security measures.
WARP tunnels user traffic through Cloudflare’s global network, obscuring the attacker’s IP address and making it appear as though the attack originated from Cloudflare. This tactic not only hinders attribution but also exploits the implicit trust many organizations place in Cloudflare’s IP ranges.
Cado Security’s report details two prominent attack campaigns utilizing WARP:
- SSWW Cryptojacking Campaign:
The attack begins by creating a container with elevated privileges and host access. The attacker selects an image already available on the host, bypassing the need to download new images. They then create a Docker VND stream to execute commands within the container. The SSWW script is downloaded from the C2 and executed, performing the following tasks:
- Attempts to stop competing miners’ systemd services.
- Exits if the system is already infected by SSWW.
- Disables SELinux.
- Sets up huge pages and enables drop_caches for XMRig optimizations.
- Downloads an XMRig miner with embedded config, saving it as /var/spool/.system.
- Attempts to download and compile a process hider, saving the binary as /usr/lib/libsystemd-shared-165.so and adding it to /etc/ld.so.preload so that it acts as a user-mode rootkit.
- Saves a systemd unit file for running /var/spool/.system and enables it.
Though WARP provides the attacker anonymity, the IPs consistently originate from Cloudflare’s Zagreb, Croatia data center, suggesting the attacker’s scan server is located in Croatia, while the C2 IPs are hosted by a Dutch VPS provider. The primary advantage for the attacker is the anonymity and reduced suspicion of Cloudflare traffic. Misconfigured systems allowing all Cloudflare traffic may have been compromised, though confirmation is not possible without access to all infected hosts.
- Opportunistic SSH Attacks:
A surge in SSH brute-force attacks originating from WARP has been observed, often targeting organizations that have mistakenly whitelisted all Cloudflare IP ranges. These attacks have recently begun exploiting CVE-2024-6387. An attacker could use WARP to exploit this vulnerability, bypassing overly trusting firewalls to attack organizations that would otherwise not expose a vulnerable SSH server.
Cado Security has proactively engaged with Cloudflare to address these emerging threats. The primary threat posed by attackers using Cloudflare’s WARP service lies in the inherent trust administrators may place in Cloudflare traffic and the misguided advice to “allow all Cloudflare IPs.” Ensure your organization has not allowed 104.28.0.0/16 in your firewall. Adopt a defense-in-depth approach, ensure that services like SSH use strong authentication (SSH keys instead of passwords) and are kept up to date, and do not expose Docker to the internet, even if it sits behind a firewall.
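A small audit helper for the firewall check recommended above, added here as an illustration and not taken from Cado's report: it flags allow-rules whose source range overlaps 104.28.0.0/16 (the WARP egress range named in the article) when they expose SSH or Docker ports or all ports. The `allow <cidr> <port|any>` rule syntax and the sample rules are constructed for this example.

```python
"""Flag firewall allow-rules that expose admin services to Cloudflare WARP egress.

Added example, not code from the Cado Security report. The rule format
("allow <cidr> <port|any>") and the sample rules are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Range the article tells administrators to make sure they have not allowed.
WARP_RANGE = ipaddress.ip_network("104.28.0.0/16")

# Services the article says should never trust Cloudflare source IPs.
SENSITIVE_PORTS = {22: "ssh", 2375: "docker", 2376: "docker-tls"}


@dataclass(frozen=True)
class Finding:
    rule: str
    reason: str


def parse_rule(line):
    """Parse one constructed rule; returns (network, port) or None for non-allow rules."""
    action, cidr, port = line.split()
    if action != "allow":
        return None
    net = ipaddress.ip_network(cidr, strict=False)
    return net, (None if port == "any" else int(port))


def audit_allow_rules(rules):
    """Return a Finding for each allow-rule that lets WARP egress reach a sensitive port."""
    findings = []
    for line in rules:
        parsed = parse_rule(line)
        if parsed is None:
            continue
        net, port = parsed
        # A supernet such as a /12 still matches: overlaps() catches rules broader than /16.
        if net.version != 4 or not net.overlaps(WARP_RANGE):
            continue
        if port is None:
            findings.append(Finding(line, "all ports open to WARP egress range"))
        elif port in SENSITIVE_PORTS:
            findings.append(Finding(line, f"{SENSITIVE_PORTS[port]} reachable from WARP egress"))
    return findings


SAMPLE_RULES = [  # constructed sample rule set
    "allow 10.0.0.0/8 any",       # internal range: not flagged
    "allow 104.28.0.0/16 any",    # exactly the range the article warns about
    "allow 104.16.0.0/12 22",     # broad supernet covering WARP, SSH exposed
    "allow 104.28.5.0/24 443",    # HTTPS only: not a sensitive port, not flagged
    "deny 0.0.0.0/0 22",          # deny rules are ignored by the audit
]

if __name__ == "__main__":
    for f in audit_allow_rules(SAMPLE_RULES):
        print(f"{f.rule!r}: {f.reason}")
```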