How Poor Visibility Over Cloud Apps Can Expose Organizations to Cyber Risks

essidsolutions

The shift to remote work has led most organizations to move their workloads to the cloud. Spiceworks Ziff Davis’ State of IT 2021 report shows that 35% of organizations have either already migrated or plan to accelerate the migration of workloads to the cloud due to COVID-19. While this has helped them survive and grow in a very stressful time, the shift has also triggered a wave of malware attacks via cloud apps. Unabashed use of shadow IT apps to cut costs, personal apps to save work data, and third-party plugins to enhance functionality are standard practices that have heightened the risks in many organizations.

According to a July 2021 report by Netskope Threat Labs, malware attacks leveraging the cloud have increased by 68%, an all-time high. Cloud storage apps accounted for 66.4% of malware delivered through the cloud, while malicious Office docs were used in 43% of all malware downloads, up from 20% a year ago. Despite cloud-based services having built-in threat detection and security filters, millions of threats continue to evade detection.

“Cloud apps provide a fertile entry point for attackers as they’re designed to be exposed to the internet and serve large user traffic. Although all modern cloud apps are being built with resiliency in mind, they can also suffer from various vulnerabilities and misconfigurations. These risks can allow attackers to gain access to the cloud network and provide reach to critical business databases,” says Om Moolchandani, co-founder, CTO and CISO at Accurics, a cloud cyber resilience company. 

Experts feel the main concern with cloud apps is that they are a new attack vector for most end-users, and so they don’t know how much caution they should exercise while using them. “Overall, the trend we’ve seen for cloud app abuse by threat actors is focused on using cloud storage to host malicious documents or malware. Attackers have a leg up on this in no small part because it’s a vector that is simply new to most people, and so they exercise less caution than they might otherwise exercise,” warns Christopher Budd, Senior Threat Communications Manager at Avast.  

How Cloud Apps Can Compromise Sensitive Data

Cloud storage, collaboration, development tools, webmail, and IaaS/PaaS are some of the cloud app categories most used for malware attacks, as per the Netskope report mentioned earlier. With accelerated cloud migration, the use of cloud apps also shot up among enterprise users. Video calling app Zoom reported a 458% year-over-year (YoY) growth in its customer base in July 2020. It was downloaded 2.13 million times in a single day last year after many organizations decided to switch to remote work. Within days, attackers exploited vulnerabilities in Zoom and went on a rampage, hijacking virtual meetings, eavesdropping, and stealing sensitive information.

“Attackers targeting cloud apps act like they always have – using legitimate tools in a non-legitimate way. For example, attackers can compromise the hypercall handler – which is typically used for granting permissions for cloud endpoints – to launch a malware-spread campaign through all of your cloud-situated virtual machines. Any of your basic services can be compromised – just like how any on-premise software in an enterprise network can be compromised,” cautions Pavel Kuznetsov, Deputy Managing Director, Cybersecurity Technologies at Positive Technologies. 


Following the success of the Emotet malware, which spread through emails containing Word documents with malicious macros, other threat actor groups have emulated the technique. Netskope reported a 20% YoY jump in the use of such documents since the start of 2020.

Malware-infected files and docs are among the classic methods of malware delivery. As organizations became more cyber resilient, the avenues available for threat delivery narrowed. However, some avenues, such as email, remain open and have proven to be quite effective.

“Emails communicate beyond organizational boundaries and can carry malicious payloads, such as attachments and files. This unparalleled connectivity makes email a perfect logistics partner for attackers as a carrier for malware and threats using infested files, spreadsheets, Word documents, PDFs and more. That’s one of the main reasons why this trick still works best and allows attackers to land their cyber weapons directly inside the enterprise perimeter,” says Moolchandani.  

According to Moolchandani, among all file types, attackers’ favorite is still Word docs because of their rich features, such as macros, embedded scripts, HTML and several other productivity and processing capabilities. “Attackers can easily weaponize them to carry out the later stages of an attack, such as enumeration, lateral movement, post-exploitation access, and data exfiltration,” he warns. 

