Over 400 distinct cloud applications delivered malware in 2022, nearly triple the amount seen in the prior year, and 30% of all cloud malware downloads in 2022 originated from Microsoft OneDrive, according to Netskope.
Cloud applications are widely used by businesses, a fact not lost on attackers, who view these apps as an ideal home for hosting malware and causing harm. Researchers examined how these cloud security trends are shifting and advise organizations on how to improve their security posture based on those shifts.
“Attackers are increasingly abusing business-critical cloud apps to deliver malware by bypassing inadequate security controls,” said Ray Canzanese, Threat Research Director, Netskope Threat Labs. “That is why it is imperative that more organizations inspect all HTTP and HTTPS traffic, including traffic for popular cloud applications, both company and personal instances, for malicious content.”
Rise in uploads to cloud apps means rise in cloud-delivered malware downloads
The most significant change in cloud application use in 2022, compared to 2021, was the marked increase in the percentage of users uploading content to the cloud. Over 25% of users worldwide uploaded documents daily to Microsoft OneDrive, while 7% did so for Google Gmail and 5% for Microsoft SharePoint.
The drastic increase in active cloud users across a record number of cloud applications led to a sizable increase in cloud malware downloads from 2021 to 2022, after the figure had remained close to flat from 2020 to 2021.
The correlation between uploads and downloads among the most popular apps is no coincidence. Nearly a third of all cloud malware downloads originated from Microsoft OneDrive, with Weebly and GitHub coming in the next closest among cloud apps at 8.6% and 7.6%, respectively.
Cloud-delivered malware is increasingly prevalent compared with web-delivered malware
Industries have increased their reliance on cloud applications and cloud infrastructure to support business operations over the last several years—a trend further accelerated by the COVID-19 pandemic and a worldwide shift toward hybrid work.
As a result, cloud-delivered malware is now responsible for a much higher percentage of all malware delivery than ever before, especially in certain geographic regions and industries.
In 2022, several geographic regions saw significant increases in the share of malware delivered from cloud apps rather than from the web, compared to 2021, including:
- Australia (50% in 2022 compared to 40% in 2021)
- Europe (42% in 2022 compared to 31% in 2021)
- Africa (42% in 2022 compared to 35% in 2021)
- Asia (45% in 2022 compared to 39% in 2021)
In certain industries, cloud-delivered malware also became more prevalent globally, especially:
- Telecom (81% in 2022 compared to 59% in 2021)
- Manufacturing (36% in 2022 compared to 17% in 2021)
- Retail (57% in 2022 compared to 47% in 2021)
- Healthcare (54% in 2022 compared to 39% in 2021)
Cyber preparedness: the remote workforce is here to stay
Companies have made considerable adjustments to enable remote and hybrid workplaces to flourish. While some industries sought to bring employees back to the office on a more frequent basis in 2022, remote work options appear to remain largely in place.
User dispersion—the ratio of the number of users on the Netskope platform to the number of network locations from which those users’ traffic originates—is 66%, the same percentage it was at the start of the pandemic over two years ago.
Remote and hybrid work dynamics continue to pose multiple cybersecurity challenges, including how to securely provide users access to the company resources they need to do their jobs and how to scalably and securely provide users access to the internet.
Netskope recommends organizations take the following actions to avoid increased risk of security incidents stemming from cloud- and web-delivered malware:
- Enforce granular policy controls to limit data flow, including flow to and from apps, between company and personal instances, among users, and to and from the web, adapting the policies based on device, location, and risk.
- Deploy multi-layered, inline threat protection for all cloud and web traffic to block inbound malware and outbound malware communications.
- Enable multi-factor authentication for unmanaged enterprise apps.
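The first two recommendations above (granular, instance-aware policy and inline threat protection for all cloud and web traffic) are easier to reason about with a concrete evaluator. The following is an added example, not code from Netskope or from the article: it parses constructed proxy log lines, classifies each request by cloud app and by company versus personal instance, applies a small policy that blocks scanner-flagged content and blocks downloads from or uploads to personal instances, and then tallies what share of malicious verdicts came from cloud apps rather than the open web (the metric the article reports). The hostnames, the company tenant `example-my.sharepoint.com`, the log format and every log line are assumptions constructed for the example; a real deployment would take the app catalogue and instance identification from its inspection platform.

```python
"""Instance-aware cloud-app policy evaluator over constructed proxy logs (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed app catalogue: hostname -> cloud app. Assumption: a company instance is
# recognised by its tenant hostname; anything else for the same app is "personal".
CLOUD_APPS = {
    "onedrive.live.com": "OneDrive",
    "example-my.sharepoint.com": "OneDrive",   # constructed company tenant
    "github.com": "GitHub",
    "weebly.com": "Weebly",
}
COMPANY_INSTANCES = {"example-my.sharepoint.com"}

# Constructed log format: "<user> <METHOD> <url> <verdict>", verdict from inline scanning.
LOG_RE = re.compile(r"^(?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<verdict>clean|malicious)$")

# Constructed sample traffic, mixing company/personal OneDrive, GitHub and plain web.
SAMPLE_LOG = [
    "alice GET https://example-my.sharepoint.com/personal/alice/doc.docx clean",
    "bob GET https://onedrive.live.com/download?cid=1234&resid=abcd malicious",
    "bob GET https://onedrive.live.com/download?cid=1234&resid=efgh clean",
    "carol POST https://onedrive.live.com/upload clean",
    "dave GET https://github.com/example/repo/releases/download/v1/tool.zip malicious",
    "erin GET https://www.example.net/installer.exe malicious",
    "frank GET https://www.example.org/ clean",
    "garbled line",   # malformed on purpose; the parser skips it
]


@dataclass
class Request:
    user: str
    method: str
    url: str
    verdict: str   # "clean" or "malicious"


def parse_log(lines):
    """Parse log lines into Request objects, skipping lines that do not match the format."""
    requests = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            requests.append(Request(m["user"], m["method"], m["url"], m["verdict"]))
    return requests


def classify(url):
    """Return (app, instance): app is None for plain web; instance is company/personal/web."""
    host = (urlparse(url).hostname or "").lower()
    app = CLOUD_APPS.get(host)
    if app is None:
        return None, "web"
    return app, ("company" if host in COMPANY_INSTANCES else "personal")


def decide(req):
    """Apply the policy to one request; returns (action, reason)."""
    app, instance = classify(req.url)
    # Inline threat protection applies to every channel, cloud app or web, company or personal.
    if req.verdict == "malicious":
        return "block", "inline scanner verdict"
    # Granular data-flow control: no downloads from, and no uploads to, personal instances.
    if instance == "personal":
        if req.method == "GET":
            return "block", f"download from personal {app} instance"
        if req.method in ("PUT", "POST"):
            return "block", f"upload to personal {app} instance"
    return "allow", "policy default"


def malware_share(requests):
    """Count malicious verdicts by channel and compute the cloud-delivered share."""
    cloud = web = 0
    for r in requests:
        if r.verdict != "malicious":
            continue
        app, _ = classify(r.url)
        if app is not None:
            cloud += 1
        else:
            web += 1
    total = cloud + web
    return {"cloud": cloud, "web": web, "cloud_share": cloud / total if total else 0.0}


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    for r in reqs:
        action, reason = decide(r)
        print(f"{r.user:6} {r.method:4} {action:5} {reason} ({r.url})")
    print(malware_share(reqs))
```

The point of the `classify` step is that a block-or-allow decision keyed only on the app name cannot express the company-versus-personal distinction the article calls for; the same OneDrive download is allowed from the company tenant and blocked from a personal one, while scanner verdicts are enforced regardless of channel.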