Public cloud security has always been a challenge, and there is no indication that it will get easier. According to a McAfee study, for instance, cloud adoption increased 15 percent over the past year. At the same time, sharing of sensitive data over a public link and the number of IaaS misconfiguration incidents also increased, putting data stored in the cloud at risk.
And now we’ve learned that threat actors are turning to the public cloud in a new way. Netskope Threat Research Labs discovered malware called CapitalInstall that installs adware Linkury, which is “delivered from Microsoft Azure blob storage whose IP range was whitelisted by the multiple customers.”
CapitalInstall is associated to a family of potentially unwanted applications (PUPs) that victims may have unintentionally loaded onto their machines. The malware is delivered through drive-by-download links from a website claiming to provide keys and licenses related to software, Netskope reported. Then, once installed, a series of enticing messages show up in victims’ machines, inviting users to download and install the adware.
The malware was initially detected in the healthcare and retail sectors; however, this particular family is used to generate revenue through ads related to mining cryptocurrencies and fake search engines.
Fertile Ground for Threat Actors
Cloud data storage services are turning out to be fertile ground for threat actors, said Ashwin Vamshi of the Netskope security research team. The services are used to host and serve malware. What makes them such fertile ground is our general trust in cloud services.
“End users, as well as security professionals, tend to place implicit trust in cloud vendors such as Microsoft, AWS, Google and SaaS app vendors such as Box and Salesforce,” Vamshi explained. This allows threat actors to take advantage of any cracks in the system. The result, he added, is that we are now seeing malware shared publicly in these services and being used to infect new organizations, as well as malware shared privately being used to spread within an organization.
“Enterprises using cloud services should not implicitly trust something just because of the associated cloud service,” he advised. “If there is no evaluation performed for gaps in security controls like DLP and threat detection, then all cloud data and the users of the cloud services are at risk. Businesses need to be aware of what types of data are being stored in both sanctioned and unsanctioned cloud services.”
Stepping Up Efforts to Stop the Spread of Malware
Organizations can take the upper hand here to stop the spread of this malware and protect their own data from potential threats. Vamshi and Netskope recommended the following tips to enterprises to stay protected:
- Understand the shared responsibility model and identify security controls that are their responsibility.
- Deploy a multi-layered cloud-aware solution for threat detection, to protect against attackers hosting malicious files in IaaS object stores.
- Educate enterprise administrators and users on the implications of whitelisting IP’s and sharing files across users.
- Educate users on the best practices and to refrain from installs, downloads and accessing any website promoting cracks, keys and licenses of popular software.
According to Netskope, CapitalInstall is “a classic example of malware being hosted over IaaS for delivering the payload using placeholder websites.” As more organizations rely on public cloud services for data storage and data sharing, we should expect to see more instances of threat actors looking to take advantage of the trust we have in IaaS. Today it is adware. Tomorrow it could be malware that is much more dangerous, targeting more industries including the critical infrastructure. The more we understand that cloud-related security is the responsibility of enterprise, the more equipped we are to stop spreading malware like this.