Malware Delivered Via Cloud Services Rises

  • 53% of Web traffic is now cloud-related, a 20% year over year increase.
  • 61% of all malware is directly delivered via the cloud.
  • Malicious Office documents represented 17% of all malware detected.

If there’s one certainty in cybersecurity, it’s that attackers will go where enterprise workers go — and enterprise workers went cloud in a big way in 2020.

That enterprises, in their rapid shift to remote work, moved to cloud computing last year shouldn’t surprise anyone. And that’s precisely what happened, according to a recently released report from cloud security services provider Netskope. The report is based on anonymized data Netskope collected from its userbase throughout 2020.

The report, Cloudy with a Chance of Malice, finds the use of cloud apps in the enterprise continues to increase, with 53% of Web traffic now being cloud-related, a 20% year over year increase, and 61% of all malware directly being delivered via the cloud. Here’s another interesting data point from the report: organizations with between 500 and 2,000 employees use, on average, 664 separate cloud apps a month.

According to the report, attackers are also targeting the most popular apps used by enterprise employees. To avoid blocklists, attackers are often turning to these popular apps with trojans and next-stage malware. The report cites the GuLoader downloader as “one of the top malware delivery mechanisms of 2020” using Microsoft OneDrive and Google Drive to deliver payloads.

According to Netskope, malware was blocked in 95 separate apps. “However, attackers still tend to favor using apps that are popular in the enterprise. Cybercriminals uploaded the majority of the blocked malware to the most popular cloud storage and collaboration apps in the enterprise,” the report said.

Of course, Microsoft Office documents have always been a popular attack vector, and last year was no different. According to Netskope, last summer witnessed a tremendous spike in malware “as the Emotet crew became active again, primarily using malicious Office documents to gain an initial foothold into their victims’ networks. Malicious Office documents represented 17% of all malware detected by the Netskope Security Cloud platform at the beginning of the year, increasing to 38% at the peak of the Emotet activity in Q3 and ending the year at 27%. In 2020, the Netskope Security Cloud blocked downloads of malicious Office documents from 64 different cloud apps, with the majority coming from the most popular cloud storage and collaboration apps used in the enterprise,” the report said.
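The two findings above (payloads staged on popular cloud storage apps, and malicious Office documents as the initial foothold) translate into a simple detection a defender can run over web proxy logs: flag Office-document downloads that originate from cloud storage hosts, then check the retrieved file for an embedded VBA project. The following is an added example, not code from the Netskope report or its platform; the log line format, the host list, and the sample records are all constructed for illustration, and the macro check is a heuristic (OOXML `vbaProject.bin` part, or a UTF-16 `VBA` storage name in a legacy OLE file), not a full parser.

```python
"""Flag Office-document downloads from cloud storage apps in proxy logs and
check the downloaded file for embedded VBA macros.

Added example; not code from the Netskope report. The log format, host list
and sample lines below are constructed for illustration.
"""
import io
import zipfile
from collections import Counter
from urllib.parse import urlsplit

# Constructed proxy-style log lines (assumed format):
# timestamp user method url mime_type bytes
SAMPLE_LOG = """\
2020-07-14T09:02:11Z alice GET https://onedrive.live.com/download?cid=AB12&resid=9 application/vnd.openxmlformats-officedocument.wordprocessingml.document 48211
2020-07-14T09:05:40Z bob GET https://drive.google.com/uc?export=download&id=1xY application/vnd.ms-word.document.macroEnabled.12 60322
2020-07-14T09:07:02Z carol GET https://intranet.example.corp/policies/handbook.docx application/vnd.openxmlformats-officedocument.wordprocessingml.document 120400
2020-07-14T09:09:15Z dave GET https://drive.google.com/uc?export=download&id=7Qz application/pdf 9001
"""

# Hosts for the two services the report names (OneDrive, Google Drive);
# the exact set is an assumption and should be extended per environment.
CLOUD_STORAGE_HOSTS = {"onedrive.live.com", "1drv.ms", "drive.google.com", "docs.google.com"}

# MIME prefixes covering legacy OLE and OOXML Office formats.
OFFICE_MIME_PREFIXES = (
    "application/msword",
    "application/vnd.ms-excel",
    "application/vnd.ms-powerpoint",
    "application/vnd.ms-word",
    "application/vnd.openxmlformats-officedocument",
)

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def parse_log(text):
    """Split whitespace-separated log lines into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, user, method, url, mime, size = parts
        records.append({"ts": ts, "user": user, "method": method,
                        "url": url, "mime": mime, "bytes": int(size)})
    return records


def is_cloud_storage(url):
    """True when the URL host is one of the tracked cloud storage apps."""
    host = (urlsplit(url).hostname or "").lower()
    return host in CLOUD_STORAGE_HOSTS


def is_office_mime(mime):
    """True for legacy and OOXML Office MIME types (including macroEnabled variants)."""
    return mime.lower().startswith(OFFICE_MIME_PREFIXES)


def flag_cloud_office_downloads(records):
    """Return records that are Office documents fetched from cloud storage apps."""
    return [r for r in records
            if r["method"] == "GET" and is_cloud_storage(r["url"]) and is_office_mime(r["mime"])]


def count_by_host(flagged):
    """Per-host tally of flagged downloads, useful for spotting the most-abused app."""
    return Counter(urlsplit(r["url"]).hostname for r in flagged)


def has_vba_macros(data):
    """Heuristic macro check: OOXML packages carry macros in a vbaProject.bin part;
    legacy OLE files hold a 'VBA' storage whose name is stored as UTF-16LE."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    if data.startswith(OLE_MAGIC):
        return "VBA".encode("utf-16-le") in data
    return False


def build_docx(with_macro):
    """Construct a minimal OOXML-style package (constructed test data, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    flagged = flag_cloud_office_downloads(parse_log(SAMPLE_LOG))
    for r in flagged:
        print(f"{r['ts']} {r['user']} {r['url']} ({r['mime']})")
    print(count_by_host(flagged))
    print("macro check:", has_vba_macros(build_docx(True)), has_vba_macros(build_docx(False)))
```

On the constructed log, only the OneDrive and Google Drive fetches of Office types are flagged; the intranet `.docx` and the PDF from Google Drive are not. In practice the flagged records would be joined against the sandbox or DLP verdict for the file, and `has_vba_macros` is only a cheap first pass before handing the file to a proper OLE/VBA parser.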

Additionally, 36% of phishing campaigns target cloud app credentials and 13% of campaigns use phishing lures hosted in the cloud, as attackers continue to use cloud apps to gain footholds in organizations.

Finally, sensitive data in personal apps is a rising challenge. As remote work becomes the new norm, the instances of personal apps creeping into enterprise workflows increase. “A full 83% of users access personal app instances on corporate devices. The average enterprise user uploads 20 files to personal apps each month from these managed devices. Personal app usage in the enterprise greatly increases the likelihood of data being mishandled or leaked,” Netskope said in a statement.

Netskope recommends organizations implement the following best practices:

  • Strong authentication and access controls (SSO, MFA, etc.) federated to managed and unmanaged apps
  • Adaptive access controls based on the user, app, instance, device, location, data, and destination to selectively grant access to specific activities
  • Zero Trust Network Access to private apps in data centers and public cloud services to reduce exposure of apps and limit network lateral movement
  • Continuous security assessment of public cloud services to detect misconfigurations and publicly exposed data, plus storage scans for data-at-rest for data and threat protection
  • Cloud inline analysis of managed and unmanaged cloud apps for data context, plus web traffic within a single-pass SASE architecture to enable data and threat protection defenses with a fast user experience
  • Selective and safe enablement of cloud apps based on a third-party risk assessment with the ability to recommend safer app alternatives via real-time coaching
  • Granular policy controls for data protection, including data movement to and from apps, instances, users, websites, devices, and locations
  • Cloud data protection (DLP) for sensitive data from internal and external threats
  • Behavior analysis for anomalies, plus confidence index scores for users with event correlation timelines to visualize changes in behavior
  • Real-time coaching to users on activity and data movement

“Cybercriminals increasingly abuse the most trusted and popular cloud apps, especially for cloud phishing and cloud malware delivery,” says Ray Canzanese, threat research director at Netskope. “Enterprises using the cloud need to quickly modernize and extend their security architectures to understand data content and context for apps, cloud services, and web user activity,” he says.