{
	"id": "c9525d80-6ab8-40a1-8af7-10c15ef60234",
	"created_at": "2026-04-06T00:21:32.728639Z",
	"updated_at": "2026-04-10T03:21:18.41974Z",
	"deleted_at": null,
	"sha1_hash": "a472359f0c74fe331c7a8b2b572e5ac68371aec3",
	"title": "How Cybercriminals Abuse Cloud Tunneling Services",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5174815,
	"plain_text": "How Cybercriminals Abuse Cloud Tunneling Services\r\nArchived: 2026-04-05 13:37:44 UTC\r\nBy Ryan Flores, Stephen Hilt, Lord Remorin\r\nCloud tunneling services, which allow users to expose internal systems from their homes or businesses to the internet by\r\nrelaying the traffic through cloud-based systems, have grown in use over the past few years. Unfortunately, as with any kind\r\nof service that helps developers and infrastructure administrators, cybercriminals have been abusing these services for\r\nvarious illicit operations.\r\nLegitimate cloud tunneling services are beneficial to a wide range of people, from home users to large-enterprise employees.\r\nThey are also commonly used to help developers test and deploy code, and to share services with select people and groups\r\non the internet. The use cases for these services range from small-scale, such as playing local games with friends, to\r\nindustrial-scale, including testing out large systems on the internet before pushing the code to production. Malicious actors,\r\non the other hand, have their own method of using these services: They employ cloud tunneling to mask their real locations\r\nas well as for short-lived purposes, so they do not deploy permanent online infrastructure. \r\nIn this article, we describe the legitimate uses of cloud tunneling services for enterprises and contrast them with how\r\ncybercriminals abuse these services. We also delve into security implementations intended to help users completely block\r\ncloud tunneling, or as an alternative, since some might be using these services, to best gauge and monitor the potential risk\r\nthat using cloud tunneling services could bring. 
We also take a look at defense strategies that involve the detection of both\r\nauthorized and unauthorized use of cloud tunneling services, including any potential attempt to bypass corporate restrictions\r\nby cybercriminals or rogue employees.\r\n01 An Overview of Cloud Tunneling Services\r\n02 Testing Methodology\r\n03 Possible Malicious Uses of ngrok and Other Cloud Tunneling Services\r\n04 Defense Measures\r\n05 Conclusion\r\n06 Appendix\r\nAn Overview of Cloud Tunneling Services\r\nA tunneling service is used to expose a service through a cloud system so as to obscure the original source, whether for short\r\nor long periods. This is done typically because the service is behind a security system or the user wants to limit who has\r\naccess to the original source. A tunneling service is a useful tool for users who want to expose only a specific portion of the\r\nservice online. The use of tunneling is not limited to large systems in a corporate environment; it can also be used in smaller,\r\nmore personal projects. During our research into tunneling systems, we observed them being implemented in a variety of online\r\nsystems, including login pages, security tools, chat platforms, video recording systems — such as IP cameras, network video\r\nrecorders (NVRs), and video management systems (VMSs) — and even game servers.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services\r\nPage 1 of 25\n\nBefore we discuss how cloud tunneling services are being used for malicious purposes, we must first understand how these\r\nservices are used legitimately within the network. The primary benefit of cloud tunneling services is as a user-friendly tool\r\nfor exposing services to the internet. 
With these services, users can quickly deploy local development services online while\r\navoiding the hassle of configuring firewalls and registering domain names.\r\nA developer who needs to test their web applications online can simply run their service and configure a tunnel to\r\ncircumvent any firewall configuration — even when the development server is running behind network address translation\r\n(NAT). We have seen a popular cloud tunneling service, ngrok, being used to expose the staging environment of a\r\nBroadVoice service used for VoIP applications. In this scenario, a tunnel enables the development team to\r\nsafely perform third-party integration testing and provides the team the ability to sort out any issues before deploying the\r\napp or service into production.\r\nUsing a tunnel can be very convenient for a home user who either is anxious about modifying the port forwarding rules on\r\ntheir router or has restricted access to their router’s configuration because of internet service provider limitations. The user\r\ncan install the service they want to run and simply use a tunnel application for clients to connect through the internet. Some\r\nservices even suggest using tunnels in their tutorials. For example, Rocket.Chat’s installation guide on\r\nGitHub suggests using ngrok as an option for sharing the chat server online.\r\nFigure 1. Rocket.Chat’s installation guide suggesting the use of ngrok\r\nIn addition to chat platforms, we have also seen ngrok being used for home automation applications like Home Assistant,\r\nHomebridge, and OpenHAB. 
