According to Netskope’s latest Cloud and Threat Report, over the course of 2021 threat actors continued to exploit cloud services to deliver malware and other malicious content, such as phishing pages. This trend emerged during 2020, fueled by the pandemic and the distributed workforce's sudden, widespread adoption of cloud services, and it grew steadily over that year, with the percentage of malware delivered from cloud applications (as opposed to the web) soaring from 46% in Q1 to 65% in Q4. The trend then held steady throughout 2021, with values oscillating between 66% and 67% across the quarters of the past year.
If you drill down into the most exploited cloud applications, unsurprisingly, cloud storage services take the lead in this unwelcome chart. During 2021, 69% of the malicious content was delivered from an app in this category, ahead of collaboration (9%) and development tools (7%). These figures show how the current situation is reshaping the threat landscape: 70% of employees work remotely, meaning cloud storage and collaboration tools are instrumental to connecting distributed teams, and users are gaining confidence and trust in them. This is a tempting opportunity for the bad guys, who are taking full advantage of it.
In terms of the most exploited services to host and deliver malicious content, our report shows an arms race between Google Drive and OneDrive. If the Microsoft service took the scepter during 2020, the past year has seen a change of leadership, with the Google service taking over the first position (37%) ahead of OneDrive (20%) and SharePoint (9%). Interestingly, AWS ranks at number four with 6%, proving that IaaS services are equally compelling for the crooks (we will see an example shortly).
In terms of payload, the dispersion of the workforce is also shaping how the malicious content is distributed: remote teams need to exchange documents, and unsurprisingly documents have emerged as the primary vector for malware. During 2021, malicious Office documents accounted for nearly 40% of all malware downloads: a sharp increase compared with the beginning of 2020, when they represented only 19%, an increase that occurred in bursts driven primarily by Emotet (during the second quarter of 2020) and Dridex (at the beginning of 2021).
At the beginning of 2022, not only do the bad guys continue to exploit cloud services, but they are also getting more creative. Even worse, the abuse of the cloud is extending to other domains such as cyber warfare.
The Exploitation of Discord in the Ukrainian Cyber-War
From an infosecurity perspective, the new year has started with a bang. It was just a matter of time before the geopolitical tensions in Ukraine crossed the border into cyberspace. This started in mid-January 2022 when the country was hit by WhisperGate, a wiper malware masquerading as ransomware deployed in a devastating campaign targeting Ukrainian organizations. In the same period, Ukraine suffered the defacement of many government websites. WhisperGate is a multi-stage malware, and unsurprisingly one of the payloads is hosted on Discord, an instant messaging platform very popular among gamers and other communities and increasingly exploited by cyber-criminals; so far, primarily for opportunistic purposes.
Let’s Start Where We Left Off
If the exploitation of a cloud service for cyber warfare represents a novelty in the threat landscape, even in this initial part of the new year opportunistic threat actors continue with the same consolidated modus operandi that we outlined in 2021: using legitimate cloud services to deliver malicious Office documents. For example, Netskope Threat Labs recently discovered a campaign delivering multiple malware payloads, such as AveMaria (a.k.a. Warzone) and AgentTesla, via weaponized PowerPoint documents. To make the campaign more effective, the attackers used multiple evasion mechanisms, such as Bitly to shorten the URLs and several cloud services like MediaFire, Blogger and GitHub to host the payloads. Once again, the criminals took advantage of the lack of context in legacy web security technology, which in most cases does not inspect encrypted traffic at scale and, when it does, cannot recognize the context of a connection directed to a legitimate service (is this a legitimate or a rogue instance of GitHub?).
Unlimited Possibilities Make the Attackers More Creative
One of the advantages that cloud services offer cyber-criminals is the availability of multiple tools within the same application to deliver malicious content. For example, once a phishing page is set up in Google Forms, the attackers can leverage Gmail to deliver the payload, adding an element of legitimacy and evasion since the message appears to come from a trusted source. Inside each SaaS suite, there are multiple tools that can be exploited: Google Docs is another example that has teased the bad actors’ creativity: mentioning someone in a comment of a Google document triggers an email that can be abused to deliver malicious links to malware or phishing pages. The email appears completely legitimate to the unsuspecting user who probably doesn’t ask too many questions and follows the malicious links. This technique emerged for the first time at the end of 2020 and is currently still exploited in multiple campaigns.
Mitigating the Risks of Malicious Content Distributed via Malicious Cloud Instances
Nearly two-thirds of malware is now distributed via cloud applications: the old motto ‘think before you click’ is more relevant than ever considering the explosion of personal and corporate cloud services used on both personal and corporate devices. As an example, our latest Cloud and Threat Report shows that an organization with 500–2000 people used on average 39 distinct cloud storage apps during 2021, an impressive number and up from the 35 apps used in 2020.
Besides user awareness and education, organizations must shift to a cloud-delivered, context-driven and data-driven security model to enforce:
- Adaptive access controls based on multiple factors such as user, application, application risk, application instance, device, location, data sensitivity and destination to selectively grant access to specific activities or request step-up authentication before the activity.
- ZTNA to private apps in data centers and public cloud services to reduce the exposure of apps and limit network lateral movement.
- Cloud inline analysis of managed and unmanaged cloud apps for data context, plus web traffic within a single-pass secure access service edge (SASE) architecture to enable data and threat protection defenses with a fast user experience.
- Selective and safe enablement of cloud apps based on a comprehensive app risk assessment with the ability to recommend safer app alternatives via real-time coaching and proceed/cancel alerts.
- Granular policy controls for data protection, including movement to and from apps, between company and personal instances, shadow IT, users, websites, devices and locations.
- Advanced analytics to visualize and uncover app and data activity risks, threat activity, data protection violations, key security metrics and investigative details.
- Strong authentication and identity access controls (SSO, MFA, etc.) federated to managed and unmanaged apps and cloud services.
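The first and fifth controls above (adaptive access based on app, instance, device and data sensitivity; policy that distinguishes company from personal instances) are the part of this list that directly addresses the "legitimate or rogue instance" problem described earlier. The following Python sketch is an added example written for this post, not Netskope's code or the report's own logic: it classifies a cloud URL into app, category and instance, then returns allow / step-up / coach / block for a request context. The app catalogue, the tenant name "contoso", the instance inventory and every function name are constructed assumptions for illustration.

```python
"""Context-driven access decision for cloud app traffic (added example, hypothetical data)."""
from dataclasses import dataclass
from urllib.parse import urlparse
import posixpath

# Constructed catalogue: host suffix -> (app, category). Not a real product's catalogue.
APP_CATALOG = {
    "drive.google.com": ("Google Drive", "cloud storage"),
    "docs.google.com": ("Google Docs", "collaboration"),
    "sharepoint.com": ("OneDrive/SharePoint", "cloud storage"),
    "github.com": ("GitHub", "development tools"),
    "mediafire.com": ("MediaFire", "cloud storage"),
    "cdn.discordapp.com": ("Discord", "collaboration"),
}

# Constructed inventory of the company's own instances (hypothetical tenant "contoso").
# An entry is either a host, or "host/first-path-segment" for path-scoped instances.
CORPORATE_INSTANCES = {
    "OneDrive/SharePoint": {"contoso.sharepoint.com", "contoso-my.sharepoint.com"},
    "GitHub": {"github.com/contoso-org"},
}

OFFICE_EXTENSIONS = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm",
                     ".ppt", ".pptx", ".pptm", ".ppsx", ".ppsm"}


@dataclass
class Context:
    user: str
    url: str
    activity: str                 # "download" or "upload"
    device_managed: bool
    data_sensitivity: str         # "none", "internal" or "confidential"
    via_shortener: bool = False   # link arrived through a URL shortener such as Bitly


def classify_app(url):
    """Return (app, category) for the URL host, or (None, None) when the app is unknown."""
    host = urlparse(url).hostname or ""
    for suffix, (app, category) in APP_CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return app, category
    return None, None


def classify_instance(url, app):
    """'corporate' when the host or host/first-segment is in the inventory, else 'personal'."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    path = parsed.path.strip("/")
    first_segment = path.split("/")[0] if path else ""
    candidates = {host, f"{host}/{first_segment}"}
    if candidates & CORPORATE_INSTANCES.get(app, set()):
        return "corporate"
    return "personal"


def is_office_document(url):
    """True when the URL path ends in an Office document extension."""
    ext = posixpath.splitext(urlparse(url).path.lower())[1]
    return ext in OFFICE_EXTENSIONS


def decide(ctx):
    """Return (verdict, reason). Verdict is one of allow, step-up, coach, block."""
    app, category = classify_app(ctx.url)
    if app is None:
        # Unknown app: real-time coaching with a proceed/cancel prompt instead of a hard block.
        return "coach", "unmanaged app: prompt user and recommend a sanctioned alternative"
    instance = classify_instance(ctx.url, app)
    if ctx.activity == "upload" and ctx.data_sensitivity == "confidential" and instance != "corporate":
        return "block", f"confidential data to personal instance of {app}"
    if ctx.activity == "download" and is_office_document(ctx.url) and instance != "corporate":
        if not ctx.device_managed or ctx.via_shortener:
            return "block", f"Office document from personal {app} instance (unmanaged device or shortened link)"
        return "step-up", f"Office document from personal {app} instance: require MFA before download"
    return "allow", f"{app} ({category}), {instance} instance"


if __name__ == "__main__":
    # Constructed request contexts for demonstration.
    samples = [
        Context("alice", "https://contoso-my.sharepoint.com/personal/alice/Documents/report.docx",
                "download", True, "internal"),
        Context("bob", "https://github.com/someuser/repo/raw/main/invoice.pptx", "download", True, "none"),
        Context("bob", "https://github.com/someuser/repo/raw/main/invoice.pptx", "download", True, "none",
                via_shortener=True),
        Context("carol", "https://download1234.mediafire.com/abc/file/invoice.docm", "download", False, "none"),
        Context("dave", "https://drive.google.com/uc?id=xyz", "upload", True, "confidential"),
        Context("erin", "https://files.example-host.invalid/tool.zip", "download", True, "none"),
    ]
    for ctx in samples:
        verdict, reason = decide(ctx)
        print(f"{ctx.user:6} {verdict:8} {reason}")
```

The decision is driven by the same factors the list names (app, instance, activity, device posture, data sensitivity), and the instance check is what separates a download from the company's own SharePoint tenant from an identically hosted file in someone else's tenant; a URL-category filter alone cannot make that distinction.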
With the increasingly sophisticated methods of exploiting the cloud, combined with the continuation of remote workforce policies, companies need to evolve from the traditional approaches to security and be proactive in taking steps to mitigate the risks while remaining flexible to maximize the business potential offered by the cloud.