New Netskope Cloud and Threat Report Exposes Increasing Use of Cloud Apps for Spreading Malware …

A new report from Netskope reveals that cybercriminals are increasingly targeting organizations using cloud apps.
Cloud apps accounted for 19% of all clicks on spearphishing links, making it the top technique used by threat actors.
The report also highlights the attackers’ motivations, whether financial or geopolitical.
The report groups the techniques used by attackers into four categories: initial access, malicious payload execution, command and control, and exfiltration.
In terms of initial access, social engineering is the most common method used by attackers, including spearphishing emails, voice-based attacks (vishing), SMS-based attacks (smishing), and targeting social networks.
Among the phishing links clicked by users, cloud apps represented the highest percentage (19%), followed by e-commerce websites (16%).
Microsoft products, particularly OneDrive, were the most frequently targeted cloud apps.
Attackers employ various strategies to reach their targets, such as using search engine optimization, leveraging social media platforms and messaging apps, targeting users through voicemail and text messages, and compromising personal email accounts.
PDF files are commonly used for phishing attacks (90% of attacks with attached files use PDFs) due to their widespread usage in enterprises.
Attackers create fake invoices and obfuscate malicious URLs or phone numbers to evade security solutions.
In terms of executing malicious payloads, cloud storage apps are being used more frequently (55%) than web storage (45%).
Microsoft OneDrive is the most commonly used cloud storage app for hosting malware (26%), followed by SharePoint (10%) and GitHub (9.5%).
Attackers primarily use HTTP (67%) and HTTPS (52%) protocols for communication between their malicious payloads and command and control servers.
These protocols are typically allowed for users and are not filtered by firewalls.
The Domain Name System (DNS) protocol is used in 5.5% of malware communications, and while it is not blocked or filtered, it is less stealthy and transmits less data than HTTP or HTTPS.
The report identifies Wizard Spider as the most prevalent threat actor, responsible for the TrickBot malware.
Many cybercrime groups use an affiliate model, and Wizard Spider is no different, with affiliates utilizing TrickBot and various ransomware families.
Financially motivated threat actors predominantly originate from Russia and Ukraine, often distributing ransomware.
Geopolitical threats largely come from China, with menuPass (also known as APT10, Stone Panda, or Red Apollo) and Aquatic Panda being notable actors.
The financial services and healthcare industries are the most targeted by geopolitical actors.
To mitigate these cloud security threats, companies are advised to deploy email security solutions that can analyze attached files and links to detect phishing and malware.
User education is crucial in identifying and avoiding phishing and social engineering schemes.
Keeping software and operating systems up to date and patched is also important to prevent compromise through common vulnerabilities.
Link: https://www.massblog.xyz/new-netskope-cloud-and-threat-report-exposes-increasing-use-of-cloud-apps-for-spreading-malware/

