JS-006-17 Trojaned CDN Downloaders
We wanted to put out a bulletin concerning VerizonEdge which is a CDN service provided by Verizon. Over the past 15 days Jigsaw Security has been monitoring this CDN and noting a very large uptick in malware hosted endpoints within the CDN network. What is surprising is that the malware being hosted is for popular applications such as VLC Media Player, App Blocker, Foxmail and similar highly popular programs. Unsuspecting end users are downloading and being infected with several families of malware all the while thinking the IP is safe because it's whitelisted by many security researchers as Azure. In the past we have had to temporarily block Amazon AWS services for the same reason when malicious actors would use the low cost platform to host their malware and it appears as though we are having to do the same thing with Azure. Currently we are only blocking a handful of AWS addresses that have been persistent problems for our users and we remove the blocks once AWS removes the offending content. Related Virustotal Information: https://www.virustotal.com/en/ip-address/18.104.22.168/information/ What is troubling is that the malware keeps being propagated by this provider and continues to be an issue for researchers and incident response teams. As of 5PM EST this evening the Jigsaw Security SOC has sinkholed this activity on all of our customers networks and provided this notice to alert end users of the issue. While we realize that this may be problematic to those using Microsoft Azure services the fact that Microsoft has not been able to remove this content and the actors continue to move the malware and upload new trojaned software is even more alarming. We have observed thousands of reports of infections to include those users that utilize PortableApps and similar applications managers to download these popular and frequently used applications. We have observed this software targeting only Windows users at this time. We will leave it up to those customers that wish to accept the risk but at this time we have made the decision to block this traffic as a safeguard to our customers that expect us to keep their networks clear of malicious applications. If you have any questions or concerns please let us know. We know other researchers and commercial providers have this IP space whitelisted but we feel as though the continued abuse of these services is extremely risky to our customers, clients and partners.
A quick scan shows that Microsoft has technology scanning Azure to find malicious content but the question then becomes why then are we still seeing this activity daily? In addition we confirmed that we are able to host downloaders on Azure that were not malicious that were then able to download malicious content to Azure and other known malicious sites whereas the malware was not detected. Most of the content is also being hosted by Microsoft and Verizon at that same time.
As long as security vendors are whitelisting Microsoft and Verizon this will continue to be an issue. After all it only takes one developer to write an unknown variant and it will sneak by all of the protections that Microsoft and Verizon has in place.
Jigsaw Enterprise Related Event (Subscribers Only):