close
magnifying glass
Get Started
magnifying glass
chevron
Support Language
close
Your Network of Tomorrow
Your Network of Tomorrow
Plan your path toward a faster, more secure, and more resilient network designed for the applications and users that you support.
chevron Get the white paper
          Experience Netskope
          Get Hands-on With the Netskope Platform
          Here's your chance to experience the Netskope One single-cloud platform first-hand. Sign up for self-paced, hands-on labs, join us for monthly live product demos, take a free test drive of Netskope Private Access, or join us for a live, instructor-led workshops.
          chevron Experience Netskope
            A Leader in SSE. Now a Leader in Single-Vendor SASE.
            A Leader in SSE. Now a Leader in Single-Vendor SASE.
            Netskope debuts as a Leader in the Gartner® Magic Quadrant™ for Single-Vendor SASE
            chevron Get the report
              Securing Generative AI for Dummies
              Securing Generative AI for Dummies
              Learn how your organization can balance the innovative potential of generative AI with robust data security practices.
              chevron Get the eBook
                Modern data loss prevention (DLP) for Dummies eBook
                Modern Data Loss Prevention (DLP) for Dummies
                Get tips and tricks for transitioning to a cloud-delivered DLP.
                chevron Get the eBook
                  Modern SD-WAN for SASE Dummies Book
                  Modern SD-WAN for SASE Dummies
                  Stop playing catch up with your networking architecture
                  chevron Get the eBook
                    Understanding where the risk lies
                    Advanced Analytics transforms the way security operations teams apply data-driven insights to implement better policies. With Advanced Analytics, you can identify trends, zero in on areas of concern and use the data to take action.
                    chevron Watch the demo
                            The 6 Most Compelling Use Cases for Complete Legacy VPN Replacement
                            The 6 Most Compelling Use Cases for Complete Legacy VPN Replacement
                            Netskope One Private Access is the only solution that allows you to retire your VPN for good.
                            chevron Get the eBook
                              Colgate-Palmolive Safeguards its "Intellectual Property” with Smart and Adaptable Data Protection
                              Colgate-Palmolive Safeguards its "Intellectual Property” with Smart and Adaptable Data Protection
                              chevron Read the case study
                                Netskope GovCloud
                                Netskope achieves FedRAMP High Authorization
                                Choose Netskope GovCloud to accelerate your agency’s transformation.
                                chevron Learn about Netskope GovCloud
                                  Let's Do Great Things Together
                                  Netskope’s partner-centric go-to-market strategy enables our partners to maximize their growth and profitability while transforming enterprise security.
                                  chevron Netskope Partners
                                    Netskope solutions
                                    Netskope Cloud Exchange
                                    Netskope Cloud Exchange (CE) provides customers with powerful integration tools to leverage investments across their security posture.
                                    chevron Learn about Cloud Exchange
                                        Netskope Technical Support
                                        Netskope Technical Support
                                        Our qualified support engineers are located worldwide and have diverse backgrounds in cloud security, networking, virtualization, content delivery, and software development, ensuring timely and quality technical assistance
                                        chevron Technical Support
                                          Netskope video
                                          Netskope Training
                                          Netskope training will help you become a cloud security expert. We are here to help you secure your digital transformation journey and make the most of your cloud, web, and private applications.
                                          chevron Explore Netskope Training
                                            Netskope video
                                            Achieve Business Value with Netskope One SSE
                                            Netskope One Security Service Edge (SSE) enables enterprises to achieve considerable business value by consolidating business critical security services within the Netskope One platform
                                            chevron Get the study

                                              Netskope
                                              Threat Labs Report:
                                              Asia 2024

                                              This report highlights the top cybersecurity challenges in Asia, which include social engineering, malicious content delivery, and data security.
                                              Netskope Threat Labs Report