For DIY users who want to install video monitoring or surveillance in their homes, Blue Iris is\r\na popular choice among VMS applications and provides tutorials on its forum on how to use ngrok to easily access its web\r\nportal and perform monitoring away from the home network.\r\nFigure 2. Screenshots of the login pages of Home Assistant (top) and Blue Iris (bottom)\r\nAside from developers and home users, we have also seen ngrok being used by e-commerce businesses in some parts of\r\nAsia. A good example of this is the web panel for administrative access for coin-operated Wi-Fi network access in the\r\nPhilippines. In this example, the machines act as a gateway for selling internet access via Wi-Fi that is paid by the minute.\r\nThe management of these machines can be done locally, but since it involves managing multiple machines from various\r\nlocations, administrators can simplify this by using tunneling services for access.\r\nFigure 3. A screenshot of the web panel for coin-operated Wi-Fi access\r\nYet another use of ngrok we have commonly observed is for hosting local game servers on the internet. Games that have\r\nlocally hosted servers, like Minecraft and Foundry Virtual Tabletop, frequently popped up while we were investigating\r\nngrok traffic. Employees can deploy local game servers from their home networks and host them on ngrok to be accessed on\r\na corporate network. 
For organizations that restrict access to gaming servers, it is an added challenge to identify gaming-related network traffic.\r\nFigure 4. Servers for Minecraft (top) and Foundry Virtual Tabletop (bottom) hosted on ngrok\r\nTesting Methodology\r\nWhile looking at a few cloud tunneling services, we determined that the primary application we would focus on would be\r\nngrok because of its overwhelmingly large market share that emerged in our datasets, roughly 99% of the\r\nHTTP traffic of cloud tunneling services. The other cloud tunneling services we considered were localhost.run, PageKite, Localtunnel, Serveo, and Packetriot. While these\r\nservices could be used by malicious actors in the same manner, this paper focuses on ngrok as our use case.\r\nFigure 5. The distribution of HTTP traffic for cloud tunneling services based on our datasets in 2021 (in terms of how many\r\ntimes data was sent over HTTP)\r\nFigure 6. An overview of how ngrok works\r\nNot all of the services use the same back-end implementation, but the concepts of how they operate are the same. For ngrok,\r\nthe user downloads a binary for Windows, macOS, or Linux.\r\nThe ngrok platform offers three account levels:\r\nFree use that does not require an account\r\nA free account with limited features\r\nA paid account with extra features that can cost up to US$25 a month\r\nInitially, we chose a free account and went right to setting it up. 
After downloading the binary, we needed an authtoken to\r\nhave access to more features.\r\nFigure 7. A screenshot of the ngrok website\r\nTo test the application, we set up a Rocket.Chat server and pointed ngrok to port 3000, which is the port we used for our\r\nRocket.Chat install.\r\nFigure 8. Building the tunnel up with the ngrok command\r\nThe way ngrok works is based on the type of account, and whether the TCP or HTTP options are being used. When we\r\nstarted this research using the ngrok HTTP URLs, we included the computed subdomain to ngrok.io in the URL to point the\r\nbrowser to the HTTP-type connections.\r\nBased on our observations, the subdomain contained 12 characters, either with or without hyphens based on when it was\r\ngenerated. A newer generated subdomain contains hyphens (specifically, separating the IP address of the machine that is\r\nrunning ngrok) and starts with a 4-byte hex word. On a higher-tier paid account, the user can use a custom subdomain that\r\ncan contain, for example, their organization’s name or another important aspect of the company or service they are trying to\r\nexpose. If the user is not careful, they could expose their internet point of presence to an attacker. At the same time, an\r\nattacker could also have their real IP address exposed.\r\nAn attacker could perform some basic open-source intelligence (OSINT) to find the target domain. Examples of this include\r\nsearching GitHub for code that might point to cloud tunneling services and using the search strings “site:victim.com” and\r\n“ngrok.io” on Google. Furthermore, if the TCP option is in use, instead of the 12-character subdomain, the host number\r\nappears as the subdomain along with a randomly assigned port. 
An example of this would be 4[.]tcp.ngrok.io:10667.\r\nFigure 9. A Rocket.Chat example used for testing purposes\r\nAs expected, the service was exposed and a user could log in and use the system as if locally connected. Based on some\r\ntesting, we discovered that the system running the ngrok tunneling service would communicate only with ngrok’s servers via\r\nan encrypted SSL tunnel over port 443, while the client machine would interact with the URL that was provided.\r\nInterestingly, ngrok provides an HTTPS option using a valid certificate that is wild-carded for *.ngrok.io.\r\nFigure 10. A screenshot of the certificate information used by ngrok.io for HTTPS\r\nOne characteristic we discovered while looking into how the ngrok service works was that it is persistent in trying to build\r\nthe tunnel from the machine running ngrok. It first tries to connect to tunnel.REGION.ngrok.com, and if that fails, it tries to\r\nconnect to equinox.io to look for an update. It then tries to connect to dns.google.com to look up ngrok.com’s IP addresses\r\nand, finally, if that fails, it pulls a JSON file from s3.amazonaws.com, hosted on Amazon Simple Storage Service (S3).\r\nFigure 11. A screenshot of dns.google.com looking up tunnel.us.ngrok.com\r\nFigure 12. A JSON file hosted on an Amazon S3 bucket with the IP addresses of tunnel.REGION.ngrok.com\r\nFigure 13. 
