Content Delivery Networks (CDN) Exploits (1): Cloud Infrastructures Are the New Realm of Operation for Cyber Attackers

Yasin Kalli
11 min read · 20 hours ago


(I will cover CDN exploit detection, mitigation, and prevention measures, as well as future trends and recommendations, in the second part of the article, so as not to make this one too long.)

Link to the Turkish version of this article (https://www.linkedin.com/pulse/i%C3%A7erik-da%C4%9F%C4%B1t%C4%B1m-a%C4%9Flar%C4%B1-cdn-istismarlar%C4%B11-siber-zararl%C4%B1-kalli-scsr--hcfef/?trackingId=ib5ctDw7RdWlLPD%2BeNk4Bw%3D%3D)

Content Delivery Networks (CDNs) have become an essential part of modern internet infrastructure, optimizing performance and reliable access for the world's 5.5 billion internet users. Designed to accelerate content delivery by caching resources on geographically distributed servers, they play a vital role in reducing latency and increasing availability. CDN services keep growing in popularity, and today most of the web traffic from major content providers such as Facebook, Netflix, and Amazon is delivered through CDNs. In addition, a properly configured CDN can protect websites against some common cyber attacks, such as Distributed Denial of Service (DDoS) attacks.

However, the characteristics that make CDNs essential for legitimate operations (scalability, resilience, and ubiquity) also make them attractive to adversaries. Threat actors increasingly use CDNs and cloud infrastructure to host, distribute, and manage malware campaigns. This misuse of trusted platforms poses significant challenges for intrusion detection and mitigation, and requires security strategies to adapt to the evolving threat landscape.

Cyber attackers have developed a range of techniques to exploit CDNs, using these large global infrastructures to anonymize their activities, evade detection, and keep malicious payloads highly available. Cloud providers such as AWS, Google Cloud, and Azure, which offer scalable storage and application delivery, are abused in the same way. By mimicking legitimate uses of cloud services through CDNs and embedding malicious content in them, threat actors blend seamlessly into normal traffic patterns. This convergence of trust and threat is therefore a significant challenge for defenders and a powerful tool for attackers[1].

According to Netskope's 2023 "Cloud and Threat" report[2], cyber attackers were attempting to hide in plain sight by routing malware communications through popular content delivery networks (CDNs) and cloud service providers. The executables of newly detected malware most often communicated with IP addresses belonging to Akamai, one of the most popular CDNs. IP addresses associated with Amazon Web Services and Microsoft Azure were also among the most common destinations.

(Netskope did not include CDNs in the current, 2024 version of the Cloud and Threat report, so I have referred to a different article instead, so as not to extend the scope of this one. For those who want to read it, here is the link to that report, which covers cloud platforms, SaaS and artificial intelligence applications, and APT profiles[3].)

Top malware communication destinations (Netskope)

Understanding CDNs and Cloud Infrastructure
Content Delivery Networks (CDNs) consist of three types of servers. Origin servers hold the original content and are where it is updated. Edge servers, distributed around the world at Points of Presence (PoPs), cache content fetched from the origin (and re-fetch it when the cached copy is stale) and serve it to nearby users. Finally, DNS servers keep track of the origin and edge server IPs and resolve each user's request to a suitable edge server so that content is delivered quickly[4].

CDN servers (Imperva)

CDNs are designed to improve the speed and reliability of web content delivery by caching files on strategically distributed servers around the world. This decentralized approach is meant to minimize latency by reducing the distance between servers and end users and to ensure consistent performance even under high traffic loads. A CDN balances overall traffic to provide the best possible web experience for everyone accessing internet content. It plays a critical role in supporting modern digital infrastructure, especially for websites, streaming services, and e-commerce platforms.

In parallel, cloud infrastructure provides organizations with flexible, scalable computing resources, including storage, processing power, and APIs that integrate seamlessly with CDNs. These technologies form the backbone of digital transformation, helping businesses operate efficiently and securely in global markets.

On the other hand, malicious actors exploit the same technologies to support their malware campaigns. Actors hosting malware on cloud platforms integrated with CDN services get the same fast, reliable delivery that legitimate users enjoy, now applied to malicious payloads. In a phishing campaign, for example, these platforms host the malicious attachments and the CDN distributes them globally. Similarly, attackers exploit the trusted reputation of CDN and cloud platforms to get past security controls.

Files and connections associated with these services are less likely to be flagged as malicious because they originate from IP addresses and domains belonging to widely used, trusted platforms. (Solution?)

Transformation of CDNs into Threat Infrastructure
Unfortunately, content delivery networks (CDNs) also let malicious actors build and operate their own infrastructure. Traditional attack methods relied on dedicated or compromised servers to host malicious payloads and coordinate operations. While these approaches worked, such single-purpose infrastructure was fragile: it could be fingerprinted, blocklisted, and taken down. In contrast, the scalability, flexibility, and ubiquity of CDN and cloud services offer significant operational advantages to threat actors.
Turned into adversary infrastructure, CDNs function as decentralized networks that distribute malicious payloads, coordinate command and control (C2) operations, and deliver additional malware components. Because malicious traffic that passes through a CDN is often indistinguishable from legitimate use, this reliance on trusted infrastructure makes it much harder to detect and block.

For example, a botnet could use Google Cloud APIs to update malware configurations dynamically while blending in with routine network traffic. Similarly, ransomware groups have used Microsoft Azure to host encryption keys and distribute decryption tools, taking advantage of the platform's reliability and global reach.

A notable aspect of CDN exploitation is its flexibility. Attackers frequently change hosting locations, taking advantage of the dynamic nature of cloud infrastructure to avoid detection and takedown efforts. This agility lets them keep operations running even while one hosting location is under active investigation, because malicious components can be quickly rehosted or redirected to another location within the same cloud ecosystem. This operational model underscores the complexity of modern threats and the difficulty of disrupting these activities.

How Attackers Leverage CDNs for Malware Distribution
Cyber attackers keep experimenting with ways to minimize the risk of detection while maximizing the benefits of CDN and cloud infrastructure platforms. To summarize in five points:

  1. Malware hosting is the most common technique: attackers upload payloads to cloud storage integrated with CDN delivery mechanisms. Criminal malware-as-a-service offerings bundle this hosting with rented software and hardware for cyberattacks, making it possible for people without technical skills to run malware campaigns. The payloads, which may be executables, scripts, or malicious documents (maldocs), are distributed via URLs that look legitimate.

For example, attackers can host a phishing document in Azure Blob Storage and front it with Azure CDN. This lets them deliver malicious content, disguised as legitimate content, quickly and efficiently to victims around the world.

2. Another, more sophisticated method is domain fronting (MITRE ATT&CK T1090.004). The technique lets attackers disguise the true destination of their traffic: the TLS handshake (SNI) and the outer connection name a trusted, high-reputation domain served by the CDN, while the HTTP Host header inside the encrypted session names the attacker's own site hosted on the same CDN, and the edge routes the request accordingly.

For example, attackers use HTTPS connections to make command and control (C2) traffic look like requests to a trusted domain. This not only hides the malicious nature of the traffic, it also makes blocking or intercepting the communications impossible without disrupting legitimate services on the same domain or edge IPs.

Advanced persistent threat (APT) groups such as APT29 have used domain fronting in their targeted campaigns, leveraging the reputation of major CDN providers to avoid detection[5].

3. Payload staging is another critical component of CDN exploitation. Attackers often use CDNs to host initial loaders, which are small files designed to retrieve additional malware components from secondary servers. This multi-stage delivery mechanism reduces the size of the initial payload, making it less likely to trigger security alerts while maintaining the flexibility to update or replace subsequent components.

For example, the main feature of the 2023 campaign by the APT group Mustang Panda was a new, customized PlugX variant called DOPLUGS, but an interesting aspect was its multi-stage delivery mechanism, which abused Google Drive, a legitimate cloud service, to deliver the first-stage payload[6].

4. In a different malware campaign uncovered in 2024, a Windows shortcut (LNK) file carried an embedded PowerShell script that executed a malicious HTA (HTML Application) file hosted on CDN domains controlled by the attacker. The HTA file runs embedded JavaScript that decrypts and executes a PowerShell decryptor script. The decryptor decrypts the embedded PowerShell loader script and runs it in the victim's memory. The loader performs several steps to evade detection and bypass UAC (User Account Control), and finally downloads and executes one of three malicious payloads: the CryptBot, LummaC2, or Rhadamanthys infostealer[7].

Multi-stage infection summary, infostealer malware campaign (Talos)

5. Command and control (C2) infrastructure is another important area of CDN abuse. Just as a CDN can hide legitimate web servers behind its edge, it can hide C2 servers. Attackers use CDN-fronted cloud services to establish resilient C2 channels and manage infected endpoints with minimal disruption. In such attacks, the threat signals are very hard to detect because they are spread across many IP addresses. Moreover, those destination IPs are shared with legitimate CDN customers, so threat traffic mixes with legitimate traffic.

For example, a botnet could use a Google Cloud function to issue commands to compromised devices, leveraging the platform's scalability and redundancy to keep communication uninterrupted. This matters for large-scale operations, where reliable C2 channels are essential for coordinating attacks and deploying updates. C2 communications over a CDN are detected in much the same way as traditional C2, but instead of analyzing the destination IP address, the analyst must look at the server name (TLS SNI) or Host field in the HTTP/HTTPS traffic. By identifying persistent patterns between an internal system and the application-level names it talks to on the CDN, the communication patterns used for C2 can be found[8].

C2 over CDN Services
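The two checks the preceding points describe (the SNI/Host mismatch that betrays domain fronting in point 2, and keying beaconing analysis on the server name rather than the destination IP in point 5) can be run over proxy metadata. The following Python is an added example written for this article, not code from the original post or from Netskope, Talos or any vendor; the log records, hostnames, IP addresses and thresholds in it are constructed, and the registrable-domain helper is a deliberately naive stand-in for a Public Suffix List lookup.

```python
"""Detecting C2 over a CDN from proxy metadata (added example).

Two checks:
  1. domain fronting (MITRE ATT&CK T1090.004): the TLS SNI names one
     registrable domain while the HTTP Host header names another;
  2. beaconing: near-periodic connections from one internal host to one
     server name, keyed on the hostname rather than the destination IP,
     because the IP is shared with legitimate CDN customers.

All records, hostnames, IPs and thresholds below are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy records: (epoch_seconds, src_ip, dst_ip, tls_sni, http_host).
# 10.0.0.5 beacons every ~60 s across three edge IPs; 10.0.0.7 fronts a second
# domain behind the same edge IP; 10.0.0.9 is ordinary browsing, irregular timing.
RECORDS = [
    (1000, "10.0.0.5", "203.0.113.10", "assets.example.net", "assets.example.net"),
    (1060, "10.0.0.5", "203.0.113.10", "assets.example.net", "assets.example.net"),
    (1121, "10.0.0.5", "203.0.113.10", "assets.example.net", "assets.example.net"),
    (1180, "10.0.0.5", "203.0.113.11", "assets.example.net", "assets.example.net"),
    (1240, "10.0.0.5", "203.0.113.11", "assets.example.net", "assets.example.net"),
    (1299, "10.0.0.5", "203.0.113.10", "assets.example.net", "assets.example.net"),
    (1360, "10.0.0.5", "203.0.113.12", "assets.example.net", "assets.example.net"),
    (1420, "10.0.0.5", "203.0.113.10", "assets.example.net", "assets.example.net"),
    (1005, "10.0.0.7", "203.0.113.10", "cdn.example.com", "c2.example.org"),
    (1700, "10.0.0.7", "203.0.113.10", "cdn.example.com", "c2.example.org"),
    (2600, "10.0.0.7", "203.0.113.10", "cdn.example.com", "cdn.example.com"),
    (1000, "10.0.0.9", "203.0.113.20", "www.example.com", "www.example.com"),
    (1005, "10.0.0.9", "203.0.113.20", "www.example.com", "www.example.com"),
    (1200, "10.0.0.9", "203.0.113.20", "www.example.com", "www.example.com"),
    (1230, "10.0.0.9", "203.0.113.20", "www.example.com", "www.example.com"),
    (1900, "10.0.0.9", "203.0.113.20", "www.example.com", "www.example.com"),
    (2400, "10.0.0.9", "203.0.113.20", "www.example.com", "www.example.com"),
    (2405, "10.0.0.9", "203.0.113.20", "www.example.com", "www.example.com"),
]


def registrable_domain(hostname: str) -> str:
    """Naive eTLD+1 (last two labels). Enough for the constructed data; a
    real deployment should consult the Public Suffix List instead."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_domain_fronting(records):
    """Return sorted (src_ip, sni, host) triples where SNI and Host disagree
    on registrable domain, i.e. the request is fronted behind the SNI domain."""
    hits = set()
    for _ts, src, _dst, sni, host in records:
        if sni and host and registrable_domain(sni) != registrable_domain(host):
            hits.add((src, sni, host))
    return sorted(hits)


def find_beacons(records, key="sni", min_conns=6, max_cv=0.1):
    """Flag (src, target) pairs whose inter-connection gaps are near-constant.

    key="sni" groups by server name (what the text recommends); key="dst"
    groups by destination IP, which a CDN spreads across many addresses and
    so dilutes the pattern. max_cv is the largest coefficient of variation
    (stdev / mean of the gaps) still treated as periodic; min_conns and
    max_cv are assumed thresholds to tune per environment.
    """
    idx = {"sni": 3, "dst": 2}[key]
    by_key = defaultdict(list)
    for rec in records:
        by_key[(rec[1], rec[idx])].append(rec[0])
    flagged = []
    for (src, target), times in by_key.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged.append((src, target, round(avg, 1), round(cv, 3)))
    return flagged


if __name__ == "__main__":
    print("domain fronting:", find_domain_fronting(RECORDS))
    print("beacons by SNI: ", find_beacons(RECORDS, key="sni"))
    print("beacons by IP:  ", find_beacons(RECORDS, key="dst"))
```

Grouping by destination IP finds nothing in this data, because the CDN spreads the beacon across several edge addresses; grouping by server name recovers the 60-second cadence. The mismatch check flags only the fronted requests, not the later request in which SNI and Host agree.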

Other Types of Attacks Using CDN Infrastructure Vulnerabilities and Weaknesses

CDN vulnerabilities and weaknesses (ioriver)
  1. Cache poisoning: In cache poisoning attacks, attackers send crafted requests that make the CDN store, and then serve to other users, a response the attacker influenced. Flooding the CDN with variations of such requests also makes it hold many versions of the same content, which creates operational and efficiency problems for the CDN, hurting performance, user experience, and customer cost. It also puts the customer's own infrastructure at risk, because much of the traffic the CDN should have absorbed is passed back to the origin.

An attacker can also poison the cache with content that is not malicious in itself but interferes with the use of the targeted web application.

For example, they could send requests that trigger errors on the origin server. When the server returns an error, the error page is stored in the CDN's cache. From then on, legitimate clients cannot get the content they requested; the CDN serves them the cached error page instead. This is known as a Cache Poisoning Denial of Service (CPDoS) attack because it prevents clients from obtaining the requested content[9].

Cache Poisoning Attack

2. Data Breach: A data breach occurs when sensitive, personal, or confidential data is accessed, disclosed, or stolen without authorization. This can include anything from personal data and credit card numbers to corporate or trade secrets and intellectual property. The consequences can be far-reaching, affecting individuals' privacy as well as corporate reputation and finances. CDNs store copies of web content, which may contain sensitive data such as credit card numbers, customer information, and personal health information, on many servers.

If any of these servers is compromised, an attacker who breaches the CDN can read that sensitive data directly from cached pages containing users' personal information.
The many nodes and servers in a CDN increase the attack surface, i.e. the number of potential points an attacker can exploit. Every server in a CDN network must be properly secured; otherwise, it becomes a potential entry point for cybercriminals.

3. TLS Certificate Compromise: TLS certificates are digital certificates that authenticate a website or server and enable encrypted communication with it. They are an essential component of SSL/TLS, the standard technology for establishing an encrypted connection between a web server and a browser. This secure connection ensures that all data transmitted between the web server and browsers stays private and intact.

With a CDN, TLS certificates and their private keys are usually installed and managed on the CDN's edge servers, which terminate TLS on the customer's behalf. If a certificate's private key is compromised, a man-in-the-middle (MitM) attack becomes possible: attackers can read sensitive data in transit and deceive users through phishing and fraud. For example, a stolen certificate can make an attacker's site appear to be a trusted website while in fact it redirects users to a phishing page.

4. Multi-Tenancy Architecture Risks: An inherent characteristic of CDNs is multi-tenancy: the same servers in the CDN infrastructure serve many content providers and customers, so that storage and capacity are used efficiently. While this design is efficient for distributing content, it also introduces security risks, such as cross-tenant leakage caused by bugs or misconfigurations in the CDN. In such cases, a glitch in the CDN software may inadvertently give users access to data belonging to a different content provider, which raises serious privacy and security concerns.

5. Dependency and Availability Risks: Relying on a single CDN vendor creates a single point of failure for the services that depend on it. The usual way to mitigate this risk is to move to a multi-CDN architecture. Any service disruption is also a long-term risk to the reputation of the CDN provider, and it harms its customers.

Different CDN providers have different capabilities in geographic coverage and performance optimization. Over-reliance on a single provider can therefore limit website performance in regions where that provider's coverage is weaker. It can also limit an organization's ability to adapt quickly to changing demands or to scale content delivery in response to traffic spikes, which is a risk when dealing with surges in web traffic or global reach.

Availability risks refer to the potential for CDN services to become partially or completely unavailable, affecting the websites and services that depend on them. These risks can arise from infrastructure failures due to hardware and network problems, from cyber attacks such as DDoS, and from unintentional operational errors in configuration or deployment[10].
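To make the CPDoS case in point 1 concrete, here is a toy model of an edge cache in Python. It is an added example, not the article's or Cloudflare's code: a stand-in origin rejects requests whose headers exceed an assumed 8 KiB limit (the "HTTP Header Oversize" variant of CPDoS), and the cache is keyed on the path alone, so whether the resulting error page is stored decides whether every later visitor receives it. The limit, paths and policy names are assumptions.

```python
"""Toy model of a CDN edge cache showing Cache Poisoning Denial of Service.

Added example, not code from the article or from any CDN vendor. The origin
is a stand-in that answers 400 when a request carries more header bytes than
it accepts; the 8 KiB limit, the paths and the cache policy are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MAX_HEADER_BYTES = 8192  # assumed origin limit; edge caches usually accept more


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


def origin(path: str, request_headers: Dict[str, str]) -> Response:
    """Stand-in origin. The 200 page carries caching directives; the error
    page, as on many real origins, carries none."""
    header_bytes = sum(len(k) + len(v) for k, v in request_headers.items())
    if header_bytes > MAX_HEADER_BYTES:
        return Response(400, "Bad Request: header too large")
    return Response(200, f"<html>{path}</html>",
                    {"Cache-Control": "public, max-age=3600"})


class EdgeCache:
    """Edge cache keyed on the request path only: the header that triggered
    the error is not part of the key, so a stored error page is served to
    everyone. cache_error_responses=True models an edge that caches error
    pages by default; False models the hardened policy."""

    def __init__(self, cache_error_responses: bool):
        self.cache_error_responses = cache_error_responses
        self.store: Dict[str, Response] = {}
        self.origin_hits = 0

    def _cacheable(self, resp: Response) -> bool:
        cc = resp.headers.get("Cache-Control", "")
        if "no-store" in cc or "private" in cc:
            return False
        if resp.status >= 400:
            return self.cache_error_responses
        return True

    def get(self, path: str,
            request_headers: Optional[Dict[str, str]] = None) -> Response:
        if path in self.store:
            return self.store[path]          # cache hit: origin not consulted
        self.origin_hits += 1
        resp = origin(path, request_headers or {})
        if self._cacheable(resp):
            self.store[path] = resp
        return resp


def simulate(cache_error_responses: bool) -> Tuple[int, int]:
    """Attacker poisons /index.html with an oversized header, then a
    legitimate client requests the same path. Returns the two statuses."""
    edge = EdgeCache(cache_error_responses)
    poison = {"X-Oversized": "A" * (MAX_HEADER_BYTES + 1)}
    attacker = edge.get("/index.html", poison)
    victim = edge.get("/index.html")
    return attacker.status, victim.status


if __name__ == "__main__":
    print("error pages cached :", simulate(True))   # (400, 400): victim denied
    print("error pages skipped:", simulate(False))  # (400, 200): victim served
```

The hardened policy here is the simple one of never storing error responses; real CDNs expose this as configuration, and the cache key should also include any request attribute (such as an unusual header) that changes the origin's answer.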

(See you in part 2…)

REFERENCES

[1] https://www.linkedin.com/pulse/cdn-exploitation-how-adversaries-use-cloud-malware-groeneveld-ckshe/?trackingId=RSviP0t5QZyECQpcTxGeRA%3D%3D

[2] https://www.netskope.com/wp-content/uploads/2023/05/cloud-and-threat-report-global-cloud-and-web-malware-trends.pdf

[3] https://www.netskope.com/netskope-threat-labs/cloud-threat-report/cloud-and-threat-report-2024

[4] https://www.akamai.com/glossary/what-is-a-cdn

[5] https://attack.mitre.org/techniques/T1090/004/

[6] https://www.netskope.com/blog/cloud-threats-memo-google-drive-abused-to-target-organizations-in-asian-countries

[7] https://blog.talosintelligence.com/suspected-coralraider-continues-to-expand-victimology-using-three-information-stealers/

[8] https://www.linkedin.com/pulse/detecting-malware-command-control-channels-chris-brenton

[9] https://blog.cloudflare.com/cache-poisoning-protection/

[10] https://www.ioriver.io/blog/security-risks-for-cdn-operations#:~:text=CDNs%20store%20copies%20of%20web,could%20access%20this%20sensitive%20data.


Written by Yasin Kalli

Sr. Cyber Security Researcher ♾ CTI & OSINT ♾ Threat Hunting SOC/SOAR ♾ Computer Science B.A. ♾ Cyber/IT Law M.Sc. ♾ Information Management Ph.D ♾ Data Governance
