Two reasons I conducted this research. Firstly, because we saw its use in the wild after exploitation occurred. Second, because it poses a significant risk for data exfiltration.
Many tools can be used for this effect, but the fact that the configuration can be easily modified attacker-side through the cloudflare dashboard, and only the token for the tunnel is exposed "client" - side poses a serious challenge for defenders, especially IR teams conducting post-breach forensics.
Many tools can be used for this effect, but the fact that the configuration can be easily modified attacker-side through the cloudflare dashboard, and only the token for the tunnel is exposed "client" - side poses a serious challenge for defenders, especially IR teams conducting post-breach forensics.