A diagram of how ngrok tunnels are built and how clients interact with them\r\nPossible Malicious Uses of ngrok and Other Cloud Tunneling Services\r\nAs with any other online platform, malicious actors could take advantage of ngrok and other cloud tunneling services, and\r\nuse them for malicious purposes. Services like ngrok and Tor could be used by cybercriminals to hide their true IP addresses.\r\nHowever, the difference between ngrok and Tor is that services tunneled through ngrok are still accessible via the regular\r\ninternet while services tunneled through Tor can be accessed only through Tor. This can be a deciding factor for a\r\ncybercriminal when choosing between the two, as they might prefer the wider reach of ngrok over a service that can be\r\naccessed only via Tor.\r\nDuring our research, we categorized cloud tunneling service abuse into two malicious use cases: internal threats and external\r\nthreats. Internal threats are attacks where cloud tunneling services are unknowingly used on an infected endpoint or network\r\nto expose internal services like SMB, FTP, and HTTP, while external threats are the more typical cyberattacks such as\r\nphishing, drive-by download, and malware command-and-control (C\u0026C) communication through the cloud tunnel network.\r\nAspect | Internal threats | External threats\r\nAttacker already present in target machine or network | Yes | No\r\nCloud tunneling service binary execution | Server is running in a machine on corporate network | Server is running remotely\r\nPossible tactics, techniques, and procedures (TTPs) | Lateral movement; data exfiltration | Malware file hosting; malware C\u0026C server; phishing scams; exploit kits\r\nTable 1. 
A comparison of internal and external cloud tunneling service threats\r\nInternal Threats\r\nA cloud tunneling service could be used maliciously on a target machine or network to unknowingly expose nonpublic\r\nservices to the internet. These services could be anything that is accessible from the machine the cloud tunneling service is\r\nexecuted on, such as internal web applications, database servers, and file-sharing services.\r\nCybercriminals and insider threats such as rogue employees could easily expose company-restricted services that are meant\r\nto be accessible only on the intranet without having to deal with router configurations. Attackers with access to\r\ncompromised servers could also host services like web servers and malware C\u0026C servers for nefarious activities.\r\nIn July 2020, we discovered an attack that exposed an SMB port using ngrok. After exposing the service,\r\nthe attacker used tools like SmbExec to run a local Windows shell on the infected machine, and then downloaded and\r\nexecuted a keylogger. This incident shows that a legitimate application used for tunneling services could be misused. 
And\r\nsince the network traffic while establishing a tunnel to ngrok’s servers is normally seen on DevOps networks, a malicious\r\nactor could mask its network activity and avoid having it flagged as malicious.\r\nThe data exfiltration capabilities of ngrok include a built-in feature to host a local directory straight to the internet without starting a file-hosting service on the affected machine.\r\nExternal Threats\r\nWhile we have seen cloud tunneling services being used to bypass the firewall rules set up by network administrators to\r\nexpose internal services, a far more common use of the service by cybercriminals is for malware traffic or for hosting\r\nphishing websites. For malicious actors using malware that requires communicating back to a C\u0026C server, using cloud\r\ntunneling services could be advantageous because of the ease with which users can set up infrastructure. In addition,\r\nmalicious actors using paid plans could also hide their true IP addresses via custom reserved subdomains. Thus, they could\r\navoid registering domains and setting up SSL certificates, which, if not done properly, could lead to identity exposure\r\nthrough an OSINT investigation.\r\nTutorials on sites like YouTube and GitHub also contribute to the growing popularity of cloud tunneling services for\r\nexposing services to the internet. There are a good number of tutorials on YouTube that show cloud tunneling services being\r\nused for malicious purposes, such as setting up a remote administration tool (RAT) C\u0026C server or an HTTP server for\r\nhosting a phishing page. 
We believe that these tutorials cater to the more entry-level cybercriminals who are looking to\r\ndeploy RATs for their own use.\r\nAs of this research, the most common malicious use of cloud tunneling services is for setting up phishing pages and\r\nmalware C\u0026C servers. We discuss these further in the following subsections. It is important to note, however, that these are\r\njust the most common and there are other malicious use cases, such as using ngrok for hosting malware binaries or exploit\r\nkits.\r\nOne example of ngrok’s being used in an attack occurred in 2019, when the threat actors behind the Lord Exploit Kit (not connected with one of the authors of this research) used the service to host its web server. Initially, they used\r\nit to deliver the njRAT malware, before eventually expanding its use to the distribution of the Eris ransomware. During this campaign, the random generation of subdomains by ngrok became an advantage\r\nto the threat actors running the exploit kit.\r\nPhishing\r\nPenetration-testing tools such as SocialFish have integrated cloud tunneling services into their phishing\r\ntoolkits (specifically, version 2 for SocialFish, which, unlike the latest versions, has ngrok integrated). With such toolkits,\r\npenetration testers and red teamers, as well as cybercriminals, could not only create phishing pages with just a few\r\nkeystrokes, but also generate working cloud tunneling service URLs that could be immediately sent out via email, chat apps,\r\nand a variety of other methods. This makes it very convenient for would-be phishers, as they would not\r\neven need to register any domain name, deal with any web hosting service, or go through the trouble of hacking web servers\r\nand hosting the phishing page there.\r\nFigure 14. 
