Recently, several malicious campaigns have been observed leveraging Cloudflare WARP to exploit vulnerable internet-facing services. Cloudflare WARP, a VPN that optimizes user traffic through Cloudflare’s global backbone, provides attackers with increased anonymity and reduced suspicion due to its association with legitimate Cloudflare traffic. Utilizing a custom WireGuard implementation, WARP tunnels traffic to the nearest Cloudflare data center, ostensibly to enhance connection speeds.

Cloudflare WARP’s Role in Recent Attacks

According to Cado Security researchers, these attacks exclusively connect directly to IP addresses rather than using Cloudflare’s CDN. This method, controlled by the attacker at both the transport and application layers, makes identifying the attackers’ IP addresses impossible. One notable campaign, dubbed SSWW, is a unique cryptojacking effort targeting exposed Docker services.

Details of the SSWW Campaign

The SSWW campaign gains initial access via Cloudflare WARP. The first attack on Cado’s honeypot infrastructure was detected on February 21, 2024, with payload timestamps indicating activity began on February 20, 2024. Attackers create a Docker container with elevated permissions and host access, then execute commands within this container using a Docker VND stream.

Technical Breakdown of the Attack

The SSWW script performs setup tasks, such as stopping competing miners’ services, disabling SELinux, and optimizing XMRig miner performance. The attack downloads an XMRig miner with embedded configuration and hides it as a .system process.

Anonymity and Tracing the Attackers

Despite Cloudflare WARP providing a layer of anonymity, researchers have traced attack origins consistently to Cloudflare’s data center in Zagreb, Croatia, suggesting the attacker’s scan server location. However, the C2 IPs are hosted by a VPS provider in the Netherlands. Researchers speculate that misconfigured systems allowing all Cloudflare traffic have been compromised, but without access to all infected hosts, definitive conclusions remain elusive.

Challenges in Preventing Abuse

Cloudflare has stated they lack mechanisms to review historical data to prevent abuse and do not offer a way to report attacks using their abuse form. Notably, prior SSH campaigns originating from commonly abused VPS providers now appear to utilize Cloudflare WARP.

Current Exploits and Vulnerabilities

The latest CVE-2024-6387 is actively exploited in the wild, enabling attackers to target organizations through excessively trusting firewalls.

Recommendations for Mitigation

1. Ensure that the IP range 104.28.0.0/16 is not blocked in your firewall.
2. Adopt a defense-in-depth strategy, keeping services like SSH up to date and using robust authentication methods.
3. Avoid exposing Docker to the internet, even if it is behind a firewall.

By understanding and mitigating the risks associated with Cloudflare WARP, organizations can better protect their internet-facing services from sophisticated cyber threats.