
topicnews · September 18, 2024

Netskope Threat Labs: Misuse of cloud apps to spread malware in Germany

Netskope Threat Labs today released its latest research report focusing on cloud app threats in the German market. The report highlights the increasing use of the cloud and the rise in data being uploaded and downloaded to cloud applications. In addition, there is a trend where attackers are increasingly using cloud apps, especially popular enterprise apps, to spread malware such as Trojans.

Other important results are:

Use of cloud applications:

  • Cloud apps are ubiquitous in German companies, with the average user in Germany interacting with 16 different cloud apps every month.
  • The two most popular cloud apps in Germany – OneDrive and SharePoint – follow global trends. Other apps such as Microsoft Teams, Outlook and Google Drive are much more popular in other regions.
  • Companies in Germany use a variety of apps that serve both personal and business purposes. This underlines how important it is to have policies in place to ensure the secure handling of sensitive data in both personal and business instances of the same application.

Cloud apps are being abused to spread malware:

  • In Germany, more than half of cloud app abuse by malware is attributed to three specific apps: OneDrive, GitHub and SharePoint.
  • About half of all HTTP/HTTPS malware downloads worldwide come from popular cloud apps, the other half from various places on the web.
  • The most popular apps worldwide are also among the top apps in terms of the number of malware downloads. This is because attackers tend to abuse top apps because of their popularity and trustworthiness, users interact with popular apps, and companies are more likely to allow these apps.
  • In a global comparison, most cloud apps have a similar malware abuse rate in Germany. However, GitHub, for example, was used somewhat more often by attackers targeting users in the German market, while applications such as Azure Blob Storage were more popular in other regions.

Top Malware Families

  • Infostealers were the most commonly observed malware families targeting victims in Germany.
  • The top five malware and ransomware families detected among users in Germany in the last 12 months are Backdoor.Zusy (also known as TinyBanker), Infostealer.AgentTesla, Infostealer.Lumma (also known as LummaC2), Infostealer.RedLine and Phishing.PhishingX.

“Lumma is an infostealer that is often distributed via YouTube videos that use social engineering lures such as cracked software.” Additionally, there have been several recent cases of Lumma being distributed via GitHub – a correlation that suggests it is no coincidence that Lumma and GitHub are in the top malware families and “the top apps for distributing malware,” respectively, explains Paolo Passeri, Cyber Intelligence Principal at Netskope. “In most cases, the infostealers in the top malware families are delivered through social engineering lures – a consequence of the shift in workplace culture where most interactions are remote and human interactions are replaced by digital interactions that make life easier for attackers. This is a trend that Germany is clearly not immune to.”

Netskope Threat Labs recommends that companies in Germany review their security posture to ensure they are adequately protected:

  • Scan all HTTP and HTTPS downloads, including all web and cloud traffic, to prevent malware from entering your network.
  • Ensure that high-risk file types such as executables and archives are thoroughly examined with a combination of static and dynamic analysis before they are downloaded. Netskope Advanced Threat Protection customers can use a Patient Zero Prevention policy to hold back downloads until they are fully examined.
  • Configure policies to block downloads from applications and instances that are not used in your organization, so that your exposure is limited to the applications and instances the business actually needs.
  • Configure policies to block uploads to applications and instances not used within your organization to reduce the risk of accidental or intentional data disclosure by insiders or misuse by attackers.
  • Use an intrusion prevention system (IPS) that can detect and block malicious patterns in traffic, such as command and control traffic associated with common malware. Blocking this type of communication can prevent further damage by limiting the attacker’s ability to perform further actions.
  • Use Remote Browser Isolation (RBI) technology to provide additional protection when visiting websites that fall into categories that may pose a higher risk, such as newly observed and newly registered domains.
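The download and upload policies in the list above (block unsanctioned apps and instances, hold high-risk file types until static and dynamic analysis completes) can be expressed as a small decision function. The following is an added example written for this page, not Netskope code or a Netskope policy format: the log line layout, the sanctioned-app allowlist and the high-risk extension list are all constructed assumptions, and the sample log lines are invented.

```python
"""Toy policy evaluator for cloud-app download/upload events.

Added example (not Netskope's code). The key=value log format,
the SANCTIONED allowlist and HIGH_RISK_EXTENSIONS are assumptions
chosen for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Assumption: which apps are sanctioned, and for which instance type.
# Personal instances of a sanctioned app are deliberately NOT listed,
# mirroring the advice to treat personal and business instances separately.
SANCTIONED = {
    "OneDrive": {"corporate"},
    "SharePoint": {"corporate"},
    "GitHub": {"corporate"},
}

# Assumption: file types that should be held for analysis before delivery.
HIGH_RISK_EXTENSIONS = (".exe", ".msi", ".dll", ".zip", ".rar", ".7z", ".iso", ".js")

# Constructed sample log lines (hypothetical format, not real telemetry).
LOG_LINES = [
    "2024-09-18T10:00:01Z user=alice app=OneDrive instance=corporate action=download file=report.pdf",
    "2024-09-18T10:02:17Z user=bob app=GitHub instance=personal action=download file=installer.exe",
    "2024-09-18T10:05:44Z user=carol app=SharePoint instance=corporate action=download file=tool.zip",
    "2024-09-18T10:07:03Z user=dave app=Dropbox instance=personal action=upload file=customers.csv",
    "2024-09-18T10:09:29Z user=erin app=OneDrive instance=corporate action=upload file=notes.docx",
]


@dataclass
class Event:
    user: str
    app: str
    instance: str   # "corporate" or "personal"
    action: str     # "download" or "upload"
    filename: str


def parse_line(line):
    """Parse one constructed key=value log line into an Event."""
    fields = dict(token.split("=", 1) for token in line.split()[1:])
    return Event(fields["user"], fields["app"], fields["instance"],
                 fields["action"], fields["file"])


def evaluate(ev):
    """Apply the policies in order; return (verdict, reason).

    verdict is one of "allow", "block" or "hold".
    """
    allowed_instances = SANCTIONED.get(ev.app)
    if allowed_instances is None:
        # Unsanctioned app: both uploads and downloads are blocked.
        return "block", f"{ev.app} is not a sanctioned application"
    if ev.instance not in allowed_instances:
        # Sanctioned app, but e.g. a personal instance: block to limit
        # data exposure (uploads) and unvetted content (downloads).
        return "block", f"{ev.instance} instance of {ev.app} is not sanctioned"
    if ev.action == "download" and ev.filename.lower().endswith(HIGH_RISK_EXTENSIONS):
        # Executables and archives wait for static and dynamic analysis.
        return "hold", "high-risk file type held until analysis completes"
    return "allow", "sanctioned application and instance"


def summarize(lines):
    """Count verdicts over a batch of log lines; useful as a policy dry run."""
    return dict(Counter(evaluate(parse_line(line))[0] for line in lines))


if __name__ == "__main__":
    for line in LOG_LINES:
        ev = parse_line(line)
        verdict, reason = evaluate(ev)
        print(f"{ev.user:6} {ev.app:11} {ev.instance:10} {ev.action:9} "
              f"{ev.filename:14} -> {verdict:5} ({reason})")
    print(summarize(LOG_LINES))
```

Running the dry run over the constructed lines blocks the personal-instance GitHub download and the unsanctioned Dropbox upload, holds the archive downloaded from corporate SharePoint, and allows the two corporate OneDrive events. The ordering matters: the instance check runs before the file-type check, so a personal instance is blocked outright rather than merely held.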

The report is based on anonymized usage data collected by the Netskope Security Cloud platform from a subset of Netskope customers who gave prior authorization. It contains information about detections triggered by Netskope’s Next Generation Secure Web Gateway (NG-SWG), without weighting the impact of each individual threat. The statistics in this report cover the period from September 1, 2023 to August 30, 2024 and reflect attacker tactics, user behavior, and broader corporate policies.

The full report can be found here.