The SocialFish website offering an older version with ngrok integrated\r\nThe most popular phishing kits we found were targeting users of Instagram, Facebook, Bank of America, Gmail, PayPal,\r\nNetflix, and Dropbox. We also found phishing kits for ANZ, Bank of Colombia, Chase Bank, and Banco de la Nación\r\nArgentina. However, the latter phishing kits were smaller in volume than the former group.\r\nFigure 15. The open directories of phishing pages targeting users of Adobe (top) and AOL (bottom)\r\nFigure 16. A sample Instagram phishing page found in ngrok URLs\r\nFigure 17. The distribution of phishing kits according to volume (in terms of how many times data was sent over HTTP)\r\nNormally, phishing kits abuse web hosting services or are hosted on compromised sites and typo-squatting sites. Tunneling\r\nservices have been gaining popularity among malicious actors since they provide a convenient alternative for hosting\r\nphishing pages.\r\nOne reason phishing pages that use cloud tunneling services could be dangerously deceptive is that if a user is sent, say, an\r\nngrok-based phishing URL, there is a high chance that the recipient would assume that it is a legitimate site, since they can\r\nvisit the HTTPS version and get a valid signature from ngrok.\r\nOver the years, people have been trained to view the lock icon in their browsers as a guarantee that the websites they are\r\nvisiting are secure. 
In this case, there is a valid certificate for the domain, which in turn might lead to higher victim counts\r\nfor a phishing campaign. Furthermore, if they are using a paid ngrok subscription, for example, attackers could use a\r\nsubdomain similar to the one they are mimicking to add authenticity to their phishing campaign.\r\nFigure 18. A comparison of a legitimate page (left) and a phishing page (right) for PayTickr logins\r\nMalware Command-and-Control Servers\r\nIn the cybercriminal underground, there is plenty of discussion surrounding cloud tunneling services, particularly ngrok, and\r\nhow they could be abused for malicious purposes. When we started this research, we browsed underground forums and\r\nfound plenty of examples, from developing or hosting malware to tutorials on making phishing sites using cloud tunneling\r\nservices.\r\nFigure 19. A screenshot from a thread on Hack Forums on how to install the DarkComet RAT using ngrok\r\nFigure 20. A screenshot from a discussion on ngrok and phishing\r\nThe discussions in the underground match what we have observed as the main form of abuse of cloud tunneling services,\r\nsuch as for phishing and for tracking avoidance. Cybercriminals are paying attention to cloud tunneling services as they\r\nattempt to hide themselves from their victims by tunneling communications through the services’ systems.\r\nMalicious actors could hide their true identities by not exposing any IP addresses or domain name registrations. By using\r\ncloud tunneling services, they could make the network traffic of their malware look as though it were being used for\r\nlegitimate purposes, making it seem that the target’s network is communicating with clean IP addresses and domains. 
For\r\nthis reason, we have seen an increase in commodity malware families (which are commonly used by entry-level\r\ncybercriminals) that use cloud tunneling services to expose their C\u0026C servers. One popular example is DarkComet, which has had C\u0026C servers hiding behind ngrok’s network.\r\nFigure 21. DarkComet being hosted on one of ngrok’s TCP ports\r\nThe use of ngrok with malware has been rising since 2020. From Jan. 1 to Dec. 31, 2021, we found nearly 16,000 unique\r\nmalware samples that used ngrok to route C\u0026C traffic. Malware families such as DarkComet, AsyncRAT, NanoCore, and\r\nseveral keylogger families were among the most recurring samples we found that used ngrok, with njRAT as the top\r\nmalware family. The reason these specific malware families have been commonly used is that they are easily downloadable\r\nand the instructions on how to configure them are widely available.\r\nFigure 22. A comparison of the numbers of malware files using ngrok from 2016 to 2021\r\nFigure 23. The distribution of malware families using ngrok as part of their routines in 2021\r\nFigure 24. An njRAT configuration containing ngrok TCP tunnels as C\u0026C host\r\nPenetration testers also take advantage of services like ngrok to prevent being detected on the network, whether through\r\nhosting malware or using it as a C\u0026C server. 
