Die Zukunft von Zero Trust und SASE ist jetzt! Jetzt anmelden

Schließen
Schließen
  • Edge-Produkte von Security Service Chevron

    Schützen Sie sich vor fortgeschrittenen und cloudfähigen Bedrohungen und schützen Sie Daten über alle Vektoren hinweg.

  • Borderless SD-WAN Chevron

    Stellen Sie selbstbewusst sicheren, leistungsstarken Zugriff auf jeden Remote-Benutzer, jedes Gerät, jeden Standort und jede Cloud bereit.

  • Secure Access Service Edge Chevron

    Netskope SASE bietet eine Cloud-native, vollständig konvergente SASE-Lösung von einem einzigen Anbieter.

Die Plattform der Zukunft heißt Netskope

Intelligent Security Service Edge (SSE), Cloud Access Security Broker (CASB), Cloud Firewall, Next Generation Secure Web Gateway (SWG) und Private Access for ZTNA sind nativ in einer einzigen Lösung integriert, um jedes Unternehmen auf seinem Weg zum Secure Access Service zu unterstützen Edge (SASE)-Architektur.

Netskope Produktübersicht
Netskope-Video
Next Gen SASE Branch ist hybrid – verbunden, sicher und automatisiert

Netskope Next Gen SASE Branch vereint kontextsensitives SASE Fabric, Zero-Trust Hybrid Security und SkopeAI-Powered Cloud Orchestrator in einem einheitlichen Cloud-Angebot und führt so zu einem vollständig modernisierten Branch-Erlebnis für das grenzenlose Unternehmen.

Erfahren Sie mehr über Next Gen SASE Branch
Menschen im Großraumbüro
Entwerfen einer SASE-Architektur für Dummies

Holen Sie sich Ihr kostenloses Exemplar des einzigen Leitfadens zum SASE-Design, den Sie jemals benötigen werden.

Jetzt das E-Book lesen
  • NewEdge Chevron

    NewEdge ist die weltweit größte und leistungsstärkste private Sicherheits-Cloud.

  • Cloud-Sicherheitsplattform Chevron

    Unübertroffene Transparenz und Daten- und Bedrohungsschutz in Echtzeit in der weltweit größten privaten Sicherheits-Cloud.

  • Technologiepartner und Integrationen Chevron

    Netskope arbeitet mit den stärksten Unternehmen im Bereich Unternehmenstechnologie zusammen.

Nutzen Sie eine Secure Access Service Edge (SASE)-Architektur

Netskope NewEdge ist die weltweit größte und leistungsstärkste private Sicherheits-Cloud und bietet Kunden eine beispiellose Serviceabdeckung, Leistung und Ausfallsicherheit.

Mehr über NewEdge erfahren
NewEdge
Ihr Netzwerk von morgen

Planen Sie Ihren Weg zu einem schnelleren, sichereren und widerstandsfähigeren Netzwerk, das auf die von Ihnen unterstützten Anwendungen und Benutzer zugeschnitten ist.

Whitepaper lesen
Ihr Netzwerk von morgen
Netskope Cloud Exchange

Cloud Exchange (CE) von Netskope gibt Ihren Kunden leistungsstarke Integrationstools an die Hand, mit denen sie in jeden Aspekt ihres Sicherheitsstatus investieren können.

Erfahren Sie mehr über Cloud Exchange
Netskope-Video
Steigen Sie auf marktführende Cloud-Security Service mit minimaler Latenz und hoher Zuverlässigkeit um.

Mehr über NewEdge erfahren
Beleuchtete Schnellstraße mit Serpentinen durch die Berge
Ermöglichen Sie die sichere Nutzung generativer KI-Anwendungen mit Anwendungszugriffskontrolle, Benutzercoaching in Echtzeit und erstklassigem Datenschutz.

Erfahren Sie, wie wir den Einsatz generativer KI sichern
ChatGPT und Generative AI sicher aktivieren
Zero-Trust-Lösungen für SSE- und SASE-Deployments

Erfahren Sie mehr über Zero Trust
Bootsfahrt auf dem offenen Meer
Netskope erhält die FedRAMP High Authorization

Wählen Sie Netskope GovCloud, um die Transformation Ihrer Agentur zu beschleunigen.

Erfahren Sie mehr über Netskope GovCloud
Netskope GovCloud
  • Ressourcen Chevron

    Erfahren Sie mehr darüber, wie Netskope Ihnen helfen kann, Ihre Reise in die Cloud zu sichern.

