Report: Cloud Apps Abused for Malware Delivery

The growing use of platforms like OneDrive and SharePoint is creating new avenues of attack.

Industrial Cyber

According to Netskope's September Threat Labs Report for manufacturing, enterprise users in manufacturing regularly interact with an average of 24 cloud apps each month. Using so many cloud apps, especially multiple apps with overlapping functions and combinations of enterprise and personal apps, underscores the importance of organizations having policies to ensure the safe handling of sensitive data.

While the most-used apps include the same popular enterprise apps used worldwide, Netskope observed an increase in AI usage in corporate environments via apps such as Microsoft Copilot. In manufacturing, OneDrive was the top app being abused for malware delivery, with twice as much usage as second- and third-place SharePoint and GitHub, respectively.

Additional findings from the report include:

  • When it came to malware and ransomware, the most prevalent malware families targeting manufacturing were the Trojan RaspberryRobin and the Downloader Guloader.
  • Approximately one-half of all global HTTP/HTTPS malware downloads originated from popular cloud apps, with the other half originating from different locations on the web.
  • Netskope concluded that attackers have been successful in delivering malware via OneDrive, and that manufacturers should take extra precautions when using the app and make sure the correct policies are in place.

Netskope also offers the following recommendations:

  • Manufacturers should review their security posture to ensure that they are adequately protected against these app-based threats.
  • Inspect all HTTP and HTTPS downloads, including all web and cloud traffic, to prevent malware from infiltrating your network.
  • Ensure that high-risk file types like executables and archives are thoroughly inspected using a combination of static and dynamic analysis before being downloaded.
  • Configure policies to block downloads from apps and instances that are not used in your organization to reduce your risk surface to only those apps and instances that are necessary for the business.
  • Configure policies to block uploads to apps and instances that are not used in your organization to reduce the risk of accidental or deliberate data exposure from insiders or abuse by attackers.
  • Use an Intrusion Prevention System (IPS) that can identify and block malicious traffic patterns, such as command and control traffic associated with popular malware. Blocking this type of communication can prevent further damage by limiting the attacker’s ability to perform additional actions.
  • Use Remote Browser Isolation (RBI) technology to provide additional protection when there is a need to visit websites that fall into categories that can present higher risk, like newly observed and newly registered domains.
