A report published today by Menlo Security, a provider of a global cloud proxy platform, details the degree to which public cloud file services are now being used as a mechanism to distribute malware. The report finds nearly one-third (29%) of all attacks analyzed by Menlo Security researchers leveraged a legitimate SaaS service.
Of the attacks that used SaaS as an attack vector, two-thirds (67%) originated from an online personal storage platform, while one-fourth originated from shareware or freeware. The report also finds nearly all the attacks (97%) originated from five SaaS providers: Microsoft, Google, Dropbox, Box and Amazon. Microsoft OneDrive alone accounted for 90% of all attacks involving online personal storage, according to the report.
Menlo Security CTO Kowsik Guruswamy said there is implied trust of these file services among end users that cybercriminals have become adept at exploiting. A cybercriminal simply needs to store a piece of malware in a SaaS platform as a raw or .ZIP file and then offer to share that file with a targeted user. If the user downloads the file, all the defenses the cybersecurity team has put in place are bypassed.
Historically, cybercriminals may have relied on email systems to deliver these attacks, but it’s now clear that SaaS applications are being employed more frequently as an alternative vehicle for distributing malware, noted Guruswamy.
That shift in tactic only serves to further highlight the need to transition to a zero-trust approach to networking and cybersecurity. The National Institute of Standards and Technology (NIST), an arm of the U.S. Department of Commerce, defines a zero-trust architecture as a shift away from static, network-based perimeters in favor of assuming there is no implicit trust granted to assets or user accounts based solely on their physical or network location.
The challenge most organizations face, however, is that in most cases transitioning to a zero-trust architecture requires a major investment in new platforms. Menlo Security as a first step is making a case for a proxy service delivered via the cloud that isolates endpoints from malware. Guruswamy said that approach is needed because it’s already been shown that scanning files for malware simply isn’t enough to identify all the variants of malware that might be hidden in any file.
Of course, many cybersecurity professionals might prefer to simply ban use of public cloud file services within their organizations. However, even if such a ban was possible, many end users would still find it too convenient to distribute files using these services. Unless IT teams are prepared to deliver an equivalent service that can be accessed by both internal employees and external business partners, it’s probable end users will continue to use these services regardless of what a corporate policy might try to dictate.
Obviously, cybersecurity teams should also be doing more to educate end users on the potential threat. There will be a base of users who, either out of ignorance or willful disregard, wind up downloading malware from a public cloud file service. The next big challenge is identifying the malware before it ever gets a chance to be activated.