  • Blog Chevron

    Erfahren Sie, wie Netskope die Sicherheits- und Netzwerktransformation durch Security Service Edge (SSE) ermöglicht.

  • Veranstaltungen& Workshops Chevron

    Bleiben Sie den neuesten Sicherheitstrends immer einen Schritt voraus und tauschen Sie sich mit Gleichgesinnten aus

  • Security Defined Chevron

    Finden Sie alles was Sie wissen müssen in unserer Cybersicherheits-Enzyklopädie.

Security Visionaries Podcast

Cookies, keine Kekse
Moderatorin Emily Wearmouthas setzt sich mit den Experten David Fairman und Zohar Hod zusammen, um über die Vergangenheit, Gegenwart und Zukunft von Internet-Cookies zu sprechen.

Podcast abspielen
Podcast: Cookies, keine Kekse
Neueste Blogs

Wie Netskope die Zero-Trust- und SASE-Reise durch Security Service Edge (SSE)-Funktionen ermöglichen kann.

Den Blog lesen
Sonnenaufgang und bewölkter Himmel
SASE Week 2023: Ihre SASE-Reise beginnt jetzt!

Wiederholungssitzungen der vierten jährlichen SASE Week.

Entdecken Sie Sitzungen
SASE Week 2023
Was ist Security Service Edge?

Entdecken Sie die Sicherheitselemente von SASE, die Zukunft des Netzwerks und der Security in der Cloud.

Erfahren Sie mehr über Security Service Edge
Kreisverkehr mit vier Straßen
  • Unsere Kunden Chevron

    Netskope bedient mehr als 2.000 Kunden weltweit, darunter mehr als 25 der Fortune 100-Unternehmen

  • Kundenlösungen Chevron

    Wir sind für Sie da, stehen Ihnen bei jedem Schritt zur Seite und sorgen für Ihren Erfolg mit Netskope.

  • Netskope Community Chevron

    Lernen Sie von anderen Netzwerk-, Daten- und Sicherheitsexperten.

  • Schulung und Zertifizierung Chevron

    Netskope-Schulungen helfen Ihnen ein Experte für Cloud-Sicherheit zu werden.

Wir helfen unseren Kunden, auf alles vorbereitet zu sein

Sehen Sie sich unsere Kunden an
Lächelnde Frau mit Brille schaut aus dem Fenster
Das talentierte und erfahrene Professional Services-Team von Netskope bietet einen präskriptiven Ansatz für Ihre erfolgreiche Implementierung.

Erfahren Sie mehr über professionelle Dienstleistungen
Netskope Professional Services
Die Netskope-Community kann Ihnen und Ihrem Team dabei helfen, mehr Wert aus Produkten und Praktiken zu ziehen.

Zur Netskope Community
Die Netskope-Community
Mit Netskope-Schulungen können Sie Ihre digitale Transformation absichern und das Beste aus Ihrer Cloud, dem Web und Ihren privaten Anwendungen machen.

Erfahren Sie mehr über Schulungen und Zertifizierungen
Gruppe junger Berufstätiger bei der Arbeit
  • Unternehmen Chevron

    Wir helfen Ihnen, den Herausforderungen der Cloud-, Daten- und Netzwerksicherheit einen Schritt voraus zu sein.

  • Warum Netskope? Chevron

    Cloud-Transformation und hybrides Arbeiten haben die Art und Weise verändert, wie Sicherheit umgesetzt werden muss.

  • Leadership Chevron

    Unser Leadership-Team ist fest entschlossen, alles zu tun, was nötig ist, damit unsere Kunden erfolgreich sind.

  • Partner Chevron

    Unsere Partnerschaften helfen Ihnen, Ihren Weg in die Cloud zu sichern.

Unterstützung der Nachhaltigkeit durch Datensicherheit

Netskope ist stolz darauf, an Vision 2045 teilzunehmen: einer Initiative, die darauf abzielt, das Bewusstsein für die Rolle der Privatwirtschaft bei der Nachhaltigkeit zu schärfen.

Finde mehr heraus
Unterstützung der Nachhaltigkeit durch Datensicherheit
Am besten in der Ausführung. Am besten in Sachen Vision.

Im 2023 Gartner® Magic Quadrant™ für SSE wurde Netskope als führender Anbieter ausgezeichnet.

Report abrufen
Im 2023 Gartner® Magic Quadrant™ für SSE wurde Netskope als führender Anbieter ausgezeichnet.
Denker, Architekten, Träumer, Innovatoren. Gemeinsam liefern wir hochmoderne Cloud-Sicherheitslösungen, die unseren Kunden helfen, ihre Daten und Mitarbeiter zu schützen.