                                              Asia
                                              December 2024

                                              In This Report Introduction Social engineering Malicious content delivery
                                              Smishing Triad TA577 Evil Corp
                                              Data security GenAI data security
                                              Aggressive adoption Mitigating controls
                                              Recommendations Netskope Threat Labs About This Report
                                              10 min read

                                              In This Report link link

                                              • Cloud apps are the top phishing target in Asia, where 5.5 out of every 1,000 individuals click on phishing links monthly, and Microsoft is the most targeted cloud provider.
                                              • 2.3% of users in Asia access malicious content monthly, with malicious JavaScript delivering other malicious payloads dominating the top families.
                                              • Organizations in Asia have responded to the rapid adoption of genAI apps with more strict controls than the rest of the world, including more aggressive block and DLP policies, while shying away from nuanced controls like real-time user coaching, which empowers the end-user to make informed data security decisions themselves.

                                               

                                               test answer

                                              Introduction link link

                                              This report focuses on three types of cybersecurity threats facing organizations in Asia:

                                              • Social engineering – Adversaries use tactics including phishing and impersonation to exploit human behavior and bypass security measures.
                                              • Malicious content delivery – Adversaries attempt to trick their victims into accessing malicious content on the web or in the cloud.
                                              • Data security – Data security is at risk from external adversaries in targeted breaches and insiders mishandling data.

                                               

                                              Social engineering link link

                                              Social engineering is among Asia’s most significant cybersecurity threats. Social engineering includes phishing, fake software updates, tech support scams, and Trojans. Phishing is one of the most common social engineering tactics, with 5.5 out of every 1,000 individuals working in Asia clicking on a phishing link monthly. This rate is slightly higher than the global average and even higher than nearby Australia. The victims click on links in various places, including email, messaging apps, social media, ads, and search engine results. The most common phishing target is cloud apps, which account for 28% of the clicks, followed by banking, telco, social media, and shopping.

                                              Threat Labs Report - Asia 2024: Top Phishing targets by links clicked

                                              Adversaries target cloud apps for a variety of reasons. For example, when the app is a productivity suite like Microsoft 365, the attacker could either steal data the victim can access or leverage the compromised account to target other victims. Some groups functioning as initial access brokers even sell access to compromised cloud apps on illicit marketplaces. Other apps like DocuSign are often mimicked for financial fraud to trick the victim into providing sensitive information, like credit card or bank account details. Together, Microsoft and DocuSign account for 64% of the cloud phishing links clicked in Asia.

                                              Threat Labs Report - Asia 2024: Top cloud phishing targets by links clicked

                                               

                                              Malicious content delivery link link

                                              Each month, 2.3% of users in Asia attempt to access malicious content on the web or in the cloud and are blocked from doing so by Netskope Advanced Threat Protection engines. This is roughly twice the rate of other regions, including nearby Australia. The malicious content takes multiple forms, including malicious JavaScript content that the browser executes and malware downloads that infect the host OS. The following is a list of the top four malware families detected in Asia over the past year. Dominated by JavaScript-based downloaders and traffic direction systems.

                                              • Downloader.Nemucod is a JavaScript downloader that has previously delivered Teslacrypt.
                                              • Downloader.SLoad (a.k.a Starslord) is a downloader often used to deliver Ramnit.
                                              • Trojan.FakeUpdater (a.k.a. SocGholish) is a JavaScript downloader that delivers various payloads, including Dridex and Azorult.
                                              • Trojan.Parrottds is a JavaScript-based traffic direction system that has been used to redirect traffic to various malicious locations since 2019.

                                              Delivering malware using popular cloud apps is a technique adversaries use to fly under the radar. Each month, 86% of organizations have users attempting to download malware from cloud apps. While the downloads come from hundreds of apps, the chart below presents the top five apps in terms of the percentage of organizations that see malware downloaded from the app monthly. GitHub is at the top because it is used to host a variety of hacktools. Google Drive and OneDrive follow closely behind because they are ubiquitous cloud storage apps widely used in the enterprise. Adversaries attempt to exploit the familiarity end users have with these apps to deliver malware. Other top apps include Amazon S3 and Box for similar reasons: attackers can easily host files there and hope to exploit the familiarity factor. The numbers indicate that this familiarity effect is real, as the apps leading the pack are those with which users are most familiar.

