Cloud apps delivering greatest malware threat

Published on the 20/01/2022 | Written by Heather Wright

Web downloads no longer the biggest malware headache…

More than two-thirds of malware downloads in 2021 came not from web downloads, but from cloud apps, with Google Drive topping the list as the app with the most malware downloads.

The Netskope research, drawn from data collected from the Netskope Security Cloud during 2021, highlights how attackers are finding success using cloud apps to deliver malware payloads.

Accounting for 46 percent of malware downloads at the beginning of 2020, malware downloads originating from cloud apps soared to 66 percent in 2021, with Google Drive accounting for 37 percent of malware downloads and OneDrive, 20 percent.

But while there has been a big increase, Netskope's Cloud and Threat Report, January 2022 Edition, notes that cloud-based malware delivery held steady at around 66 percent from Q2 to Q4 of 2021, a level the company expects to persist this year.

An IBM report last year noted that crypto miners and ransomware were the most common malware in cloud environments, accounting for more than half of detected system compromises.

“Threat actors are continuing to pursue clouds in their malware development, with new variants of old malware focusing on Docker containers, as well as new malware being written in programming languages, like Golang, that run cross-platform,” 2021 IBM Security X-Force Cloud Threat Landscape Report says.

While the popularity of cloud and cloud storage apps is one obvious reason for the rise in malware targeting cloud apps, IBM noted that cloud environments 'may not receive the same level of oversight as on-premises servers, which is appealing for threat actors and makes it easier for "noisy" malware like DDoS bots and crypto miners to remain undetected for longer periods'.

The X-Force research also noted a shift from targeting generic Linux systems to focusing on Docker containers, with attacks on Docker tending to fall into three categories: registry, host and running-container attacks.

While Netskope's report has Google Drive taking over from Microsoft OneDrive as the number one app for malware downloads, Microsoft remains firmly in attackers' sights: cloud-delivered malware in Microsoft Office documents nearly doubled, with malicious Office documents now accounting for 37 percent of all malware downloads, up from 19 percent in 2020, as attackers continue to use weaponised Office documents to gain an initial foothold on target systems.

The report notes how the Emotet mal-spam campaign of 2020 produced a sudden spike in malicious Office documents. The onslaught of attacks by copycats has continued since, with no sign of slowing: Microsoft Office documents now represent one-third of all malware downloads, compared with one-fifth before Emotet.

Of greatest concern, says Ray Canzanese, Netskope Threat Labs threat research director, is not just that attackers are continuing to deliver malicious content using Office docs and cloud apps, but that they continue to have success reaching users.

He says the increasing popularity of cloud apps has given rise to three types of abuse: Attackers trying to gain access to victim cloud apps, attackers abusing cloud apps to deliver malware and insiders using cloud apps for data exfiltration.

Credential attacks against managed cloud apps have continued at the same rate as in 2020, Netskope's report shows, with more than half of managed cloud instances targeted by attacks including password spraying and credential stuffing. The source of the attacks, however, has shifted 'significantly': just two percent of the login attempts in 2021 came from IP addresses that had launched credential attacks in 2020, so a blocklist built from last year's attacker addresses would have caught almost none of this year's attempts. The country of origin has also shifted, with the US overtaking Thailand as the top source of attacker login attempts.
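The two percent overlap figure is the practical argument for triggering on behaviour rather than on source reputation. The following is an added example, not code from Netskope or from the article, that spots password spraying in a constructed set of SSO login events by counting how many distinct accounts one source tries inside a short window, then checks each flagged source against a stale denylist. The log layout, thresholds and the sample addresses (RFC 5737 documentation ranges) are assumptions.

```python
"""Password-spray detection over constructed SSO login events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one attempt per line: timestamp,src_ip,username,result.
# Addresses come from the RFC 5737 documentation ranges; none is a real attacker.
SAMPLE_LOG = """\
2021-11-03T08:00:01Z,203.0.113.10,alice,FAIL
2021-11-03T08:00:04Z,203.0.113.10,bob,FAIL
2021-11-03T08:00:07Z,203.0.113.10,carol,FAIL
2021-11-03T08:00:09Z,203.0.113.10,dave,FAIL
2021-11-03T08:00:12Z,203.0.113.10,erin,FAIL
2021-11-03T08:00:15Z,203.0.113.10,frank,SUCCESS
2021-11-03T08:01:00Z,198.51.100.7,alice,FAIL
2021-11-03T08:01:30Z,198.51.100.7,alice,FAIL
2021-11-03T08:02:00Z,198.51.100.7,alice,SUCCESS
2021-11-03T09:00:00Z,192.0.2.55,grace,SUCCESS
"""

# A denylist of sources seen spraying "last year" (assumed, constructed).
LAST_YEAR_ATTACKER_IPS = {"192.0.2.200", "198.51.100.250"}


def parse_log(text):
    """Turn the CSV-style lines into event dicts with parsed timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user,
            "ok": result == "SUCCESS",
        })
    return events


def detect_spraying(events, min_users=5, window=timedelta(minutes=10)):
    """Flag source IPs that try at least `min_users` distinct accounts within `window`.

    One account hammered many times (brute force) does not match: spraying is
    characterised by breadth of accounts, not depth of attempts per account.
    Returns {ip: {"distinct_users": n, "compromised": [users that succeeded]}}.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # advance the window's left edge until it spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if len({e["user"] for e in evs[start:end + 1]}) >= min_users:
                alerts[ip] = {
                    "distinct_users": len({e["user"] for e in evs}),
                    # any success from a spraying source is a probable compromise
                    "compromised": sorted({e["user"] for e in evs if e["ok"]}),
                }
                break
    return alerts


def triage(alerts, known_attacker_ips):
    """Split alerts into sources already on the denylist and new ones.

    With only a small year-on-year overlap in attacker addresses, most sprays
    land in the "new" bucket, which is why behaviour, not reputation, must trigger.
    """
    known = {ip: a for ip, a in alerts.items() if ip in known_attacker_ips}
    new = {ip: a for ip, a in alerts.items() if ip not in known_attacker_ips}
    return {"known": known, "new": new}


if __name__ == "__main__":
    found = detect_spraying(parse_log(SAMPLE_LOG))
    for ip, info in triage(found, LAST_YEAR_ATTACKER_IPS)["new"].items():
        print(f"NEW spraying source {ip}: {info}")
```

On the constructed data the sprayer at 203.0.113.10 touches six accounts in fourteen seconds and lands one success, so that account should be treated as compromised; the repeated failures against a single account from 198.51.100.7 are brute force, not spraying, and are left for a separate rule.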

Rounding out the key cloud app threats according to Netskope was insiders using personal cloud app instances to take data when they leave their jobs.

Between 2020 and 2021, an average of 29 percent of departing employees downloaded more files than before from managed corporate app instances in their final 30 days, and 15 percent uploaded more files than before to personal app instances over the same period.
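A simple form of that check, as an added example that is not Netskope's code and not from the article: compare each user's per-day download and upload volumes in their final 30 days with the preceding 90 days, over a constructed set of SaaS audit events. The event layout, thresholds and user names are assumptions.

```python
"""Departing-employee data-movement check over constructed SaaS audit events (added example)."""
from collections import defaultdict
from datetime import date, timedelta


def build_sample_events():
    """Constructed audit events: (day, user, action, instance_type, file_count).

    instance_type is "managed" (corporate tenant) or "personal". mallory behaves
    normally for 90 days, then in her final 30 days pulls far more from the
    managed instance and pushes files to a personal one; alice is a control.
    """
    leave_day = date(2021, 12, 31)
    events = []
    for i in range(120):
        day = leave_day - timedelta(days=119 - i)  # 120 days ending on leave_day
        in_final_30 = (leave_day - day).days < 30
        events.append((day, "mallory", "download", "managed", 40 if in_final_30 else 2))
        if in_final_30:
            events.append((day, "mallory", "upload", "personal", 30))
        events.append((day, "alice", "download", "managed", 3))
        events.append((day, "alice", "upload", "personal", 1))
    return events, leave_day


def departure_profile(events, user, leave_day, final_days=30, baseline_days=90):
    """Per-day volume of each action:instance pair, baseline window vs final window.

    Returns {"download:managed": (baseline_per_day, final_per_day), ...}.
    """
    final_start = leave_day - timedelta(days=final_days - 1)
    base_start = final_start - timedelta(days=baseline_days)
    final_totals, base_totals = defaultdict(int), defaultdict(int)
    for day, who, action, instance, count in events:
        if who != user:
            continue
        key = f"{action}:{instance}"
        if final_start <= day <= leave_day:
            final_totals[key] += count
        elif base_start <= day < final_start:
            base_totals[key] += count
    keys = set(final_totals) | set(base_totals)
    return {k: (base_totals[k] / baseline_days, final_totals[k] / final_days) for k in keys}


def flag_exfiltration(events, user, leave_day, ratio=3.0, min_per_day=5):
    """Return reasons the user's final-window activity looks like exfiltration.

    Both gates must pass: the final rate must be at least `ratio` times the
    baseline (floored at 1/day so a zero baseline does not make a single upload
    look infinite) and at least `min_per_day`, to ignore trivially small volumes.
    """
    reasons = []
    for key, (base, final) in sorted(departure_profile(events, user, leave_day).items()):
        if final >= min_per_day and final >= ratio * max(base, 1.0):
            reasons.append(f"{key}: {base:.1f}/day -> {final:.1f}/day")
    return reasons


def run_sample():
    """Run the check over the constructed events for both users."""
    sample, leave = build_sample_events()
    return {person: flag_exfiltration(sample, person, leave) for person in ("mallory", "alice")}


if __name__ == "__main__":
    for person, reasons in run_sample().items():
        print(person, reasons or "no anomaly")
```

The baseline floor matters in practice: most users never upload to a personal instance, so a ratio test alone would flag the first file anyone ever moves; the absolute floor keeps the alert for volumes that are worth an analyst's time.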

So what's a company to do? Netskope serves up the following recommendations:

  1. SSO/MFA for both managed and unmanaged apps, including adaptive policy controls invoking step-up authentication based on user, device, app, data and activity.
  2. Multi-layered, inline threat protection for all cloud and web traffic to block malware from reaching endpoints, plus blocking of outbound malware communications.
  3. Granular policy controls for data protection, including data movement to and from apps, between company and personal instances, shadow IT, users, websites, devices and locations.
  4. Cloud data protection for sensitive data from internal and external threats across web, email, SaaS, shadow IT and public cloud services, and security posture management for SaaS and IaaS.
  5. Behavioural analysis to detect insider threats, data exfiltration, compromised devices and compromised credentials.

Google Docs phishing 

Google Docs is also under scrutiny for an abuse of its comment feature, reported by Avanan, which lets attackers deliver links to malicious phishing websites to end users.

Back in October 2021, warnings circulated about how spammers were able to use Google Docs comments to send messages to nearly any email address. The notifications come directly from Google, bypassing most scanners, and because they carry only the attacker's display name rather than their email address, they are harder for anti-spam filters to judge and harder still for end users.

Email and SaaS security company Avanan, now part of Check Point, says that vulnerability hasn't been fully closed, and attacks are ramping up.

Starting in December, the company says it observed ‘a new massive wave of hackers leveraging the comment feature in Google Docs targeting primarily Outlook users’.

Avanan says it found activity in more than 500 inboxes across 30 tenants from hackers using more than 100 different Gmail accounts.
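Because the notification really does come from Google and shows only a display name, a filter keyed on sender reputation or sender address has nothing to catch; what it can judge is where the links in the comment lead. The following is an added example, not code from Avanan, Google or the article, that parses a constructed comment-notification email and quarantines it when the comment body links outside Google's own domains. The sender address, message layout and trusted-host list are assumptions about how such notifications look, not facts taken from the article.

```python
"""Link-destination triage for Google Docs comment notifications (added example)."""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed notification, not a real message. The sender address and body
# layout are assumptions; the ".invalid" TLD is reserved and never resolves.
SAMPLE_EMAIL = """\
From: "Payroll Team (Google Docs)" <comments-noreply@docs.google.com>
To: victim@example.com
Subject: Payroll Team mentioned you in a comment in "Q4 Bonus Schedule"
Content-Type: text/plain; charset="utf-8"

Payroll Team added a comment to Q4 Bonus Schedule

@victim@example.com please confirm your details here before Friday:
https://example-payroll-login.invalid/verify?u=victim

Open https://docs.google.com/document/d/CONSTRUCTED_ID/edit
You received this email because you were mentioned.
"""

# Assumed: the address the notifier sends from, and hosts a comment may legitimately link to.
NOTIFIER_ADDRESS = "comments-noreply@docs.google.com"
TRUSTED_HOSTS = ("google.com", "docs.google.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_docs_comment_notification(msg):
    """Key on the real sender address, never on the attacker-controlled display name."""
    sender = email.utils.parseaddr(str(msg["From"]))[1].lower()
    return sender == NOTIFIER_ADDRESS


def external_links(msg):
    """Return every URL in the plain-text body whose host is not under a trusted domain."""
    body = msg.get_body(preferencelist=("plain",)).get_content()
    found = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        trusted = any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)
        if not trusted:
            found.append(url)
    return found


def triage(raw_message):
    """Decide whether a comment notification should be held for review.

    Only genuine notifier mail is inspected this way; anything else goes through
    the ordinary pipeline. A notification is quarantined if its comment text
    links anywhere outside the trusted hosts, whatever the display name says.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name = email.utils.parseaddr(str(msg["From"]))[0]
    links = external_links(msg) if is_docs_comment_notification(msg) else []
    return {"display_name": display_name, "external_links": links, "quarantine": bool(links)}


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

The display name in the sample is exactly what a user sees, and it is chosen by whoever wrote the comment; the only fields the recipient's mail system can trust are the authenticated sender address and the link destinations, so the decision rests on those alone.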