It is not just commodity malware families (like the ones mentioned in the\r\nprevious paragraph) that use such services; penetration-testing tools commonly used by both penetration testers and\r\ncybercriminals, such as Cobalt Strike and Meterpreter binaries, do as well.\r\nDefense Measures\r\nAs with any tool or service that could be exploited for malicious purposes, ngrok and other cloud tunneling services have\r\ntheir own set of advantages and disadvantages. In their case, the advantages stem from the afforded convenience of setting\r\nup a private server and hosting it on the internet. But this convenience is a double-edged sword since it could also be\r\nbeneficial to attackers who want to integrate these services into their schemes.\r\nIn this section, we list several defense measures network administrators can implement to prevent the abuse of ngrok and\r\nother cloud tunneling services on their networks.\r\nManaging the Access of Certain Users to Cloud Tunneling Services\r\nFor some businesses that have cloud tunneling services as an essential part of their operations, access should be limited only\r\nto users who need these services. Doing this can prevent attackers who gain access to the network from using the services\r\nfor C\u0026C, data exfiltration, or other malicious purposes. Employees with access to these tunneling services should be\r\nregularly checked and logged for access to these services to ensure that their access is being used for approved purposes as\r\ndefined by the organization.\r\nWith unlimited access, network administrators could often be blindsided as to what services are exposed since almost\r\nanyone from the company can simply start a tunnel to access systems that are meant to be accessed only from internal\r\nnetworks. 
For large organizations, it might be better from a security standpoint to prevent employees from using cloud\r\ntunneling to expose services to the internet, and to use a virtual private network (VPN) instead to connect to the intranet.\r\nCreating Application Filters\r\nStopping the installation of specific binaries for cloud tunnels and adding alerts when they are present on a machine can help\r\nminimize the risk of unintended use of these services on the network.\r\nPreventing the Creation of Tunnels Using Cloud Tunneling Services’ IP Addresses\r\nNetwork administrators can block the SSL handshake to prevent establishing a secured tunnel between a host machine and a\r\ncloud tunneling service’s server. In the case of ngrok, this can also be accomplished by blocking all connections going to\r\nngrok’s IP addresses listed in the JSON file hosted on Amazon S3. A Bash command can be executed to\r\nlist all of the IP addresses associated with ngrok that are being used to establish a tunnel, and another to create firewall rules\r\nfor dropping outgoing connections to ngrok tunnels.\r\nFigure 25. The Bash command to list all IP addresses associated with ngrok that are being used to establish a tunnel\r\nFigure 26. The Bash command to create firewall rules for dropping outgoing connections to ngrok tunnels\r\nSince ngrok implements multiple methods of resolving the IP address of a tunnel, blocking the IP addresses can prove more\r\neffective at preventing the successful creation of a secured tunnel. The list of IP addresses changes over time and thus should\r\nbe checked regularly to be able to block them while minimizing the interruption of other services that might be hosted on\r\nthese IP addresses.\r\nFigure 27. 
IP addresses used by ngrok\r\nCreating Alerts for or Blocking External Threats Using Cloud Tunneling Services\r\nAs discussed earlier, phishing kits and C\u0026C servers could be tunneled through services like ngrok. The risk of a successful\r\nphishing attempt or malware communication can be reduced by preventing network traffic (HTTP and TCP connections)\r\ncoming from cloud tunneling services. In ngrok’s case, this can be achieved by creating alerts for or blocking the following:\r\nDNS requests to *.ngrok.io (see Appendix for Snort rules)\r\nHTTPS TLS connections going to *.ngrok.io\r\nRegularly Monitoring for Updates to Exposed Services\r\nThe fact that a service is hosted on the internet, regardless of whether it was port-forwarded through the router or via cloud\r\ntunnels, could increase the attack footprint of an organization. For example, although ngrok’s ability to generate random\r\nsubdomains to tunnel web servers (HTTP and HTTPS) can help prevent attackers from blindly guessing the information of\r\ntheir victims, this might not be the case if the webpage is permanently hosted and the user decides to reserve a fixed\r\nsubdomain for use. Developers who are testing web servers that are integrated into an application (such as an Android APK\r\nfile or a Windows application) typically use fixed subdomains to avoid the hassle of recompiling just to test the new servers.\r\nThe same goes for TCP tunnels with ngrok. Even though ngrok provides a random tunnel and random port to use for free,\r\nthe tunnel and port number are limited in range. Thus, an attacker could simply scan the tunnels with a specified range of\r\nports to identify the services that are running behind ngrok.\r\nKeeping everything updated reduces the attack surface that cybercriminals could exploit. 
This also applies to home users,\r\nincluding gamers who use cloud tunneling services to expose game servers.\r\nBest Practices Against ngrok Abuse\r\nWe contacted ngrok to let the platform know of our findings from this research. In response, ngrok stated that it applies “a\r\nmulti-pronged strategy of real-time monitoring, account monitoring, and third-party reporting to detect, isolate, and remove\r\nmalicious content from our service as quickly as possible.”\r\nTo prevent malicious activities that abuse its platform, ngrok has implemented certain security enhancements, which have been available on versions 2 and 3 of ngrok since April 13, 2022, to users with paid accounts. One of these\r\nis its disabling of users’ ability to serve HTML content anonymously, that is, all users must register with a confirmed email\r\non file. As an ongoing practice, ngrok also embeds the origin IP address of all free accounts both in the HTTP response headers and in the tunnel URL itself. And because attackers are continuously innovating, ngrok provides an\r\nabuse reporting API to allow trusted third parties to integrate abuse reporting into their own detection\r\nprocesses.\r\nWithin enterprises, ngrok recommends that IT and security personnel block all *.ngrok.io traffic and use custom ingress to create their own named ngrok entry points, such as developername.tunnel.company.com. This eliminates\r\npersonal ngrok accounts from the network while allowing centralized policy management across all connections. 