Lernen Sie unser Team kennen
Gruppe von Wanderern erklimmt einen verschneiten Berg
Die partnerorientierte Markteinführungsstrategie von Netskope ermöglicht es unseren Partnern, ihr Wachstum und ihre Rentabilität zu maximieren und gleichzeitig die Unternehmenssicherheit an neue Anforderungen anzupassen.

Erfahren Sie mehr über Netskope-Partner
Gruppe junger, lächelnder Berufstätiger mit unterschiedlicher Herkunft

Cloud- und Bedrohungsbericht 2024

hellblau plus
This report explores the evolving enterprise cloud environments and threat landscape, spotlighting the predominant trends of 2023 and offering predictions of which ones will continue into 2024.
Dark cloud over the sunset
22 min read

Executive summary Link Link

test answer

The Netskope Cloud and Threat Report aims to provide strategic, actionable intelligence on the latest trends in cloud computing and cybersecurity threats affecting organizations throughout the world. In this edition, we take a look back at the major trends of 2023, paying special attention to those that we expect to continue into 2024 and beyond.

Throughout 2023, cloud and SaaS adoption continued to rise in enterprise environments, with users constantly adopting new apps and increasing their use of existing apps. App suites from Microsoft and Google continue to dominate in all industries and geographies worldwide as apps from these vendors become even more ingrained in critical business processes.

Adversaries, recognizing this trend, are abusing and targeting popular apps in their operations more frequently. Social engineering has become the most common method adversaries use to gain access into victims’ environments. Adversaries are increasingly successful in tricking victims into downloading Trojans by hosting them in popular SaaS apps and in tricking victims into clicking on phishing baits designed to steal SaaS app credentials.

The majority of adversary activity targeting Netskope customers in 2023 was financially motivated. When a financially motivated adversary gains initial access to a victim’s environment, they typically install an implant (usually Cobalt Strike) to maintain persistence. They ultimately try to extort the victim organization by deploying ransomware, infostealers, and wipers, threatening to expose sensitive data publicly or sabotage the victim’s environment if they do not pay. Even geopolitically motivated adversaries, whose primary objective has historically been cyber espionage, are also engaging in similar extortion activities.

This report spotlights these and other predominant trends of 2023 and offers predictions into which ones will continue into 2024.

 

Report highlights Link Link

sdofjsfojefgejelosij

Generative AI apps are an enterprise mainstay
Generative AI apps, virtually non-existent in the enterprise a year ago, are now a mainstay, with more than 10% users accessing cloud-based generative AI apps each month and with the top 25% of users exponentially increasing their use of these apps.

Most Trojans are downloaded from popular cloud apps
Attackers are most successful at tricking victims into downloading Trojans when they are hosted on popular cloud apps, with the most popular apps from Google and Microsoft among the top apps for malware downloads.

Criminal adversaries expand their extortion playbook
Criminal adversary activity dominated the threat landscape in 2023, with multiple adversary groups relying heavily on Cobalt Strike to maintain permanence and deploy ransomware, infostealers, wipers, and other malicious software to extort their victims.

 

Über diesen Bericht Link Link

Netskope Threat Labs publishes an annual Cloud and Threat Report to provide strategic, actionable intelligence on the latest trends in cloud computing and cybersecurity threats affecting organizations throughout the world. Information presented in this report is based on anonymized usage data collected by the Netskope Security Cloud platform relating to a subset of Netskope customers with prior authorization. Netskope provides threat and data protection to millions of users worldwide. This report contains information about detections raised by Netskope’s Next Generation Secure Web Gateway (SWG), not considering the significance of the impact of each individual threat. Stats presented in this report are a reflection of both adversary activity and user behavior. Stats in this report are based on the period starting December 1, 2021 through November 30, 2023.

 

Netskope Threat Labs Link Link

Staffed by the industry’s foremost cloud threat and malware researchers, Netskope Threat Labs discovers, analyzes, and designs defenses against the latest web, cloud, and data threats affecting enterprises. Our researchers are regular presenters and volunteers at top security conferences, including DEF CON, Black Hat, and RSAC.

