This past month has been tumultuous for cloud threats. In the latest monthly Netskope Threat Labs Report, the data confirmed that threat actors’ abuse of cloud services continued relentlessly. In February, 65% of malware was downloaded from a legitimate cloud app, in line with the average value of the past 12 months (after the peak of 80% achieved in February 2021). In terms of the most exploited services, Google Drive has declined for the fifth month in a row, reaching a 12-month low. This trend was probably driven by the additional protections that Google has recently put in place to warn users when they open potentially malicious content. That’s precisely the opposite of what happened to Microsoft OneDrive, which is steadily leading the unwelcome chart of the most exploited services, reaching a 12-month high with a 45% share.
Even though Microsoft and Google services together account for 82% of the malware downloads across all cloud apps, they are not the only services to be exploited for malicious purposes. In fact, the distribution of malicious content is just one way threat actors can abuse a cloud service.
Consider as an example Microsoft OneDrive. Not only does it firmly hold the scepter of the most commonly abused cloud service to deliver malware, but it’s also interesting to note that state-sponsored actors increasingly abuse its API to host Command and Control (C&C) infrastructures for cyber-espionage campaigns. In fact, the weaponization of legitimate cloud services for C&C is an increasingly common trend in cyber espionage campaigns, and most importantly, it is not limited to OneDrive.
More Cyber Espionage Campaigns Are Exploiting Legitimate Cloud Services for their Command and Control Infrastructure
The Russian cyber-espionage group APT28 (AKA Fancy Bear) has always been at the forefront of cloud-native threats, having been among the first advanced persistent threat (APT) groups to understand the potential of cloud services as both targets and launchpads of evasive attacks.