\r\nOutside enterprises, ngrok recommends that organizations and their security teams use their own domain,\r\nsuch as tunnel.company.com, to standardize URLs across external systems and apply their own TLS certificate to the traffic.\r\nThis creates consistent, predictable naming and makes end-to-end encryption the default. In addition, they can add OAuth\r\n2.0 or OpenID Connect powered by their identity provider to limit ngrok access to authenticated and\r\nauthorized users.\r\nThe ngrok management layer also enables security teams to tune their organizations’ security postures. Ngrok supports IP\r\nrestrictions on any portion of its service — the agent, tunnel access, the dashboard, and even the API — to\r\nlimit access to known good IP ranges. The entire ngrok platform implements observability through event subscriptions to integrate into security information and event management (SIEM) for near-real-time insight across the entire\r\nplatform. Finally, security teams can push over-the-wire updates to keep all ngrok agents synchronized.\r\nConclusion\r\nCloud tunneling services provide users a very convenient way to expose systems, applications, and services to the internet\r\nwithout going through the trouble of configuring routers, firewalls, web hosting, and domain registration. It is no surprise\r\nthat the accessibility they afford appeals to development teams and other users, such as technically inclined gamers and\r\nhome automation enthusiasts.\r\nHowever, new technologies, especially those that involve exposing services and machines to remote access, need to be\r\nscrutinized for potential security implications. While convenient, tunneling services circumvent traditional network security\r\nmechanisms, which might enable rogue or disgruntled employees to open a backdoor into the network. 
Similarly, well-meaning but security-unaware employees might also inadvertently expose critical systems to attackers through unattended\r\ntunnel instances.\r\nMalware and phishing attacks using cloud tunneling services, particularly ngrok, have seen a dramatic increase over the past\r\ntwo years. A disadvantage defenders face with regard to cloud tunneling services is that these services make identifying\r\nmalicious network traffic more difficult for network security teams. Traditional network scanning technologies such as\r\nintrusion detection systems (IDSs) and intrusion prevention systems (IPSs) would not be able to flag malicious C\u0026C\r\ncommunication if encapsulated through cloud tunnels. Incident responders would have a difficult time validating exploit and\r\nphishing pages hosted on cloud tunneling services because of their transient nature.\r\nWhile cloud tunneling services have their place, CIOs, CISOs, and cybersecurity personnel should take into consideration\r\nthe various risks presented by these services and formulate usage policies applicable to their organizations. Some\r\norganizations can outright ban the use of these services, especially in the case of businesses that do not really need them. But\r\nothers, especially those in the middle of digitizing or integrating their systems, might not be able to stop the use of cloud\r\ntunnels without hindering ongoing system development and integration projects.\r\nFor an organization that needs cloud tunnels, a sit-down meeting between the security team and the development team is a\r\nmust. The development team must define the exact use case it has for cloud tunnels and lay out the scope and time frame\r\nwhen these services are to be used. This gives the security team proper context to identify whether specific cloud tunneling\r\ntraffic is valid or not. 