Cloud and SaaS app use on the rise Link Link

The enterprise transition from traditional, on-prem applications to cloud and SaaS apps is far from over. Most organizations have already migrated to cloud-based productivity suites, and the migration has shifted to more niche applications. The number of apps used by the average user has increased from 14 to 20 over the past two years, an average 19% increase per year. Currently, half of all enterprise users interact with between 11 and 33 apps each month, with the top 1% of users interacting with more than 96 apps per month.

apps used by the average user

At the same time, people’s interactions with cloud and SaaS apps are increasing at an even faster rate–35% per year–from just over 1,000 activities per month two years ago to nearly 2,000 activities per month today. Half of all enterprise users generate between 600 and 5,000 activities per month, with the top 1% of users generating more than 50,000 activities per month. An activity is a core interaction between a user and an app, with the most common activities being:

  • Downloading or uploading a file
  • Editing a document
  • Posting a message
  • Viewing a file or a message

Median number of activities per user per month

The most popular apps in the enterprise have not changed significantly over the past year. Among the top 20 most popular apps, year-over-year popularity varied by single-digit percentage points, with a few standout themes.

Overall app popularity

Google and Microsoft reign supreme
The core components of the Microsoft 365 and Google Workspaces productivity suites were among the top apps in both 2022 and 2023. Microsoft products OneDrive, Sharepoint, Teams, Azure Blob Storage, Outlook.com, Forms, and GitHub along with Google products Google Drive, Google Cloud Storage, Gmail, and Calendar accounted for the majority of the top 10. Apps from these vendors have become mainstays of the enterprise ecosystem in all geographies and all industries and will continue to remain on the top for the foreseeable future.

Social media shifts
Although their relative popularity was largely unchanged year-over-year, there were some shifts in the popularity of various social media platforms among enterprise users. Facebook is still the most popular social media platform, despite its popularity decreasing by 6 points. Despite all the talk of an exodus from Twitter following the purchase by Elon Musk, enterprise users are still using it at roughly the same rate. The professional social networking platform LinkedIn gained 4 points, the largest gain of any of the social media platforms and the third-largest gain of all apps. TikTok and Instagram remained largely unchanged.

Outlook leapfrogs Gmail
Outlook.com leapfrogged Google Gmail in 2023 as Outlook users continue to shift away from using the native Outlook app in favor of the web app. Adding more than 6 points of popularity, Outlook.com had the second-largest increase of any cloud or SaaS app in 2023.

 

Generative AI apps on the rise Link Link

2023 was the year of generative AI. It all started with the hype around OpenAI and their flagship product ChatGPT. Although it did not crack the top 20 most popular apps of 2023, ChatGPT added more users than any other app, with its popularity increasing from 0% to nearly 7% of all enterprise users by the end of the year. As ChatGPT grew in popularity, other companies began creating competing chatbots, and even more companies began creating niche products to leverage the power of these large language models (LLMs). The idea of an AI-powered assistant to help in tasks like writing, programming, and even security operations took off. At the same time, apps for generating images, videos, and audio were also released.

The enterprise cybersecurity community did what it typically does when a new technology with this much hype hits the market: Quickly determine whether these apps serve a legitimate business purpose and–for the cases where they do–figure out how to safely enable their use. For many organizations, this meant pumping the breaks, blocking the apps until they could go through proper security review. In general, this meant that these generative AI apps gained popularity in the enterprise more slowly than they did in the consumer market.

But their popularity did grow. The following graph shows an increase in AI app popularity resembling a sigmoid, increasing from just over 2% of all enterprise users accessing at least one AI app per month a year ago to more than 10% doing so today. Most of that growth occurred in the first half of 2023 and cooled off toward the end of the year.

Percentage of users interacting with AI

A plot of the growth of the top three generative AI apps provides more insight into the shape of the overall popularity graph above. ChatGPT was the most popular app by a large margin, with the writing assistant Grammarly coming in second, followed by the Google Bard chatbot in third. The following plot provides a detailed breakdown of the growth of these three apps. ChatGPT was the main driver of the sigmoidal growth pattern in the first half of the year, rising from nearly 0% to 7% of the enterprise user population very rapidly. Google Bard had a similar shape to its growth later in the year when it became generally available, but its adoption paled in comparison to ChatGPT. Grammarly started the year as the most popular AI app due to its pre-existing user base, and while it did not see as aggressive growth as ChatGPT, its popularity continues trending upward. In the next year, Netskope Threat Labs predicts that Grammarly will continue its rise in popularity and close the gap between it and ChatGPT, but will still lag behind the all-purpose chatbot.

Top 3 AI apps by percentage of users

Most users only interact with generative AI apps a few times per month. Over the course of the past year, the average user increased from 5 activities per month to 14 activities per month, where an activity is most commonly a prompt posted to a chatbot. The top quartile of AI app users showed a more significant increase, from 15 to 85 activities over the course of the year. This indicates that a quarter of the AI user population are power users who are increasingly rapidly increasing their use of generative AI apps. Netskope Threat Labs expects both of these trends to continue into 2024: the total number of users accessing AI apps in the enterprise will continue to increase only modestly, while the amount of activity from power users will increase significantly as the population of super users finds new ways to squeeze additional value from these technologies.

