April 13, 2021 By David Bisson 2 min read

Malware actors aren’t struggling to adapt their attack campaigns to cloud applications. If they were, then they probably wouldn’t have sent 61% of their malicious payloads in 2020 via cloud-based apps.

That’s up from 48% of malware samples in 2019, according to a study from Netskope. This reveals the extent to which digital attackers are turning to the cloud more and more. This preference comes with certain advantages; using cloud apps helps the attackers evade older email and web defense solutions.

Read on to learn more about how cloud-based apps factor into attacks.

The Importance of Cloud App Security

As noted in the report, the number of cloud applications leveraged by enterprise increased 20% over the course of 2020. Organizations with at least 500 employees and at most 2,000 workers are now using an average of 664 distinct cloud apps each month.

Half of those programs registered a ‘Poor’ rating on the study’s Cloud Confidence Index. This finding shows that many of the cloud apps weren’t ready for enterprise use.

It’s therefore not surprising that digital attackers are using these apps to distribute cloud malware. To be specific, more than half (58%) turned to malicious Microsoft Office documents. They could use these as a means of sending ransomware, back doors and other threats.

At the same time, they’re using cloud apps in other ways, too. Attackers now target cloud-based apps in more than one-third (36%) of phishing attacks as a means of gaining a foothold in the target’s network.

More Recent Cloud App Breaches

Some examples would be useful here. In September 2020, for instance, Proofpoint witnessed a threat actor known as ‘TA2552’ using Spanish-language lures in order to trick users into visiting Microsoft-themed consent pages. Those pages instructed the users to grant a third-party application read-only user permissions to their Office 365 account — rights that the attackers could have used to steal a victim’s information and/or conduct identity theft.

In another piece of research, Proofpoint discovered 180 distinct cloud applications using ‘consent phishing’ tactics in an attempt to access cloud resources over the course of 2020.

Proofpoint wasn’t the only security vendor that spotted malicious actors misusing cloud applications. In October 2020, for instance, Cisco Talos observed the DoNot APT team spreading a new threat called Firestarter. The attackers had the malware interact with the Google Firebase Cloud Messaging cloud solution in order to pinpoint the final payload location.

How to Defend Against Cloud App Misuse

The examples described above highlight the need for groups to defend themselves against misuse of cloud applications. One of the ways they can do this is by managing access to their cloud-based apps. Knowing phishers’ growing preference for these types of programs, consider using multifactor authentication and enabling single sign-on. These controls will help to limit who can access what within those apps.

Organizations also need to prevent digital attackers from gaining access to the information stored within their cloud applications. Towards that end, they should consider using data encryption. Not only will this help to render sensitive information inaccessible in the event of a data breach, but it might also prevent a ransomware strain from activating its encryption routine if an infection does succeed.

More from News

CISA warns about credential access in FY23 risk & vulnerability assessment

3 min read - CISA released its Fiscal Year 2023 (FY23) Risk and Vulnerability Assessments (RVA) Analysis, providing a crucial look into the tactics and techniques threat actors employed to compromise critical infrastructure. The report is part of the agency’s ongoing effort to improve national cybersecurity through assessments of vulnerabilities in key sectors. Meanwhile, IBM’s X-Force Threat Intelligence Index 2024 has identified credential access as one of the most significant risks to organizations. Both reports shed light on the persistent and growing threat of…

CISA launches portal to simplify cyber incident reporting

2 min read - Information sharing just got more efficient. In August, the Cybersecurity and Infrastructure Security Agency (CISA) launched the CISA Services Portal. “The new CISA Services Portal improves the reporting process and offers more features for our voluntary reporters. We ask organizations reporting an incident to provide information on the impacted entity, contact information, description of the incident, technical indications and steps taken,” a CISA spokesperson said in an email statement. “Reported incidents enable CISA and our partners to help victims mitigate…

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today