Content is Key, but Is Also a Door for Spreading Malware

Since the onset of the current health crisis, many systems have found themselves strained. From remote work platforms to collaboration software, most services have been affected by the heavy traffic and the necessity to accommodate large numbers of users.

However, no systems have been more heavily affected than content platforms. From content delivery networks (CDNs) to cloud storage, sharing, and enterprise content management systems (ECMs), every platform has been forced to work at maximum efficiency. Businesses depend on it.

But efficiency always leaves room for error and the first to profit from such “opportunities” has been, as always, cybercriminals.

Your vulnerability is your clients’ vulnerability

Content-related attacks usually receive less media coverage, but that doesn’t mean they are less severe. Content services don’t just cover file storage and management: they also cover transfer protocols, distribution, access, and back-ups. Some platforms, like web-based Content Management Systems (CMS), also cover the way content is displayed. Each of these capabilities adds new vulnerabilities.

A recent example is the Accellion* breach. A large private-cloud solutions provider, Accellion used a 20-year-old file system named FTA for large file transfers. By exploiting a zero-day vulnerability, cybercriminals were able to access not just data stored by Accellion, but also the data of numerous Accellion clients. In the past two months, the list of victims has expanded to include high profile names such as Kroger, CSX, Flagstar Bank, The Reserve Bank of New Zealand, and even Harvard**.

This shows why content-related attacks have such a valuable payload for cybercriminals – they can lead to a potential treasure trove of client data. This can include everything from credential databases to restricted files. Furthermore, content networks and platforms can be easily used as attack vectors. This is why, when targeting them, attackers often use less common techniques such as:

Man-in-the-Middle Attacks (MITM)

In this case, an attacker intercepts Internet traffic or data between two parties in order to gain access to a system or commit fraud. While MITM attacks were initially centered around payment or credential theft, they have now started targeting CDNs. Exploit kits are often used as attack vectors in such operations, as they are more adaptable to complex systems.


These attacks often target cloud content systems as their “success” depends on the value of the captive data. It’s one thing to maliciously encrypt the content of a single computer, it’s a whole different one to get ahold of a large provider’s servers. Since these attacks have increased in number in the past years, the phenomenon has now been dubbed RansomCloud.

APT deployment

Advanced Persistent Threats (APTs) are constantly used to target various content delivery and management systems. APTs are the perfect candidates to “monitor” shared content, as they can easily blend in with heavy network traffic.

Drive-by downloads

This technique can often target content repositories, as it is more difficult for users to notice malicious, self-installing, code if they are already downloading or installing something else.

SQL injections and cross-site scripting

These techniques usually target web content management systems like WordPress, Joomla, or Drupal. As these platforms are now behind a majority of the world’s website content, many implementations have old or outdated security. SQL injections use these vulnerabilities to send commands to a website’s main database, while cross-site scripting delivers third party payloads to visitors of legitimate websites while they are consuming content.

CDN-based attacks

These attacks rely on the concept that most providers (enterprise or consumer grade) cannot block the traffic coming from a CDN’s IP address. This makes them ideal targets for attackers. CDN-based attacks are usually caused by cybercriminals posing as legitimate users and compromising the content that passes through these networks.

While these are specialized attacks, one can argue that most cyberattacks are “content based” because they either want access to certain content or wish to compromise it. For example, SSL-based DDoS attacks and dynamic content attacks simply block the CDNs or servers they target, denying access to legitimate users.

Unfortunately, content management networks are constantly asked for low latency, immediate scalability, and instant access. This makes them highly vulnerable and, due to the high amount of traffic they generate, more difficult to scan. So, how can you protect such a system?

Content filtering: a catch-all solution

Content filtering is the detection and removal of potentially malicious or inappropriate content before users have access to it or before it is processed by a system. While the definition may seem general, the truth is that efficient content filtering has a lot of ground to cover. This includes:

  • Web filtering, which is not restricted to the detection of malicious IPs and URLs, but may also have to analyze the content of entire websites or cloud repositories
  • E-Mail filtering, which includes everything from regular spam and malware to various phishing techniques and malicious attachments
  • File scanning, which screens for malicious files both within online content repositories, and also within your own enterprise content network

Depending on the complexity of your business or your client’s business and the way content is managed or distributed, filtering may have to manage all three areas at the same time.

Such a system will also have to employ a wide range of scanning methods, varying from signature-based detection to heuristic and behavioral analysis. This is because more complex threats like APTs or polymorphic malware are difficult to catch through traditional methods.

Last but not least, content filtering should be a constant, real-time process, not just an occasional scan of your systems. After all, content management is a permanent process.

This means that in order to augment your filtering techniques, you might often need the help of specialized cybersecurity solutions.

Why Bitdefender?

With 100% proficiency in detecting both zero-day and widespread malware, Bitdefender offers award-winning protection technologies. Our solutions can be integrated directly into your current platforms, either for internal use or to protect your clients’ content systems.

Our industry-leading technology, Bitdefender Antimalware SDK, can be implemented in any possible configuration: endpoint, network, perimeter, gateway, or cloud-based platforms. Furthermore, its system-agnostic approach allows it to protect a wide range of mobile and desktop devices.

Our SDK ensures perfect detection accuracy covering both known malware samples, through signature-based detection, as well as unknown ones, through generic detection. We provide proactive protection through heuristic analysis as well as zero-day protection through advanced behavioral analysis.

Our flexible licensing models and adaptable architecture will make sure Bitdefender Antimalware SDK fits perfectly with your existing business model. Regardless of how you and your clients handle content, your systems will be protected. Why plan for recovery, when you can focus on prevention? Contact our security experts today!