AI app activities by user

A closer look at the top ten generative AI apps as 2023 draws to a close reveals three noteworthy trends that we expect to see continue into 2024.

Top 10 AI apps by percentage of users per month

Chatbots reign supreme
ChatGPT, the first generative AI chatbot to rise to popularity, is still on top at the end of the year, with 6.7% of enterprise users interacting with the chatbot at least once per month. Google Bard, Google’s ChatGPT alternative, is the second most popular chatbot, but has just more than one-tenth of the user base. ChatGPT and Google Bard are general-purpose and can be used to support business functions, like helping with writing and programming tasks or information retrieval, or for entertainment. Their versatility is one of the primary reasons for their popularity. Other more niche customer engagement chatbots–ChatBase and Blip–also made the top ten but with even fewer users.

AI assistants are catching up
One of the most popular uses of generative AI technology in the enterprise so far is as a writing assistant. Grammarly, the second most popular generative AI app, is used by 3.1% of enterprise users, with alternatives QuillBot and Wordtune also making the top ten. Tabnine is a programming assistant that helps programmers write code more efficiently. Netskope Threat Labs expects that AI assistants, especially writing and programming assistants, will continue to grow in popularity in 2024. Their integration into commonly used tool sets for writing and programming and the fact that they are specifically designed and tuned for those tasks will fuel their popularity growth. The fact that they cannot be used for entertainment purposes will also likely remove barriers to their adoption in the enterprise, whereas other apps, like general purpose chatbots, may suffer.

AI art generators are moving into the enterprise
AI art generators, specifically those that can generate images, eked their way into the number 9 and 10 spots of the most popular generative AI apps in the enterprise. Like chatbots, AI art generators are all-purpose tools that can be used for entertainment or to support business functions, both of which factor into their popularity in the enterprise. Because of their entertainment uses, especially their ability to generate content that is not safe for work, they are likely to remain at the bottom of the popularity list in enterprise environments for the foreseeable future.

 

Social engineering Link Link

The most common method by which adversaries gained initial access to their victim’s systems in 2023 was via social engineering. Social engineering is typically the easiest way for adversaries to gain access to hardened enterprise systems where remote access is limited and patches against known security vulnerabilities are applied in a timely manner. Social engineering targets the people who have access to the systems, rather than the systems themselves. Among the various social engineering tactics and techniques used by adversaries to target enterprises in 2023, there were two standouts:

  • Tricking victims into downloading and executing Trojans
  • Using phishing to trick victims into sharing sensitive credentials

The remainder of this section provides a deeper dive into each of these techniques.

 

Trojaner

Enterprise users are constantly targeted with Trojans from many different angles. Adversaries are continuously crafting new Trojans with a variety of different baits to trick users into downloading and executing them. In 2023, an average of 8 out of every 10k users downloaded an average of 11 Trojans per month. Throughout the year, an organization with 10k users would have had an average of 132 Trojans downloaded by users on their network. Netskope Threat Labs expects both of these numbers to remain relatively constant throughout 2024.

One of the angles that adversaries increasingly use to trick users into downloading Trojans is to host the Trojans on popular SaaS apps. Over the past year, the percentage of HTTP and HTTPS malware downloads originating from SaaS apps has been consistently above 50%, a trend that Netskope Threat Labs expects to continue through 2024 as it pushes closer toward 60%.

Percentage of HTTP/HTTPs mlware downloads from cloud apps

The specific apps where adversaries have the most success in tricking their victims into downloading Trojans are unsurprisingly also some of the most popular apps in the enterprise. The following figure breaks down the top 20 apps, including a year-over-year comparison. We highlight four major themes of this plot below.

Top apps where malware downloads were detected

Microsoft OneDrive maintains its lead
As discussed earlier in this report, Microsoft OneDrive is ubiquitous in the enterprise. It is the most popular SaaS app by a large margin, with nearly two-thirds of all enterprise users accessing content in OneDrive every month. For that reason, it is unsurprising that it would also lead in terms of malware downloads. Adversaries can easily create their own OneDrive accounts to host malware, which they share with their victims. Furthermore, because two-thirds of users regularly use OneDrive, they are accustomed to clicking on OneDrive links and therefore more likely to do so when an adversary shares one.

