peanut-walrus ·88 days ago
The times when malicious software was served from a sketchy .ru domain or a naked IP address located at some bullet-proof hosting provider are long gone. The threat actors use the same infra as everyone else - GCP, AWS, Azure, Cloudflare, etc.
They also use the same VPNs for connecting to your machines as your grandparents do for watching Netflix.
The internet as a whole is slowly but steadily moving towards a model where IP addresses and domain names are not useful indicators for security. You cannot block your users from visiting Cloudflare or AWS IP ranges, and you cannot block visitors to your site from major commercial VPN providers.
In addition, all the traffic is encrypted and name lookups are encrypted, so a network operator cannot tell anything about what you are doing on the internet.
This is a good thing for multiple reasons. First, it improves privacy and anonymity for internet users. Second, reducing the effectiveness of network security solutions will allow us to phase out their usage, which makes the network dumb again and prevents ossification. And third, it forces us to tackle the underlying security issues, rather than supporting a whole industry of ineffective whack-a-mole.
PhilipRoman ·88 days ago
Getting a bit tired of these headlines about malware "delivery" via link shorteners or similar. Yeah, guess what - people can host files on the internet in various ways, what a shocker.
neodymiumphish ·88 days ago
I actually wrote about malicious use of this very tool a year ago[0] (almost to the day). The only thing new here seems to be what they're doing through the tunnels, and the apparent success they're having with this method for it to increase as a proportion of their overall attack techniques.
TryCloudflare, IMO, is the real problem here. It doesn't require an account at all, so attribution becomes nearly impossible.
0: https://www.guidepointsecurity.com/blog/tunnel-vision-cloudf...
lemax ·88 days ago
Isn't this what happens to every free quick tunnel product? Was kinda just waiting for this to play out. ngrok had nice zero-friction tunneling when it came out, but then they had to put everything behind a sign-up flow due to the same sort of abuse.
sebstefan ·88 days ago
This isn't newsworthy.