ThreatSTOP Blog

Recent malicious CDN block

Written by Irena Damsky | March 24, 2016

Recently, ThreatSTOP blocked information delivered by a couple of high-profile content distribution networks (CDNs), causing certain content to be unavailable to our customers via social media platforms.

What Happened

We conducted an analysis and had reason to believe that the CDNs, used by services with global reach such as media, social networks, ecommerce and more, were compromised and serving ransomware. Our research team cross-referenced several legitimate sources and received several confirmations that the content was in fact malicious, and this was not the first time that this specific CDN had been compromised.

Furthermore, the information distributed by the CDN was not business critical, but rather static content for social media. The block should not have caused any customer outage.

We considered the following courses of action:

  • Block the malicious traffic while attempting to understand the level of risk, thus temporarily impacting our customers’ experience in trying to access several services.
  • Leave it be, allowing the CDN to freely continue to distribute ransomware, potentially exposing our customers, and our customers’ customers.

We made the decision to block the distribution of ransomware, leaving some of our customers unhappy with our decision. Our research team also reached out to the affected CDN, enabling them to remediate the issue. Less than 24 hours later we confirmed that the threat was removed and cleared the block, allowing traffic to resume to normal.

Why ThreatSTOP

Our service is intended to protect our customers from being infected with malware, and this is exactly what we did (and will continue doing). We made a bold decision to block a very high-traffic resource from distributing malware in order to protect our customers from being infected.

Anyone who has fallen victim to ransomware will tell you how devastating it is to experience the total loss of data and disruption to ongoing business operations.

We apologize for any inconvenience that was caused, and continue to believe we opted for the correct course of action. We will continue to protect our customers from malware going forward.


Irena Damsky

Senior Director, Security Research