Microsoft Sharepoint is nuanced
Microsoft leverages SharePoint in a variety of other services, including Microsoft Teams. The year-over-year increase in malware downloads originating from SharePoint is primarily due to an increase in Trojans being shared with victims over Microsoft Teams, which show up as Microsoft SharePoint downloads on the Netskope platform.

Apps providing free hosting are the leaders
The majority of the apps in the top 20 are apps that provide free file hosting services. This includes cloud storage apps (Microsoft OneDrive, Google Drive, Azure Blob Storage, Amazon S3, Box, Dropbox, Google Cloud Storage), free web hosting apps (Weebly, Squarespace), free file sharing services (DocPlayer, MediaFire, WeTransfer), and free source code hosting apps (GitHub, SourceForge). Because these apps all provide low-cost or no-cost file hosting, Netskope Threat Labs expects them and similar apps to continue to be abused for malware and phishing delivery for the foreseeable future.

 

Phishing

Adversaries are generally more successful in tricking victims into clicking on phishing links than they are in tricking them into downloading malware. On average, 29 out of every 10k enterprise users clicked on a phishing link each month in 2023, more than three times the rate of users downloading Trojans. Throughout the year, an organization with 10k users would have had an average of 348 users clicking on phishing links.

Attackers phish for credentials and other sensitive information for a variety of different targets. The top 10 phishing targets in 2023 included popular cloud and SaaS applications, shopping sites, and banking portals. SaaS apps and shopping sites were among the top targets throughout the year, while banking portals, social media, and government targets saw a steady increase throughout the year. While some adversaries phish for credentials and data that they will themselves use, others serve as initial access brokers, selling the stolen credentials, banking information, and other data on the black market. Netskope Threat Labs predicts that cloud and SaaS apps, while they will continue to remain among the top phishing targets, will be displaced by banking portals as the top target in early 2024.

Top phishing targets by links clicked

Among the top phishing target categories, there were a few standouts:

Behörden
The most common government target was the United States Internal Revenue Service, where attackers created phishing pages to steal financial data from their victims.

Social Media
Facebook, the most popular social media app in the enterprise, remains the most targeted social media platform by a large margin. Adversaries use compromised social media accounts to run scams, spread malware, spread misinformation, and other illicit activities.

Shopping
The shopping giants Amazon and Ebay remain the top shopping targets.

Gaming
The gaming platform Steam was the most targeted gaming platform by a large margin. Adversaries typically use the payment information attached to the account to make purchases and also try to use the account to compromise additional accounts.

Consumer
The video streaming service Netflix maintained its lead as the most phished service in the consumer category in 2023. Here, the main objective is theft: The stolen accounts are sold on a black market to people looking for an inexpensive Netflix subscription.

Among the cloud and SaaS apps targeted by adversaries in phishing campaigns in 2023, one app ecosystem stands out above all the rest: Microsoft. Microsoft’s popularity among enterprise users means that Microsoft credentials are both a lucrative target for attackers and that users are going to be more accustomed to clicking on links for Microsoft services. As more users continue to use Microsoft services, Microsoft will continue to be a primary target of adversaries who can leverage access to their victim’s Microsoft account for business email compromise, to steal sensitive data, and to pivot to other connected applications. For these reasons, Netskope Threat Labs expects Microsoft to remain the top cloud phishing target in 2024, increasing its lead even further over other apps.

Top cloud phishing targets by links clicked

A less common but growing phishing strategy is to use phishing attachments instead of phishing links in emails. Phishing attachments are meant to bypass anti-phishing controls that only inspect links embedded directly in the email itself. The most common type of phishing attachment is a PDF document that appears to be an invoice, directing victims to call a phone number or visit a link if they need to correct anything on the invoice. Phishing attachments were quite rare in early 2022, spiked mid-year, subsided, and spiked again in late 2023. Despite the increase, an enterprise user downloading a phishing attachment is less common than a user clicking a phishing link or downloading a Trojan. Netskope Threat Labs expects phishing attachments to become even more common in 2024.

Users downloading phishing attachments per 10k users

 

Adversary profiles and objectives Link Link

So far in this report, we have highlighted that cloud and SaaS apps continue to grow in popularity in the enterprise, gaining more users and more interactions per user every year. We also highlighted that social engineering was the most common infiltration technique in 2023, with phishing and Trojans hosted on and targeting SaaS apps ranking among the top techniques. But who were the adversaries employing these techniques? What were their motivations and objectives? What risk did they present to the organizations they were targeting? This section explores the answers to all three of these questions.