The security team can also suggest alternatives, such as providing a test network where cloud\r\ntunneling traffic can be safely allowed or obtaining paid accounts or subscriptions on cloud tunneling services to enable all\r\navailable security-oriented features.\r\nSecurity works best when all stakeholders understand what is at stake. By highlighting the risks of cloud tunnels and the\r\nactual use and abuse of these services by malicious actors, cybersecurity and software development teams can put the use of\r\ncloud tunnels in their agenda in order to find a suitable arrangement that will minimize risks while allowing the development\r\nteams to continue their work.\r\nAppendix\r\nAnalyzed Malware SHA-256\r\nSHA-256 Malware family Detection name\r\n04c584f7dc1c1fa978f59cc966a0664589e7709a7f79b888614e14ef48309e7d AsyncRAT Backdoor.MSIL.ASYNCRAT.AZ\r\n116a1bf0810fec723298377ec6b57bd5328d74ba5e3397545e86311873f9e677 AsyncRAT Backdoor.MSIL.ASYNCRAT.AZ\r\n22ab0a3460b348696d7df493c57c26240b1f72fc5bc06751dce6c300f371698f AsyncRAT Backdoor.MSIL.ASYNCRAT.AZ\r\n30b7bf839fabec042c362ae8306b7b699911e8e712494a8d5a5a064db4a3a4ed AsyncRAT Backdoor.MSIL.ASYNCRAT.AZ\r\n525c8a4537286abee8f7aa7319d7c65a05452291dee486991f97e06ae3e1332c AsyncRAT Backdoor.MSIL.ASYNCRAT.AZ\r\n949ab25990b3bf6677eea51b09839b2fd36ffea939565f449b9c6d4f3d0c138a AsyncRAT Backdoor.MSIL.ASYNCRAT.AZ\r\n97416fca437cfbe1d5e0a3cdcb7a47db4cbc05e97cfc861868d066f78a76b07d AsyncRAT Backdoor.MSIL.ASYNCRAT.AZ\r\nb5ae89b1f057505f02b7d12f37524acb1b91d11b598dcbdc956f7167dc745fe9 AsyncRAT Backdoor.MSIL.ASYNCRAT.AZ\r\ne2d1ea986b91e056594a326abc4cf9a76f7094ff8528b66e594c6a6ca57a98c7 AsyncRAT Backdoor.MSIL.ASYNCRAT.AZ\r\nf5db1c44a4eb1b56114323c2645ca3e56614e1bedc0a89e70fc912388b7c485c AsyncRAT 
Backdoor.MSIL.ASYNCRAT.AZ\r\n4ebceaccaf39fffdd849815fcc75cf85d8cd3326c83220323e331582790233c6 Cobalt Strike Trojan.Win32.COBALT.SM\r\nc24fad806575b49a6f6f885f3e57c711f319174bcdeedbf70f2cc4aa65bbfc65 Cobalt Strike Trojan.Win32.COBALT.SM\r\nd1963148b49a5e651aca0a78fa848a3a9950f21c0cc586c13eca4eef352bbddb Cobalt Strike Trojan.Win32.COBALT.SM\r\n12b8cb4e6421f2031d619717b0c6d2b4aec205a7270cad493297764970eb5fb7 DarkComet BKDR_FYNLOS.SMM\r\n2d1747b4b841eb10e54300f387e1bb1d10911fde626179c5b4a7b61e1c850b3a DarkComet BKDR_FYNLOS.SMM\r\n35de1d0c1b59bb9099796866c86e7722e273f38d6794ad3e577866d5558dfb80 DarkComet BKDR_FYNLOS.SMM\r\na3fe8799e6d0dc83fb57029e322a8f9c04562a18492c20e098d523c584d0a8a8 DarkComet BKDR_FYNLOS.SMM\r\nad2266bae9999b84ea79c159dfe606cb8f1c30fa2989629042b058ae351f8bf5 DarkComet BKDR_FYNLOS.SMM\r\nc82fe31eb056ba43d7c33295035a23952a51ef5c3b002367d7677eccf8b67cae DarkComet BKDR_FYNLOS.SMM\r\nd1f1eddacc07f799773805c971cd49d23c57c4939a09bd7a8d8aa89e580f2178 DarkComet BKDR_FYNLOS.SMM\r\ne1861f88576a3e310e3feaad7d747425b40510068541d2d4b223c483bf71493c DarkComet BKDR_FYNLOS.SMM\r\ned63fc3c0b01416f9a2126a6ebd82e10e7be526b2035890245027e4b70f4e60c DarkComet BKDR_FYNLOS.SMM\r\nf5893afcb7391969fb3d6e16f908fb5b85341d29f92403e85b4515fea2668293 DarkComet 
BKDR_FYNLOS.SMM\r\n27c881e3ede8be9316f4d08cad7470b3d5d7c01b63c47fb099b5b5503b169fb3 Metasploit Shellcode Backdoor.Win32.SWRORT.SMB\r\n8b6dda7b5c7dbcecc2072f67620194d0def87b7bacca66a2b2010b1c78081419 Metasploit Shellcode Trojan.Win32.METERPRETER.GAJC\r\n9427d2dbe0ae36456656136df394f56ec08381cd6d68d5f12ba126284129e155 Metasploit Shellcode Backdoor.Win32.SWRORT.SMB\r\nc09f1ae3f86cda5b49da24c3c6942c1edc7577644aa602074ac7a9e236b5e84b Metasploit Shellcode Trojan.Win32.METERPRETER.GAJC\r\n460b09da596e354ea9e8207414b9789181a0923ef3c820f6fbf164c2255912db