Cybersecurity In-Depth: Digging into data about the latest attacks, threats, and trends using charts and tables.

Attackers Route Malware Activity Over Popular CDNs

One way to hide malicious activity is to make it look benign by blending in with regular traffic passing through content delivery networks (CDNs) and cloud service providers, according to a Netskope report.

Edge Editors, Dark Reading

May 5, 2023

1 Min Read
Source: The Cloud and Threat Report, Netskope

Attackers are abusing widely used cloud services and applications to deliver malware and hiding the malware's post-infection activities by routing them over common network ports and well-recognizing content delivery networks (CDNs) and cloud providers, Netskope said in its latest "Cloud and Threat Report." The report provides intelligence on active malware threats against enterprise users. On average, five out of every 1,000 enterprise users attempted to download malware in the first quarter of 2023, it states.

After the malware infects a victim machine, it establishes a communication channel with its home server to download additional malware payloads, execute commands, and exfiltrate data. Attackers are increasingly routing malware communications through IP addresses belonging to well-known CDNs and cloud service providers, primarily Akamai and Cloudflare. Amazon Web Services, Microsoft Azure, and Limelight are also commonly abused.

Only a small fraction of total Web malware downloads were delivered over methods recognized as risky, such as newly registered domains and uncategorized sites, the report points out.

In the first quarter, 72% of all malware downloads detected by Netskope were new, the company reports. Attackers delivered malware by abusing widely used services and applications, such as OneDrive, SharePoint, Amazon S3 buckets, GitHub, Weebly, Dropbox, Google Drive, Box, Google’s Gmail service, and Azure Blob Storage. According to Netskope, attackers had used 261 distinct apps in the first quarter for malware downloads.

“Cloud apps are also commonly abused as a form of social engineering, where attackers use app features familiar to the victims to entice them into downloading malware,” Netskope’s team states.

About the Author

Edge Editors

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights