Hackers Abuse Cloudflare WARP To Hijack Cloud Services

Recently, several campaigns have been observed using Cloudflare’s WARP service to target susceptible internet-facing services.

The primary advantage of utilizing Cloudflare WARP for an attacker is probably the increased anonymity it provides and the decreased suspicion surrounding traffic associated with Cloudflare.

Cloudflare WARP is a VPN that “optimizes” user traffic by utilizing Cloudflare’s international backbone. Since this is a free service, anyone can download and utilize it for personal use. 

In actuality, WARP merely uses a custom WireGuard implementation to tunnel your traffic to the closest Cloudflare data center in an effort to speed up your connection.

“Attacks observed exclusively connect directly to IP addresses rather than Cloudflare’s CDN, with the attacker in control of the transport and application layers. As such, it is not possible to determine the IP of the attackers”, Cado Security researchers shared with Cyber Security News.

Overview Of The SSWW Campaign 

The SSWW campaign is a unique cryptojacking effort that uses Cloudflare WARP to gain initial access and targets exposed Docker instances.

The first attack against Cado’s honeypot infrastructure was discovered on February 21, 2024. The Last-Modified header of the dropped payload dates from the previous day, February 20, 2024.

This was probably the start of the current campaign.

The attack starts by building a container with elevated permissions and host access. The attacker then creates a Docker VND stream to execute commands within the newly built container.

The SSWW script is quite simple and performs setup tasks: it tries to stop competing miners’ systemd services, disables SELinux, exits if the host has already been impacted by the campaign, and activates drop_caches and common XMRig optimizations.

It then downloads an XMRig miner with an embedded config and hides the .system process.

“While using Cloudflare WARP affords the attacker a layer of anonymity, we can see the IPs the attacks originate from are consistently originating from the Cloudflare data centre in Zagreb, Croatia”, researchers said.

Given that Cloudflare WARP would use the closest data center, Croatia appears to be the location of the attacker’s scan server. On the other hand, a VPS provider with headquarters in the Netherlands hosts the C2 IPs.

Researchers said it’s likely that certain improperly configured systems that permit all Cloudflare traffic have been infiltrated as a result of WARP’s anonymity, but without access to all hosts infected by the malware, it is impossible to determine for sure.

Cloudflare has “publicly stated they do not have any mechanism to review historical data to prevent abuse” and does not seem to have a way for users to report attacks using their abuse form.

“A number of SSH campaigns we have seen previously originating from commonly abused VPS providers now appear to have migrated to using Cloudflare WARP”, researchers noted.

Figure: Frequency of SSH hits

The recent CVE-2024-6387 is reportedly being exploited in the wild right now.

An attacker could use this exploit through Cloudflare WARP to target organizations that might not otherwise have their vulnerable SSH server exposed by taking advantage of excessively trusting firewalls.

Recommendation

  • Make sure that 104.28.0.0/16 is not blocked in your firewall.
  • Adopt a defense-in-depth strategy and make sure services like SSH are up to date and have robust authentication.
  • Do not expose Docker to the internet, even if it is behind a firewall.
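
One way to check a Linux host for the excessively trusting firewall rules described above, as an added example that is not from the article or from Cado Security: it scans `iptables-save` output for ACCEPT rules whose source is unrestricted or overlaps the WARP range 104.28.0.0/16 and that reach SSH or the Docker API. The sample rules are constructed, and the port numbers (22, 2375, 2376) are assumed defaults.

```python
import ipaddress
import shlex

WARP_RANGE = ipaddress.ip_network("104.28.0.0/16")  # range named in the article
# Assumption: default ports for SSH and the Docker API (plain and TLS).
SENSITIVE_PORTS = {22: "ssh", 2375: "docker-api", 2376: "docker-api-tls"}

# Constructed iptables-save excerpt, not taken from any real host.
SAMPLE_RULES = """\
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 104.16.0.0/12 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2375 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 104.28.0.0/16 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 104.28.7.0/24 -j ACCEPT
COMMIT
"""

def opt(tokens, *flags):
    """Return the argument following the first of `flags` present, else None."""
    found = [tokens[tokens.index(f) + 1] for f in flags if f in tokens]
    return found[0] if found else None

def parse_ports(spec):
    """Expand '22', '2375:2376' or '22,2375' into a set of port numbers."""
    bounds = (part.partition(":") for part in spec.split(","))
    return {p for lo, _, hi in bounds for p in range(int(lo), int(hi or lo) + 1)}

def audit(rules_text):
    """Flag ACCEPT rules that let WARP-sourced traffic reach SSH or Docker.
    Rule order and negated ('!') matches are not evaluated."""
    findings = []
    for line in rules_text.splitlines():
        tokens = shlex.split(line)
        state = opt(tokens, "--ctstate") or "NEW"
        if (tokens[:2] != ["-A", "INPUT"] or "!" in tokens
                or opt(tokens, "-j") != "ACCEPT" or opt(tokens, "-i") == "lo"
                or "NEW" not in state.split(",")):
            continue  # not a plain rule that admits new inbound connections
        source = ipaddress.ip_network(opt(tokens, "-s") or "0.0.0.0/0", strict=False)
        dports = opt(tokens, "--dport", "--dports")
        # A rule with no port match accepts every port, sensitive ones included.
        ports = parse_ports(dports) if dports else set(SENSITIVE_PORTS)
        exposed = sorted(SENSITIVE_PORTS[p] for p in ports.intersection(SENSITIVE_PORTS))
        if exposed and source.overlaps(WARP_RANGE):
            findings.append((line, exposed))
    return findings
```

Calling `audit(SAMPLE_RULES)` returns three findings: the broad allow for SSH, the unrestricted Docker API rule, and the WARP-sourced rule with no port restriction.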