Netskope Threat Labs tracks adversaries that are actively targeting Netskope customers to better understand their motivations, tactics, and techniques so that we can build better defenses against them. We generally categorize adversary motivations as either criminal or geopolitical.

Criminal adversaries
The primary objective of a criminal adversary group is financial gain, which recently has meant a heavy focus on extortion. Extortion has been an extremely profitable business for cybercriminals, with an estimated $457 million in ransom payments made in 2022. These days, criminal adversaries have expanded their portfolio of extortion techniques to help increase the likelihood of success. These techniques include:

  • Deploying ransomware. The objective is to grind the victim’s operations and systems to a halt by encrypting all of their data. The initial negotiation tactic is to promise to decrypt their data if they pay the ransom. Some adversaries even go as far as to claim to be helping the victim–the victim is so lucky that the benevolent adversary only wants money to decrypt the files and does not want to do any real harm. Imagine if someone with more nefarious intentions had gained access to the victim’s environment!
  • Deploying an infostealer. An infostealer steals sensitive data from the victim, usually compressing and exfiltrating the data over HTTP or HTTPS to blend in with other traffic. The stolen data is used as leverage to convince the victim to pay the ransom. For example, if the victim can easily restore from backups and resume normal operations, they would not be particularly motivated to pay. Perhaps the threat of exposing sensitive data publicly might change their mind.
  • Sabotaging systems. Wipers are being more commonly deployed by criminal organizations as a final tactic to help motivate payment. Adversaries will begin destroying data and knocking systems offline the longer the extortion negotiations continue, with the expectation that this might further motivate the victim to pay.

Although we attempt to label each criminal adversary group according to the country in which they operate, many groups work transnationally. Furthermore, many are now operating in an affiliate model, making their operations even more dispersed. As a result, we typically associate a group with the country or region from which its core members are believed to be located.

Geopolitical adversaries
Geopolitical adversary groups are typically either nation-states or their proxies, and their activities typically mirror broader political, economic, military, or social conflicts. Geopolitical groups typically engage in cyber operations against other nation-states as a modern international relations strategy. The lines between geopolitical and criminal adversaries can blur, with some geopolitical groups also engaging in financially motivated activities. The specific cyber-operations undertaken by geopolitical adversaries vary including:

  • Cyber espionage
  • Sabotaging critical infrastructure
  • Information warfare
  • Spreading propaganda
  • Manipulating public opinion
  • Influencing elections

Attribution
Attributing activity to a specific adversary group can be challenging. Adversaries try to hide their true identities or even intentionally launch false-flag operations wherein they try to make their attacks appear as though they came from another group. Multiple groups often use the same tactics and techniques, some going as far as to use the same tooling or infrastructure. Even defining adversary groups can be challenging, as groups evolve or members move between groups. Adversary attributions are fuzzy and subject to change and evolve as new information comes to light.

The majority of adversary activity targeting Netskope customers in 2023 was criminally motivated, with geopolitical adversaries most active against users in Asia and Latin America. Within Asia, the highest concentration of geopolitical adversary activity targeted victims in India and Singapore, and in Latin America it targeted victims in Brazil.

Adversary motivations by target region

Overall, the majority of the adversary activity was attributed to criminal groups based in Russia (targeted throughout the world), followed by geopolitical groups in China (targeted primarily at victims in Asia, especially Singapore). Adversary groups located in other regions accounted for less than one-quarter of all adversary activity tracked by Netskope Threat Labs in 2023. In the remainder of this section, we provide an adversary profile for the five most active adversary groups in 2023, highlighting their motivations, tactics, techniques, and targeting strategies. This list includes three criminal groups based in Russia and two geopolitical groups based in China.

Adversary activity by location

 

TA551

Location: Russia
Motivation: Criminal
Aliases: GOLD CABIN, Shathak

The activity attributed to TA551 was primarily from banking Trojans, specifically variants of Pinkslipbot, Ursnif, and QakBot. TA551 targeted victims throughout the world and in multiple industry verticals, including manufacturing, financial services, technology, and healthcare. While many criminal organizations have pivoted to an extortion-centric strategy, TA551 appears to be content in sticking with their tried-and-true strategy of stealing banking information directly from their victims.

