Malware infections can reach a website through several routes that are invisible to a DNS-based WAF such as Cloudflare. Some of these invisible attacks, which can end with the website being blocklisted, include the following:
Infection Through Sibling Websites on the Same Server
If your server hosts several websites, a malware infection on one site can quickly spread to the other sites on that server, since they are reachable through the same FTP account. Cloudflare, being a DNS-based WAF, only inspects traffic routed through it, so it will not see this lateral movement of the malware.
Host-Level Infections Due to Outdated Packages or Vulnerabilities
Unpatched vulnerabilities or outdated software packages in the server's operating system can also lead to your website being infected. Cybercriminals routinely target such vulnerabilities to gain access to the host and, from there, to your website.
Stolen Credentials
With stolen credentials, cybercriminals can log in directly to the host's SSH or FTP service or to the website's admin dashboard, bypassing the DNS-based WAF altogether because that traffic never passes through it. Such credentials are obtained in many ways, including fake websites, phishing emails, bot fraud, and social engineering.
Payload Manipulation
Payload manipulation is another common technique used to infect websites protected by a DNS-based WAF. Cybercriminals use a range of techniques to get past web application firewalls, many of which are documented in cheat sheets available online. Some of these WAF bypass techniques include:
- Nested encoding
- DoS or DDoS attacks that force the WAF into a fail-open state so that traffic passes uninspected
- Exploiting limitations of the WAF's rule set
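Nested encoding works against any filter that decodes a request value only once before matching it against signatures. The following is an added example (it is not code from the original article, from Cloudflare, or from any WAF vendor) showing the weak single-decode behaviour beside a defensive canonicalizer that decodes to a fixed point with a depth cap. The two signatures and the three sample values are constructed for the demonstration.

```python
"""Canonicalize request values before signature matching.

Added example (not from the original article): shows why a filter that
decodes input only once misses nested-encoded payloads, and how decoding
to a fixed point (with a depth cap) closes that gap. The signatures and
sample inputs below are constructed for the demo.
"""
import html
import re
from urllib.parse import unquote

# Upper bound on decode passes: a value that keeps changing after this many
# layers is itself suspicious and must not be decoded indefinitely.
MAX_DECODE_DEPTH = 5

# Two well-known, deliberately simple signatures (constructed for the demo).
SIGNATURES = [
    ("path_traversal", re.compile(r"\.\./")),
    ("script_tag", re.compile(r"<script", re.IGNORECASE)),
]


def canonicalize(value: str, max_depth: int = MAX_DECODE_DEPTH) -> tuple[str, int]:
    """Strip URL-encoding and HTML-entity layers until the value stops changing.

    Returns (canonical_value, layers_removed). One "layer" is a combined
    percent-decode followed by an HTML unescape.
    """
    current = value
    for depth in range(max_depth):
        decoded = html.unescape(unquote(current))
        if decoded == current:
            return current, depth
        current = decoded
    return current, max_depth


def naive_match(value: str) -> list[str]:
    """Single-decode matching: the weak behaviour that nested encoding exploits."""
    once = unquote(value)
    return [name for name, rx in SIGNATURES if rx.search(once)]


def normalized_match(value: str) -> list[str]:
    """Fixed-point decoding before matching, plus a flag for excessive nesting."""
    canonical, layers = canonicalize(value)
    hits = [name for name, rx in SIGNATURES if rx.search(canonical)]
    # Legitimate clients rarely encode a parameter more than once; two or
    # more layers with no signature hit is still worth flagging for review.
    if layers >= 2 and not hits:
        hits.append("suspicious_nesting")
    return hits


if __name__ == "__main__":
    # Constructed sample values: one double-URL-encoded traversal, one
    # URL-encoded HTML entity sequence, one benign search term.
    for sample in ("%252e%252e%2f", "%26lt%3Bscript%26gt%3B", "hello%20world"):
        canonical, layers = canonicalize(sample)
        print(f"{sample!r:28} -> {canonical!r:12} layers={layers} "
              f"naive={naive_match(sample)} normalized={normalized_match(sample)}")
```

The depth cap is the important design choice: decoding to a fixed point without a bound lets an attacker feed deeply nested values that burn CPU in the filter, which is the same fail-open pressure the DoS bullet above describes. Capping the loop and treating values that still change at the cap as suspicious keeps the normalizer cheap and makes excessive nesting itself a detection signal.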
Missing Protection Rules for New/Zero-Day Attacks
Existing WAF rule sets usually do not cover new or zero-day vulnerabilities immediately. Until its protection rules are updated, your WAF may therefore allow malware to slip through and infect your website. Such vulnerabilities often go undiscovered for months, leaving websites compromised long before anyone detects the problem and considers mitigation measures.
Common delivery routes through which cybercriminals exploit zero-day vulnerabilities on target websites include the following:
- Spear phishing
- Malvertising and malicious sites
- Unauthorized access
- Spam and phishing
Misconfigured DNS WAF
Incorrect settings or a misconfigured DNS WAF can also open gaps that let malware slip through to your site. Security misconfiguration is the failure to properly configure or maintain the security settings of a website's server or application. It occurs when default configurations are left unchanged, security patches are not applied promptly and correctly, and unnecessary services are not disabled.