Cloudflare making headlines again, probably not the way it would prefer. From @dangoodin at Ars:

A familiar debate is once again surrounding Cloudflare, the content delivery network that provides a free service that protects websites from being taken down in denial-of-service attacks by masking their hosts: Is Cloudflare a bastion of free speech or an enabler of spam, malware delivery, harassment and the very DDoS attacks it claims to block?

arstechnica.com/security/2024/

Meanwhile, from Proofpoint:

Proofpoint is tracking a cluster of cybercriminal threat activity leveraging Cloudflare Tunnels to deliver malware. Specifically, the activity abuses the TryCloudflare feature that allows an attacker to create a one-time tunnel without creating an account. Tunnels are a way to remotely access data and resources that are not on the local network, like using a virtual private network (VPN) or secure shell (SSH) protocol.

First observed in February 2024, the cluster increased activity in May through July, with most campaigns leading to Xworm, a remote access trojan (RAT), in recent months.

Campaign message volumes range from hundreds to tens of thousands of messages impacting dozens to thousands of organizations globally. In addition to English, researchers observed French, Spanish, and German language lures. Xworm, AsyncRAT, and VenomRAT campaigns are often higher volume than campaigns delivering Remcos or GuLoader. Lure themes vary, but typically include business-relevant topics like invoices, document requests, package deliveries, and taxes.

proofpoint.com/us/blog/threat-

For what it's worth, I've always been confused by Cloudflare's official position on abuse, which is that they are not a hosting provider, but rather a pass-through, so it's not up to them to be arbiters of what's fine and not so fine.

But if you think about it, by that definition Cloudflare is the world's largest proxy network. Probably they don't use this term to describe their business because proxy providers are -- at least historically -- somewhat strongly associated with abuse.

Either way, if Cloudflare decides to stop proxying traffic for a particular customer, they are not being arbiters of free speech, as the CEO constantly claims, because that customer's site will still be reachable. It simply won't enjoy the protection from DDoS attacks that Cloudflare offers for free.

Underneath all of these concerns, a lot of people in the security industry seem to believe that if Cloudflare were to somehow start clamping down on the rampant abuse of their services for cybercrime, then those bad actors will just move to someplace else where Western law enforcement and intelligence agencies have less visibility, like Russia's DDoS-Guard. That may be. But I say let's burn that bridge when we come to it.

@briankrebs I'm more concerned about Cloudflare being an effective MITM for HTTPS traffic.

Perhaps related to your concern, Cloudflare can't be an effective MITM if they reject the very sites which are most interesting for agencies requesting information (cloudflare.com/transparency/).