                                              Threat Labs Report - Asia 2024:

                                              Netskope Threat Labs tracks adversaries actively targeting Netskope customers to understand their motivations, tactics, and techniques, so that we can build better defenses against them. We generally categorize adversary motivations as either criminal or geopolitical. The three top adversary groups targeting organizations in Asia over the past year were criminal groups based in China and Russia.

                                              Smishing Triad

                                              Location: China
                                              Motivation: Criminal

                                              Smishing Triad is a criminal group that focuses on using SMS-based phishing messages to commit financial fraud. Over the past year, Netskope has seen the most activity from Smishing Triad in India and Singapore. They tend to rely on URL shorteners to mask the true destination of the links in their messages.

                                              TA577

                                              Location: Russia
                                              Motivation: Criminal
                                              Aliases: Hive0118

                                              TA577 has been targeting multiple industries worldwide, delivering malware payloads, including Qbot, Ursnif, and Cobalt Strike. Targets in the past year were spread throughout the region, including in India, Japan, the Philippines, and Singapore.

                                              Evil Corp

                                              Location: Russia
                                              Motivation: Criminal
                                              Aliases: Indrik Spider, Manatee Tempest, DEV-0243
                                              Mitre ID: G0119

                                              In their early days, Evil Corp primarily used the banking Trojan Dridex before pivoting to ransomware and using BitPaymer, WastedLocker, and Hades. Evil Corp uses JavaScript to deliver their payloads and uses the popular red team tool Cobalt Strike to establish persistence in victim environments. In the past year, they have targeted victims throughout the region, including in Malaysia, Indonesia, India, Singapore, and Japan.

                                              Attributing activity to a specific adversary group can be challenging. Adversaries try to hide their true identities or even intentionally launch false-flag operations wherein they try to make their attacks appear to come from another group. Multiple groups often use the same tactics and techniques, some going as far as to use the same tooling or infrastructure. Defining adversary groups can be challenging as groups evolve or members move between groups. Adversary attributions are fuzzy and subject to change and evolve as new information comes to light.

                                               

                                              Data security link link

                                              Data security is top of mind for organizations in Asia, with 73% of organizations in the region using data loss prevention (DLP) to help control the flow of sensitive data, and 19% of users violating organizational data security policies. The most common violations involve uploads of various types of data to unauthorized locations. The most common data types involved in data policy violations were regulated data (including personal, financial, and healthcare information) that accounted for more than half of all violations.

                                              Threat Labs Report - Asia 2024:

                                               

                                              GenAI data security link link

                                              GenAI data security represents a growing risk facing organizations in Asia, with the primary risk being leaks of sensitive data to unapproved apps.

                                               

                                              Aggressive adoption

                                              GenAI adoption in Asia has mirrored worldwide trends, with 93% of organizations in Asia using generative AI and averaging nine genAI apps per organization. The most popular apps include chatbots, writing assistants, copilots, and note-taking apps, led by ChatGPT.

                                              Threat Labs Report - Asia 2024: Most popular genAI apps based on the percentage of orgs using those apps

                                              Mitigating controls

                                              To manage data security in this environment of aggressive adoption, 98% of organizations in Asia have controls in place to limit the use of genAI apps. This section lists each of the controls and provides more insights into their application.

                                              Blocking apps that serve no legitimate business purpose

                                              Organizations in Asia are more aggressive than other regions in blocking genAI apps that serve no business purposes, with an average of 4.6 apps blocked per org and the top organizations blocking more than 70 apps per month. For comparison, organizations in Australia average 2.3 apps blocked with the top organizations blocking 50. How many apps an organization blocks appears to be a matter of preference and not correlated with factors such as industry or organization size. The most blocked apps belong to multiple categories, including writing assistants, chatbots, image generators, and audio generators, bearing many similarities with global trends.