 

Wizard Spider

Location: Russia
Motivation: Criminal
Aliases: UNC1878, TEMP.MixMaster, Grim Spider, FIN12, GOLD BLACKBURN, ITG23, Periwinkle Tempest

Wizard Spider is perhaps most infamous for developing the TrickBot malware and has since pivoted to conducting ransomware operations. In 2023, Netskope tracked activity associated with Wizard Spider targeting victims throughout the world. In most of their operations, they used the popular red team tool Cobalt Strike to establish persistence in victim environments. The Cobalt Strike framework provides a lightweight executable that is implanted in the victim’s environment and communicates back to an attacker-controlled server. It is typically used to provide remote access and deploy additional malware payloads (in this case, primarily ransomware). Most of the Wizard Spider activity we tracked in 2023 followed a common pattern–avoiding DNS lookups by communicating directly with the attacker-controlled server via its IP address over HTTP.

 

TA505

Location: Russia
Motivation: Criminal
Aliases: Hive0065

TA505 is another Russian criminal ransomware group and is responsible for the Clop ransomware. Like Wizard Spider, they also heavily used Cobalt Strike for persistence and to deploy ransomware payloads. They also used the Amaday botnet to deploy ransomware and other malware payloads on infected systems. Similar to Wizard Spider, their Cobalt Strike and Amadey implants tended to communicate directly with their C2 infrastructure via IP addresses, bypassing DNS lookups. Unlike Wizard Spider, who targeted organizations worldwide, TA505’s activities were concentrated in Asia and Europe.

 

APT41

Location: China
Motivation: Geopolitical
Aliases: Wicked Panda

APT41 is a state-sponsored espionage group that also engages in financially-motivated ransomware attacks. Although their activities in the past have been spread throughout the world, their activities in 2023 were focused primarily in Asia and Europe, especially financial services organizations based in Singapore. Like other groups, they heavily relied on the Cobalt Strike framework for persistence and to deploy additional payloads. They also used the POISONPLUG backdoor, variants of which use social media platforms as command and control channels.

 

Earth Lusca

Location: China
Motivation: Geopolitical
Aliases: TAG-22

Earth Lusca is closely related to APT41 in that it uses very similar tooling. In 2023, they used Cobalt Strike and POISONPLUG against targets throughout the world spanning multiple industries including financial services, manufacturing, healthcare, technology, and SLED.

 

Empfehlungen Link Link

The complexity of an enterprise environment where users are constantly introducing new apps into the fold while existing apps become increasingly embedded in core business processes can make such environments challenging to secure. Netskope Threat Labs recommends limiting app access to only those apps that serve a legitimate business purpose and creating a review and approval process for new apps. For widely used and heavily integrated apps, Netskope recommends implementing a continuous posture management process to ensure that the apps are configured to reduce risk to the organization. We also recommend implementing a continuous monitoring process that will alert security operators when apps are being misused or have been compromised.

With generative AI apps having established a foothold in the enterprise, ensuring the safe enablement and adoption of AI apps should now be an urgent priority for most organizations. Safe enablement involves identifying permissible apps and implementing controls that empower users to use them to their fullest potential while safeguarding the organization from risks. For more detailed information about how Netskope can help, please refer to the ChatGPT and Generative AI Data Protection solution brief.

In light of the continuing increase of social engineering for initial access, Netskope Threat Labs recommends continuing investments into reducing the risk of social engineering, including security awareness training and anti-phishing technology. Because of increasing adversary focus on targeting and abusing cloud and SaaS apps, organizations should ensure that their security solutions thoroughly inspect all network traffic (including traffic to and from popular cloud and SaaS apps) and are actively monitoring managed apps for signs of abuse and compromise.

There are many commonalities among the active adversary groups, including the installation of implants such as Cobalt Strike to enable clandestine remote access; the deployment of ransomware, infostealers, and wipers; and the subsequent extortion attempts. Locking down remote access, patching systems against known exploits, and reducing the risks of social engineering can help prevent initial access and therefore also the more significant and costly attacker activity. However, additional layers of controls should also be deployed to catch determined adversaries that manage to find their way past the initial layers. These extra layers include deploying network and endpoint security that can block intrusion attempts, command and control communications, and malicious data exfiltration. They also include deploying network and endpoint security tools that can detect the unusual activity that typically occurs when an adversary has infiltrated a system but has yet to deploy ransomware or exfiltrate data. Detecting and disrupting an adversary at this stage can still prevent an attack from becoming damaging or costly.

A multi-layered cybersecurity strategy focused on risk reduction, blocking adversary activities, and continuous monitoring can help protect organizations from the staggering losses caused by a successful cyberattack.

 

hellblau plus

Cloud- und Bedrohungsberichte

The Netskope Cloud and Threat Report delivers unique insights into the adoption of cloud applications, changes in the cloud-enabled threat landscape, and the risks to enterprise data.

Storm with lightning over the city at night

Beschleunigen Sie Ihr Sicherheitsprogramm mit dem SASE Leader