Netskope Tracks Malware Source to More Than 400 Cloud Apps

A report published today by secure access service edge (SASE) platform provider Netskope identified more than 400 distinct cloud applications that delivered malware in 2022. The report found that 30% of all cloud malware downloads in 2022 originated from the Microsoft OneDrive service.

Ray Canzanese, threat research director for Netskope, said that rather than building command-and-control systems to distribute malware, cybercriminals apparently find it simpler to use the wide range of existing public cloud services that many end users implicitly trust.

Cybersecurity teams, as a result, should be inspecting all HTTP and HTTPS traffic, regardless of the source, for malicious content, he added.

The Netskope report found more than 25% of users worldwide upload documents daily to Microsoft OneDrive, while 7% similarly use Google Gmail and 5% use Microsoft SharePoint. In addition to using those services to distribute malware, cybercriminals are also taking advantage of the opportunity to exfiltrate data once they gain access, noted Canzanese.

In many cases, cybersecurity teams tend to be overly focused on combatting sophisticated threats when most cybercriminals are generally inclined toward finding the path of least resistance, added Canzanese. Increasingly, that path appears to use a wide range of cloud applications to distribute malware hidden in files, he noted.

Netskope advised cybersecurity teams to focus more of their efforts on enforcing granular policy controls to limit data flow, including between applications, in addition to requiring multifactor authentication to access any unmanaged application. The tendency is to implement a policy only after a specific breach is reported, rather than maintaining consistent controls. Such a proactive approach would either limit the flow of data into and out of a class of applications or simply reduce the overall size of the defensible attack surface, said Canzanese.
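The two recommendations above, inspecting all HTTP/HTTPS traffic regardless of source and restricting data flow to unmanaged applications, can be illustrated as a policy evaluation over web-proxy records. The following is an added example, not Netskope's product logic or code from the report; the host names, content types, scan verdicts and log records are all constructed, and the MFA status is assumed to be supplied by an identity provider as a per-user attribute. It contrasts an allowlist policy that skips inspection for "trusted" cloud hosts with a policy that inspects every download and gates uploads to unmanaged apps.

```python
"""Added illustration: evaluating proxy records against two policies.

Compared on constructed sample records:
  - allowlist_policy: traffic to "trusted" cloud hosts is not inspected
  - inspect_all_policy: every download is evaluated regardless of host,
    and uploads to unmanaged apps require MFA
All hosts, content types, verdicts and records below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class WebRecord:
    user: str
    method: str         # GET = download, PUT/POST = upload
    host: str
    path: str
    content_type: str
    scan_verdict: str   # "clean" | "malicious" | "unknown" (constructed verdict from a scanner)


# Constructed: cloud services the organization manages or sanctions.
MANAGED_CLOUD_HOSTS = {"onedrive.live.com", "mail.google.com"}

# Constructed: content types that commonly carry executable or archived payloads.
RISKY_CONTENT_TYPES = {"application/x-msdownload", "application/zip"}


def allowlist_policy(rec: WebRecord) -> str:
    """Legacy approach: anything from a managed cloud host bypasses inspection."""
    if rec.host in MANAGED_CLOUD_HOSTS:
        return "allow"
    return "block" if rec.scan_verdict == "malicious" else "allow"


def inspect_all_policy(rec: WebRecord, mfa_ok: bool) -> str:
    """Inspect every download regardless of source; gate uploads to unmanaged apps."""
    if rec.method == "GET":
        if rec.scan_verdict == "malicious":
            return "block"
        if rec.scan_verdict == "unknown" and rec.content_type in RISKY_CONTENT_TYPES:
            return "quarantine"   # hold for analysis instead of trusting the host
        return "allow"
    # Upload: data may flow freely to managed apps; unmanaged apps need MFA (assumed attribute).
    if rec.host in MANAGED_CLOUD_HOSTS:
        return "allow"
    return "allow" if mfa_ok else "block"


# Constructed sample records (not real log data).
SAMPLE_RECORDS = [
    WebRecord("alice", "GET", "onedrive.live.com", "/download/invoice.exe",
              "application/x-msdownload", "malicious"),
    WebRecord("bob", "GET", "onedrive.live.com", "/download/report.pdf",
              "application/pdf", "clean"),
    WebRecord("carol", "GET", "files.example-share.test", "/shared/bundle.zip",
              "application/zip", "unknown"),
    WebRecord("dave", "PUT", "unmanaged-notes.test", "/api/upload",
              "text/plain", "clean"),
]

# Constructed: assumed MFA status per user, as an identity provider might report it.
MFA_BY_USER = {"alice": True, "bob": True, "carol": True, "dave": False}


def evaluate(records, mfa_by_user):
    """Return {user: (allowlist verdict, inspect-all verdict)} for each record."""
    return {
        rec.user: (allowlist_policy(rec),
                   inspect_all_policy(rec, mfa_by_user.get(rec.user, False)))
        for rec in records
    }


def missed_by_allowlist(records, mfa_by_user):
    """Users whose traffic the allowlist waved through but inspection would not."""
    results = evaluate(records, mfa_by_user)
    return sorted(u for u, (old, new) in results.items()
                  if old == "allow" and new != "allow")


if __name__ == "__main__":
    for user, (old, new) in evaluate(SAMPLE_RECORDS, MFA_BY_USER).items():
        print(f"{user:6} allowlist={old:10} inspect_all={new}")
    print("missed by allowlist:", missed_by_allowlist(SAMPLE_RECORDS, MFA_BY_USER))
```

The first record is the case the report describes: a malicious file served from a managed cloud host that the allowlist policy never inspects. The last record shows the data-flow control, an upload to an unmanaged application by a user without MFA.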

Of course, in the wake of the COVID-19 pandemic, there’s more usage of cloud applications than ever. Employees today routinely share files via various cloud services with little to no intervention from an internal IT team. Very few organizations have even a single standard platform. When it comes to cloud applications, each department—sometimes even each individual user—tends to use whatever app they personally prefer.

It’s not clear what cloud application providers might be able to do to thwart these types of attacks, especially when the root cause of the issue may be compromised end user credentials. Much of the onus for thwarting these attacks is going to remain with cybersecurity teams for the foreseeable future.

In the meantime, more employees are returning to an office. That doesn’t mean they won’t be using cloud services to share files, but it does mean they might not be using insecure systems and networks at home nearly as much. The best defense—regardless of where end users are located—is, as always, going to be education. Carelessness is, after all, the one factor cybercriminals count on to achieve their goals. The challenge is getting end users to appreciate just how trivial it is for cybercriminals to use cloud applications to inject malware into an application environment.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.