The Netskope Cloud Report: The Cloud Malware Fan-out
Published 02/23/2016
By Krishna Narayanaswamy, Co-founder and Chief Scientist, Netskope
Today we released our Cloud Report in which we highlight cloud security findings from October through December of 2015.
This quarter we focus on an important finding from our research team. In scanning many hundreds of our customers’ tenants, we found that 4.1 percent of those enterprises’ sanctioned apps are laced with malware such as trojans, viruses, and spyware. The volume of malware in those apps ranged from a handful of files to many dozens in a customer tenant.
We analyzed the infections and found a “fan-out” pattern in the spread of the malware (or in some cases, the effect of the malware). This is due, ironically, to two critically useful capabilities that the cloud is known for: sync and share.
I’ll show an example of this in full forensic detail during my keynote at next week’s CSA Summit, but let me describe what we saw happen in a number of enterprises that got hit with ransomware recently:
– A user becomes infected with ransomware
– Upon detonation, the ransomware encrypts the files on the user’s hard drive
– Some of the files on the user’s hard drive are in sync folders of a cloud app
– The encrypted versions of the files sync with the cloud app, replacing the cloud versions with the encrypted ones
– Then additional users, with whom the original user had shared the sync folder, sync their desktop client folders with the cloud, and those desktop files become encrypted
We have observed the fan-out effect both for the spread of malware itself and for the spread of the effect of malware, such as encryption in the above example.
Note that our initial research covered only enterprises’ sanctioned apps, which represent less than five percent of total cloud usage. Given this, we believe that both malware and this fan-out effect are far more widespread than the 4.1 percent we observed. As we begin applying this research to unsanctioned apps in our cloud access security broker, we’ll report on what we find in future reports.
What do we recommend to combat this? Five things:
1. Back up versions of your critical content in the cloud. Enable your app’s “trash” feature and set the default purge to a week or more
2. Scan for and remediate malware at rest in your sanctioned apps
3. Detect malware incoming via sanctioned and unsanctioned apps
4. Detect anomalies in your sanctioned and unsanctioned cloud apps, such as unusual file upload activity or other out-of-the-norm behaviors
5. Monitor uploads to sanctioned and unsanctioned cloud apps for sensitive data, which can indicate exfiltration in which malware is communicating with a cloud-based command and control server
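The fan-out sequence above and recommendation 4 (detecting unusual file activity in cloud apps) can be illustrated with a small detector. The following Python is an added example written for this post, not Netskope code or output: it parses a constructed activity-audit export (timestamp, user, action, path), flags a user who modifies many files within a short window where most of the resulting names carry an extension outside the organization’s known document types (the pattern the encryption step produces), and then uses a constructed share table to estimate which other users sync the affected folders and would be hit by the fan-out. The log format, the share table, the extension allow-list and the thresholds are all assumptions chosen for the example.

```python
"""Added example: flag burst modifications in a cloud app's audit log and
estimate fan-out through shared sync folders. Sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from posixpath import dirname, splitext

# Constructed audit export: "<timestamp> <user> <action> <path>" per line.
# This is not a real cloud app's log format.
SAMPLE_EVENTS = """\
2016-01-12T09:00:01Z alice modify /Finance/q4.xlsx
2016-01-12T09:00:03Z alice modify /Finance/q4.xlsx.locked
2016-01-12T09:00:05Z alice modify /Finance/budget.docx.locked
2016-01-12T09:00:06Z alice modify /Finance/forecast.pptx.locked
2016-01-12T09:00:08Z alice modify /Finance/notes.txt.locked
2016-01-12T09:00:09Z alice modify /Finance/HOW_TO_RECOVER.txt
2016-01-12T09:00:11Z alice modify /Finance/payroll.csv.locked
2016-01-12T09:03:30Z bob modify /Marketing/plan.docx
2016-01-12T09:10:00Z carol modify /Finance/q1.xlsx
"""

# Assumed allow-list of document extensions normally seen in these folders.
KNOWN_EXTENSIONS = {".xlsx", ".docx", ".pptx", ".txt", ".csv", ".pdf"}

# Constructed share table: folder -> users who sync that folder to a desktop client.
SHARES = {
    "/Finance": {"alice", "carol", "dave"},
    "/Marketing": {"bob", "alice"},
}


def parse_events(text):
    """Turn the audit export into (timestamp, user, action, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split(maxsplit=3)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, path))
    return events


def burst_modifications(events, window=timedelta(seconds=120),
                        min_files=5, min_unknown_ratio=0.5):
    """Return {user: set(paths)} for users who modify at least `min_files`
    distinct files inside any `window`, where at least `min_unknown_ratio`
    of those files end in an extension not on the allow-list."""
    per_user = defaultdict(list)
    for ts, user, action, path in events:
        if action == "modify":
            per_user[user].append((ts, path))

    flagged = {}
    for user, mods in per_user.items():
        mods.sort()
        start = 0
        for end in range(len(mods)):
            # Slide the window start forward until it spans at most `window`.
            while mods[end][0] - mods[start][0] > window:
                start += 1
            window_paths = {p for _, p in mods[start:end + 1]}
            if len(window_paths) < min_files:
                continue
            unknown = [p for p in window_paths
                       if splitext(p)[1].lower() not in KNOWN_EXTENSIONS]
            if len(unknown) / len(window_paths) >= min_unknown_ratio:
                flagged.setdefault(user, set()).update(window_paths)
    return flagged


def fan_out(flagged, shares):
    """For each flagged user, list the other users who sync the affected
    folders and would receive the modified versions on their next sync."""
    exposure = {}
    for user, paths in flagged.items():
        exposed = set()
        for path in paths:
            exposed |= shares.get(dirname(path), set())
        exposed.discard(user)
        exposure[user] = exposed
    return exposure


if __name__ == "__main__":
    flagged = burst_modifications(parse_events(SAMPLE_EVENTS))
    for user, others in fan_out(flagged, SHARES).items():
        print(f"{user}: {len(flagged[user])} files modified in a burst; "
              f"fan-out reaches {sorted(others)}")
```

In the constructed data only alice trips the detector (seven modifications in ten seconds, five of them with an unknown extension), and the share table shows the burst would fan out to carol and dave through the /Finance folder. In practice the extension heuristic is a supplement to, not a replacement for, scanning content at rest (recommendation 2), since not every ransomware family renames files.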