During a recent review of threat intelligence data, our team outlined something we have known for quite a while. In short, Cloudflare, the provider that protects companies from DDoS attacks, is also propagating malicious content and caching it even after it has been taken down elsewhere. We previously reported on some issues with Verizon in which we observed caches and CDNs hosting thousands of unique malware samples that updated daily, so we suspected this same issue would also exist with other providers.
Don't get us wrong, we are huge fans of caching: we were one of the first Akamai ISPs back in the 1999-2000 timeframe, and caching content saved our company literally thousands of dollars per year per site in bandwidth expenditures. These content distribution networks are great when it comes to reaching content and maintaining fast downloads, streaming content and ISO images. The issue is that if malware is not known, it cannot be detected; it gets cached like any other content and sometimes outlives the original source of the data.
Good at what they do
Cloudflare and many other companies ensure that content remains available for those wishing to access it. What they are not so good at is removing malicious files and content.
Weaponization of location data
For those of you who don't understand how CDNs work, let us explain. Many CDN providers have data centers all over the world in many locations. When customers request content, instead of the content being served from the source (the Cloudflare customer's website), it is served from a nearby data center, which increases availability, improves speed and shortens download times. If a data center is busy, the content comes from the next closest or available data center. What we are starting to see is manipulation of content, especially application content, where CDNs are being used to push malware to targeted users. This was apparent with Verizon: when we downloaded an application from our Jigsaw network we got one file with a particular MD5 hash, but when we downloaded the same content from a foreign IP address we got our intended download with an additional malware infection.
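The check that surfaces the behaviour described above is to fetch the same URL from several vantage points and compare what each edge returns. The following is an added example written for this post, not Jigsaw Security's or any CDN's code: it takes the bodies returned to each vantage point (here a constructed sample with hypothetical vantage labels, so it runs offline; in practice the bodies would come from real downloads), finds the consensus hash, and classifies each outlier as appended, prepended or modified relative to the consensus file, which is the shape of the "same download plus extra payload" divergence seen with Verizon.

```python
import hashlib
from collections import Counter

# Constructed sample data (not captured traffic): the same download URL as
# returned to three vantage points. Vantage labels are hypothetical.
CLEAN_FILE = b"MZ\x90\x00" + b"\x00" * 60 + b"installer-payload-v1"
TAMPERED_FILE = CLEAN_FILE + b"\x00" * 8 + b"EXTRA-APPENDED-BLOB"

SAMPLE_DOWNLOADS = {
    "vantage-home": CLEAN_FILE,
    "vantage-office": CLEAN_FILE,
    "vantage-foreign": TAMPERED_FILE,
}


def fingerprint(body: bytes) -> dict:
    """Size plus MD5 and SHA-256 of one downloaded body."""
    return {
        "size": len(body),
        "md5": hashlib.md5(body).hexdigest(),
        "sha256": hashlib.sha256(body).hexdigest(),
    }


def consensus_sha256(downloads: dict) -> str:
    """SHA-256 returned by the most vantage points (ties broken deterministically
    by hex value; with no majority the result is still just one of the candidates)."""
    counts = Counter(hashlib.sha256(body).hexdigest() for body in downloads.values())
    return max(counts, key=lambda h: (counts[h], h))


def classify_difference(reference: bytes, suspect: bytes) -> dict:
    """Describe how `suspect` differs from `reference`: identical, extra bytes
    appended or prepended to an otherwise intact file, or modified in place."""
    if suspect == reference:
        return {"kind": "identical"}
    if suspect.startswith(reference):
        return {"kind": "appended", "extra_bytes": len(suspect) - len(reference)}
    if suspect.endswith(reference):
        return {"kind": "prepended", "extra_bytes": len(suspect) - len(reference)}
    # In-place change: report where the first differing byte sits.
    prefix = 0
    for a, b in zip(reference, suspect):
        if a != b:
            break
        prefix += 1
    return {
        "kind": "modified",
        "size_delta": len(suspect) - len(reference),
        "common_prefix": prefix,
    }


def audit_downloads(downloads: dict) -> dict:
    """Compare every vantage point's download against the consensus file and
    report the ones that diverge, with their hashes and the kind of difference."""
    ref_hash = consensus_sha256(downloads)
    reference = next(
        body for body in downloads.values()
        if hashlib.sha256(body).hexdigest() == ref_hash
    )
    agreeing, outliers = [], {}
    for vantage, body in downloads.items():
        diff = classify_difference(reference, body)
        if diff["kind"] == "identical":
            agreeing.append(vantage)
        else:
            outliers[vantage] = {**fingerprint(body), **diff}
    return {
        "consensus_sha256": ref_hash,
        "agreeing_vantages": agreeing,
        "outliers": outliers,
    }


if __name__ == "__main__":
    report = audit_downloads(SAMPLE_DOWNLOADS)
    print("consensus sha256:", report["consensus_sha256"])
    print("agreeing vantages:", ", ".join(report["agreeing_vantages"]))
    for vantage, info in report["outliers"].items():
        print(f"DIVERGENT {vantage}: {info['kind']} "
              f"md5={info['md5']} size={info['size']}")
```

Two or more agreeing vantage points are needed for the consensus to mean anything; with a single download there is nothing to compare against, which is exactly why a malicious edge copy can go unnoticed. Keeping the per-vantage MD5/SHA-256 in the report gives an analyst something to pivot on when the divergent body is submitted for analysis.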
Jigsaw Security has completely disabled Cloudflare and Verizon CDN on our customer networks. This has the effect of making some content unavailable, but it also prevents this targeted installation of malware onto specific users' networks and computing resources.