Complexity is another factor that has allowed hackers to exploit cloud apps with higher odds of success. Organizations with 500–2,000 employees now use, on average, 805 different cloud apps per month. To make matters worse, many of these apps have not been vetted or approved by IT teams. Netskope’s report shows that 97% of cloud apps used in the enterprise fall under shadow IT, unmanaged and often freely adopted by business units and users. Many organizations are aware of shadow IT apps but turn a blind eye to them to get the work done and cut costs.

The problem is that when an organization loses control and visibility over data shared between legitimate apps and shadow IT apps, it is no longer in a position to enforce compliance or to implement pen testing or intrusion detection.

The use of personal cloud apps for work-related tasks is another cause for concern. Employees often use the same device for work and personal use and save work files to their personal Google Drive and OneDrive accounts. Though these cloud storage apps are considered safe and secure, they are not entirely free from vulnerabilities. In 2020, security expert A. Nikoci reportedly flagged a flaw in Google Drive’s “manage versions” feature, which attackers could have exploited to distribute malicious files hidden within a legitimate document or image.

Third-party app plugins can also heighten the risk, since threat actors can misuse the access those plugins are granted. Typically, a third-party app only asks for publicly accessible information from a Google profile. Experts warn that apps that request scopes like “View and manage the files in your Google Drive” pose a data security threat because they can leak sensitive data to third parties.

Then there is the risk that emanates from exposing a workload to the public internet. According to Netskope, more than 35% of enterprise workloads in AWS, Azure, and Google Cloud are exposed to the public internet, out of which 8.3% expose the Remote Desktop Protocol (RDP), a popular attack vector.


What Can Enterprises Do to Mitigate Risks

Though cloud migration has its pitfalls, awareness has been growing, and organizations are taking steps to secure cloud apps. Moolchandani believes that AppSec tools can spot many problems, but they don’t have visibility into the broader infrastructure and context where the application runs. Even if a tool knows with 100% confidence that a particular vulnerability exists, it can’t say whether it is exploitable. 

“Teams need to invest a lot of effort into researching a finding’s architectural context before they can decide whether a fix is needed. The signal-to-noise ratio is quite poor. As much as teams would like to improve security, they need a better way to identify the real problems so they don’t waste time on the noise,” he adds.

Some experts feel that implementing strong authentication and identity access controls, and making employees aware of the risks of using cloud apps, can go a long way in mitigating risks.

“Organizations should first focus on implementing access controls and monitoring, performing user awareness training, and ensuring all security settings are correct. And cloud app providers should conduct specific service-related security training for their clients’ technical staff to ensure all these measures are implemented well,” adds Kuznetsov. 

Organizations should also regularly conduct storage scans and security assessments of public cloud services to identify misconfigurations and publicly exposed data. They should embrace more granular policy controls to protect data in transit between apps, between company and personal instances, and across shadow IT and personal devices.

To address security risks associated with APIs (application programming interfaces), Moolchandani advocates a strong partnership between development and security to ensure there is a complete and up-to-date inventory of all the APIs in use across different applications within the organization.

API security solutions are still coming into maturity, so organizations should look for open-source tools that offer API discovery capabilities in addition to automated API scanning. 

“To effectively secure APIs will also require tools that understand the broader context of how APIs fit into the system — for example, whether inputs and callers to a specific API should be treated as trusted or untrusted,” he adds. 


Conclusion

The shift to remote work has increased organizations’ dependence on cloud apps. As the number of apps used for work increases, so does complexity, which makes managing and controlling data movement a nightmare for IT teams. Many of these apps suffer from implementation flaws, vulnerabilities, and incorrect settings, which complicate things even further. Combined with employee negligence, these issues make many organizations sitting ducks for threat actors.
