New research shows that enterprise organizations these days are far more likely to experience malware downloads from cloud applications than any other source.
Researchers at Netskope recently analyzed data gathered from customer networks and discovered that more than two-thirds of malware downloaded to enterprise networks between Jan. 1, 2020, and Nov. 30, 2021, originated from cloud applications. The security vendor found that cloud-delivered malware has become more prevalent than malware delivered via the Web and via malware-laced websites.
Much of the shift has to do with convenience and cost for attackers, says Ray Canzanese, director of Netskope Threat Labs.
Cloud storage apps offer free or low-cost file hosting services and give attackers a way to reach many potential victims. “Attackers trying to get a foothold in an organization know that a user is more likely to open a link to a service that they regularly use,” such as Google Drive, he says. “If an attacker sent me a link to download a file from Dropbox, I might not click on it because I rarely use Dropbox for work.”
Significantly, many widely used cloud apps are relatively trivial to abuse, though major cloud service providers are getting better at spotting and taking down malicious activity quickly. Attackers can easily create a free account for many cloud storage apps and just start uploading malware samples to them, Canzanese says.
“Then they share links to that content, either natively through the app or by generating a publicly accessible link and sharing it via email, social media, malicious websites, text messages, or any other means,” he notes.
Netskope’s analysis showed that Google Drive has replaced Microsoft OneDrive as the cloud app that attackers most frequently use to try to distribute malware to enterprise networks. In fact, most cloud-delivered malware in 2021 was hosted and distributed via Google Drive.
At the same time, malware delivered via weaponized Microsoft Office documents jumped to 37% of all malware downloads — a near doubling from the 19% at the start of 2020. At least some of the increased volume had to do with a spam campaign involving the Emotet Trojan in the second quarter of 2020 that involved the use of malicious Microsoft Office documents. Since then, numerous other attackers have copied the tactic and contributed to a steady increase in the use of Office documents to deliver malware over the past six quarters.
“No matter which cloud apps your company uses, attackers are abusing them,” Canzanese says.
Google Drive, OneDrive, and Box are attacker favorites, but they are far from the only cloud apps that attackers are leveraging to distribute malware. Netskope blocked malware downloads from as many as 230 different cloud apps in 2021. “Chances are that the apps that many organizations trust are on this list,” he notes.
For security teams, the shift to cloud-based malware delivery presents a new challenge.
“Organizations that have taken a ‘trust the apps we use approach’ should shift to a more defensive policy that scans downloads from and uploads to those apps,” Canzanese says. Organizations need to take a zero-trust approach to scanning content that users upload and download, regardless of origin. Also important is the need for organizations to use single sign-on and multifactor authentication to protect cloud app accounts, he notes.
Netskope’s analysis showed that threat actors are also actively targeting managed cloud apps — or cloud apps such as Google Workspaces or Office 365, which a centralized IT function might manage — in credential attacks. In many instances, the goal is to try to gain access to the data stored in these apps, or to use the app to gain a broader foothold on a compromised network.
Cloud service providers and enterprise security teams both face challenges keeping a step ahead of attackers abusing cloud apps, Canzanese says, but some cloud providers are making things harder for attackers.
Services like Google Drive and OneDrive perform malware scanning, which means attackers must craft payloads that cannot be automatically detected and blocked. When an attack is discovered, such services are usually quick to take down the activity, which means threat actors have only a limited window of time in which to carry out an attack, he says.
“For most cloud service providers,” Canzanese says, “one challenge is to respond to abuse notifications in a timely manner, to ensure that attacks are stopped quickly after they are discovered.”