New research shows that businesses today are far more likely to experience malware downloads from cloud apps than any other source.
Netskope researchers recently analyzed data collected from customer networks and found that more than two-thirds of malware downloaded onto corporate networks between January 1, 2020 and November 30, 2021 came from cloud applications. The security vendor found that cloud-delivered malware has become more prevalent than malware delivered via traditional web downloads and malicious websites.
Much of the change has to do with convenience and cost for attackers, says Ray Canzanese, director of Netskope Threat Labs.
Cloud storage apps offer free or low-cost file hosting services and allow attackers to reach many potential victims. “Attackers trying to gain a foothold in an organization know that a user is more likely to open a link to a service they use regularly,” like Google Drive, he says. “If an attacker sent me a link to download a file from Dropbox, I might not click on it because I rarely use Dropbox for work.”
Significantly, many widely used cloud applications are relatively easy to abuse, although major cloud service providers are getting better at spotting and eliminating malicious activity quickly. Attackers can easily create a free account for many cloud storage applications and simply start uploading malware samples there, Canzanese says.
“Then they share links to that content, either natively through the app or by generating a publicly available link and sharing it via email, social media, malicious websites, SMS, or any other means,” he notes.
Netskope’s analysis showed that Google Drive has replaced Microsoft OneDrive as the most common cloud application attackers use to try to distribute malware to corporate networks. In fact, most cloud malware in 2021 was hosted and distributed through Google Drive.
At the same time, malware delivered via weaponized Microsoft Office documents jumped to 37% of all malware downloads, nearly doubling from 19% at the start of 2020. At least some of the increase in volume was related to a spam campaign involving the Emotet Trojan in the second quarter of 2020 that used malicious Microsoft Office documents. Since then, many other attackers have copied the tactic and contributed to a steady increase in the use of Office documents to deliver malware over the past six quarters.
“No matter what cloud applications your business uses, attackers are abusing them,” Canzanese says.
Google Drive, OneDrive and Box are favorites for attackers. But they are far from the only cloud applications that attackers are exploiting to distribute malware. Netskope blocked malware downloads from as many as 230 different cloud apps in 2021. “Chances are apps that many organizations trust are on this list,” it notes.
For security teams, the move to delivering malware in the cloud presents a new challenge.
“Organizations that have taken a ‘trust the apps we use’ approach should transition to a more defensive policy that scans downloads to and from those apps,” Canzanese says. Organizations should adopt a zero-trust approach to analyzing the content that users upload and download, regardless of their origin. It’s also important for organizations to use single sign-on and multi-factor authentication to protect cloud app accounts, he notes.
Netskope’s analysis showed that threat actors also actively target managed cloud applications – cloud applications such as Google Workspaces or Office 365, which a centralized IT function could manage – in credential attacks. In many cases, the goal is to access the data stored in these apps or to use the app to gain a wider foothold in a compromised network.
Cloud service providers and enterprise security teams both face challenges staying ahead of attackers abusing cloud applications, Canzanese says. But some cloud providers make it harder for attackers, he says.
Services such as Google Drive and OneDrive perform malware scanning, which means attackers must create payloads that cannot be automatically detected and blocked. When an attack is discovered, these services are typically quick to shut down activity, meaning threat actors only have a limited window of time to carry out an attack, he says.
“For most cloud service providers,” Canzanese says, “one of the challenges is responding to abuse notifications in a timely manner, to ensure that attacks are stopped quickly after they are discovered.”