Cloud Malware Found in Sanctioned Apps Nearly Triples

Netskope
June 13, 2016 By Ravi Balupari and Sean Hittel

We recently released our global Cloud Report as well as our Europe, Middle East and Africa version, highlighting cloud activity from January through March of 2016. Each quarter we report on aggregated, anonymized findings such as top used apps, top activities, top policy violations, and other cloud security findings from across our customers using the Netskope Active Platform, including by industry. Netskope is the only Cloud Access Security Broker (CASB) that reports at this level of granularity on cloud app activities, data violations, and policy infractions across sanctioned and unsanctioned apps worldwide.

This report took up where we left off last quarter on our cloud malware research, in which we found that 4.1 percent of enterprises’ sanctioned apps are laced with malware. This quarter that number has risen to 11.0 percent, or nearly triple since last quarter. This is before counting unsanctioned apps, which we are researching and will incorporate into future reports. When we do, we expect these numbers to increase dramatically. Beyond sharing volume of detections, this quarter’s report breaks down those malware into the following observed categories, several of which are known to be used to distribute or propagate ransomware:

  1. JavaScript exploits and droppers
  2. Microsoft Office macros
  3. Backdoors
  4. Mobile malware
  5. Spyware and Adware
  6. Mac malware

The malicious JavaScript files detected in our users shared cloud storage were generally highly obfuscated and contained either exploits, or more commonly downloaders. In the case of downloaders, these were usually the attachments that were received as a part of a phishing attack, and subsequently shared with peers of the victim in the cloud.

The trend of using JavaScript attachments in phishing attacks is something that has been supplementing the ongoing use of Microsoft Office macros in recent months. Upon receipt of these malicious JavaScript and Office attachments, many victims will share them in the cloud with their colleagues. Many of these would install ransomware such as Locky and TeslaCrypt on each victim’s endpoint.

We also rated discovered malware in terms of its severity based on the extent to which it affects user privacy and computer security and causes damage to files, computers, or networks. 73.5 percent of detected malware this quarter ranks “high” in terms of severity, with 8.3 percent “medium,” and 18.2 percent “low.”

Perhaps the most shocking is we found that 26.2 percent of discovered malware files had been shared, either internally (with one or more people inside of the organization), externally (with one or more people outside of the organization), or publicly (with a publicly-accessible link). Sync and share, two important capabilities that characterize the cloud, are liabilities when it comes to malware because malware can use sync and share to propagate rapidly between users and devices, and the reason we dubbed this issue the cloud malware fan-out effect.

What do we recommend to combat the fan-out? Five things:

  1. Back up versions of your critical content in the cloud. Enable your app’s “trash” feature and set the default purge to a week or more. This is one of your best bets for preserving your data should you become infected with data destructing malware such as ransomware.
  2. Use your CASB to scan for and remediate cloud malware in your sanctioned apps. Make sure to check for infected users through sync and share. Integrate your CASB with, and share detections across, your existing security infrastructure such as your sandbox and endpoint detection and response (EDR) so you can stop malware wherever it’s propagating in your environment.
  3. Detect malware incoming via sanctioned and unsanctioned apps.
  4. Detect anomalies in your sanctioned and unsanctioned cloud apps, such as unusual file upload activity or other out-of-the-norm behaviors.
  5. Monitor uploads to sanctioned and unsanctioned cloud apps for sensitive data, which can indicate exfiltration in which malware is communicating with a cloud-based command and control server.