                                              Threat Labs Report - Asia 2024:

                                              DLP

                                              DLP as a genAI control is rapidly gaining popularity in Asia, as it was in use in only 25% of organizations one year ago, as compared to being used in 51% of organizations today. This rapid growth outpaces global averages and is expected to continue into 2025, with the gap between 51% of organizations using DLP for genAI and 73% using DLP in general suggesting growth opportunity. While regulated data dominated DLP violations in general, the most common type of DLP violation for genAI apps in Asia is source code, accounting for 66% of violations.

                                              Threat Labs Report - Asia 2024: Types of data policy violations for genAI apps

                                              Real-time user coaching

                                              Organizations in Asia lag behind the rest of the world in adopting real-time user coaching as a genAI control. Real-time user coaching helps users make informed decisions about data security as they are confronted with tough choices. For example, it may remind a user that a genAI app they are about to use is not on the approved list and ask if they would like to use it anyway. When used in conjunction with DLP, it might notify a user that a prompt they are posting contains sensitive information and ask if they would like to proceed in sending it anyway. This strategy empowers users to make the right choice themselves. Only 21% of organizations in Asia are currently using real-time user coaching as a genAI control, lagging behind Australia’s 53% and the global average of 31%.

                                               

                                              Recommendations link link

                                              Netskope Threat Labs recommends organizations in Asia review their security posture to ensure that they are adequately protected against these trends:

                                              • Inspect all HTTP and HTTPS downloads, including all web and cloud traffic, to prevent malware from infiltrating your network. Netskope customers can configure their Netskope NG-SWG with a Threat Protection policy that applies to downloads from all categories and applies to all file types.
                                              • Ensure that high-risk file types like executables and archives are thoroughly inspected using a combination of static and dynamic analysis before being downloaded. Netskope Advanced Threat Protection customers can use a Patient Zero Prevention Policy to hold downloads until they have been fully inspected.
                                              • Configure policies to block downloads from apps and instances that are not used in your organization to reduce your risk surface to only those apps and instances that are necessary for the business.
                                              • Configure policies to block uploads to apps and instances that are not used in your organization to reduce the risk of accidental or deliberate data exposure from insiders or abuse by attackers.
                                              • Use an Intrusion Prevention System (IPS) that can identify and block malicious traffic patterns, such as command and control traffic associated with popular malware. Blocking this type of communication can prevent further damage by limiting the attacker’s ability to perform additional actions.
                                              • Use Remote Browser Isolation (RBI) technology to provide additional protection when there is a need to visit websites that fall into categories that can present higher risk, like newly observed and newly registered domains.

                                               

                                              Netskope Threat Labs link link

                                              Staffed by the industry’s foremost cloud threat and malware researchers, Netskope Threat Labs discovers, analyzes, and designs defenses against the latest cloud threats affecting enterprises. Our researchers are regular presenters and volunteers at top security conferences, including DefCon, BlackHat, and RSA.

                                              About This Report link link

                                              Netskope provides threat protection to millions of users worldwide. Information presented in this report is based on anonymized usage data collected by the Netskope One platform relating to a subset of Netskope customers with prior authorization.

                                              This report contains information about detections raised by Netskope’s Next Generation Secure Web Gateway (SWG), not considering the significance of the impact of each individual threat. Stats in this report are based on the period starting October 1, 2023 through October 31, 2024. Stats reflect attacker tactics, user behavior, and organization policy.

                                              Threat Labs Reports

                                              In the monthly Netskope Threat Labs Report, you will find the top 5 malicious domains, malware, and apps that the Netskope Security Cloud platform blocked plus recent publications and a threat roundup.

                                              Browse reports
                                              Threat labs

                                              Accelerate your security program with the SASE Leader

                                              Get Started