Headline
Russia's 'BlueAlpha' APT Hides in Cloudflare Tunnels
Cloudflare Tunnels is just the latest legitimate cloud service that cybercriminals and state-sponsored threat actors are abusing to hide their tracks.
Source: Classic Image via Alamy Stock Photo
NEWS BRIEF
BlueAlpha, a Russian state-sponsored advanced persistent threat (APT) group, has recently evolved its malware delivery chain to abuse Cloudflare Tunnels — with the goal of ultimately infecting victims with its proprietary GammaDrop malware.
Cloudflare Tunnels is, as its name suggests, a secure tunneling software. It can be used to connect resources to Cloudflare’s network without using a publicly routable IP address, with the goal of protecting Web servers and applications from distributed denial-of-service (DDoS) and other direct cyberattacks, by hiding their origins.
Unfortunately, this obfuscation mechanism, like other legitimate cloud tools, can also be used by the likes of BlueAlpha, which uses Cloudflare Tunnels to conceal its GammaDrop staging infrastructure from traditional network detection mechanisms, according to Recorded Future’s Insikt Group.
“Cloudflare offers the tunneling service for free with the use of the TryCloudflare tool,” according to an analysis published this week from Insikt. “The tool allows anyone to create a tunnel using a randomly generated subdomain of trycloudflare.com and have all requests to that subdomain proxied through the Cloudflare network to the Web server running on that host.”
The APT then uses the concealed infrastructure to mount HTML smuggling attacks that bypass email security systems, along with employing DNS fast-fluxing, which makes it more difficult to disrupt BlueAlpha’s command-and-control (C2) communications, Insikt Group researchers noted — and in the end, deliver the GammaDrop malware, which enables data exfiltration, credential theft, and backdoor access to networks.
BlueAlpha, which shares DNA with other Russian threat groups like Trident Ursa, Gamaredon, Shuckworm, and Hive0051, first emerged in 2014, and has lately targeted Ukrainian organizations via spearphishing campaigns. The APT has used the custom VBScript malware GammaLoad since at least October 2023.
To protect against such attacks, Insikt Group recommended several mitigations, including:
Beef up email security to block HTML smuggling techniques
Flag attachments with suspicious HTML events
Use application control policies to block malicious use of mshta.exe and untrusted .lnk files
Set up network rules to flag requests to trycloudflare.com subdomains
About the Author
Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.