NanoCore BKDR_NOANCOOE.SM\r\n46336387c7356587d94318b1f439ee1c47654bf0ac84c534758996a2f4fbf666 NanoCore BKDR_NOANCOOE.SM\r\n64c79aea781eadec0c3ab32808660ecd9205b910e8c5e8b43f41b19cdef7ad66 NanoCore BKDR_NOANCOOE.SMUPS\r\n8dc26896a28c36ccc7a93b3435a42954a9325802d4e3ee0731067802ab9d6fd2 NanoCore BKDR_NOANCOOE.SM\r\nab1cd62b3fea7cff71d8b2c59515a20f612ad4c82ae470d1995dee55ed3f923e NanoCore BKDR_NOANCOOE.SM\r\nbb39887e5668ce591aba14bca153c225183f5d4b0ef5ea0f85c0855505b418d7 NanoCore BKDR_NOANCOOE.SM\r\nd112e19d34e88c040a70367143569c965cb48dbb1fa36579838c51f8ca9ebe7c NanoCore BKDR_NOANCOOE.SM\r\ndf0dcc7475e1497ac795bc2a11136c54299221e850373726b69aceaeecf4fa3b NanoCore BKDR_NOANCOOE.SM\r\nec2c954ab2acbb52f79b2cf1f24cbf935e28575900dca2e205b22cd0e5781a16 NanoCore BKDR_NOANCOOE.SM\r\nf292c9d84f219dbc6821729b92a37b6771c3ac0f3e69f154f37a636d87b176fe NanoCore BKDR_NOANCOOE.SM\r\n264bbb47e0b55c06aaa9e558902b6389891d8d17d76ad7eec634f2e358289b81 njRAT BKDR_BLADABI.SMC\r\n2951818c48bf700f26bb64ff55a4fd190cc752ce201ed8425c7531a728c2c4dd njRAT BKDR_BLADABI.SMC\r\n2a58840511e2d1293c8ff7eb25461824ac5734f7e930cecf2af3a102ec7a82c3 njRAT BKDR_BLADABI.SMC\r\n4b44701bcc0b7d99f309c7704d4c58f3dbe4ea207d7ff915fe0aa22d9975a2d1 njRAT 
BKDR_BLADABI.SMC\r\n70db49695386b79dcf21ca2346ee1ebad08b1cc6e49d30839be09aec32e39e7e njRAT BKDR_BLADABI.SMC\r\n73c425fc318a0f89a9ca5794355fbb78bd595174cb3a30f871176a3a4d79601a njRAT BKDR_BLADABI.SMC\r\nc95e3799e0a9981a4a6bb6ab7c71294a2ecf836b3ca6339bbd756a70010b75ea njRAT BKDR_BLADABI.SMC\r\nd4386d967f7e50c8380c9075079590cf7a95d54dc523a50f2bf55d29f799710d njRAT BKDR_BLADABI.SMC\r\neb2966a2181e0df015b7b8e7ae2fe581b6cb505ee3456efa6b5a340edb5e5764 njRAT BKDR_BLADABI.SMC\r\nffaf0ab447bce485f4a7db970f3da1fb854c5e6b6df22327af0e02215e92f20f njRAT BKDR_BLADABI.SMC\r\nNgrok DNS Alerting Snort Rules\r\nalert udp $HOME_NET any -\u003e any 53 (msg:\"ET POLICY DNS Query to a *.ngrok domain (ngrok.com)\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|05|ngrok|03|com|00|\"; fast_pattern; distance:0; nocase; classtype:policy-violation; sid:2022641; rev:1; metadata:created_at 2016_03_23, updated_at 2016_03_23;)\r\nalert udp $HOME_NET any -\u003e any 53 (msg:\"ET POLICY DNS Query to a *.ngrok domain (ngrok.io)\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|05|ngrok|02|io|00|\"; fast_pattern; distance:0; nocase; classtype:policy-violation; sid:2022642; rev:1; metadata:created_at 2016_03_23, updated_at 2016_03_23;)\r\nYara Rule\r\nimport \"cuckoo\"\r\nrule ngrok_traffic\r\n{\r\n    condition:\r\n        cuckoo.network.http_request(/https:\\/\\/.*\\.ngrok\\.io/) or\r\n        cuckoo.network.http_request(/http:\\/\\/.*\\.ngrok\\.io/) or\r\n        cuckoo.network.dns_lookup(/\\d\\.tcp\\.ngrok\\.io/) or\r\n        cuckoo.network.dns_lookup(/.*\\.ngrok\\.io/)\r\n}\r\nBash Commands\r\ncurl -s https://s3.amazonaws.com/dns.ngrok.com/tunnel.json | jq -r '.[][]'\r\nfor ip in `curl -s https://s3.amazonaws.com/dns.ngrok.com/tunnel.json | jq -r '.[][]'`; do echo \"iptables -A OUTPUT -s 0.0.0.0/0 -d $ip -p all -j DROP\"; done\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services"
	],
	"report_names": [
		"how-cybercriminals-abuse-cloud-tunneling-services"
	],
	"threat_actors": [],
	"ts_created_at": 1775434892,
	"ts_updated_at": 1775791278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a472359f0c74fe331c7a8b2b572e5ac68371aec3.pdf",
		"text": "https://archive.orkl.eu/a472359f0c74fe331c7a8b2b572e5ac68371aec3.txt",
		"img": "https://archive.orkl.eu/a472359f0c74fe331c7a8b2b572e5ac68371aec3.jpg"
	}
}