
McAfee: Attacks on cloud accounts up 630% during COVID-19

Between January and April amid the COVID-19 pandemic, McAfee found usage of cloud collaboration apps and attacks seeking to steal account credentials both skyrocketed.

External attacks on corporate cloud accounts rose 630% between January and April, according to new research from McAfee.

McAfee's "Cloud Adoption & Risk Report -- Work-from-Home Edition," released today, found that over the same time period, overall enterprise use of cloud services increased by 50%, and use of collaboration services such as Cisco Webex, Microsoft Teams, Slack and Zoom increased up to 600%. The security vendor attributed much of those increases to the COVID-19 pandemic.

"All of our lives have changed over the last four months, and we wanted to see how it's impacted the usage of cloud in particular and if we're seeing any trends compared to what would have happened if it was business as usual," McAfee vice president and fellow Sekhar Sarukkai told SearchSecurity.

Unfortunately, threat actors have also turned their attention to cloud services during the pandemic. Researchers reviewed anonymized data from more than 30 million users of McAfee MVision Cloud, the vendor's cloud access security broker (CASB) offering, over the four-month span. The data showed the 630% increase in external attacks predominantly involved stolen credentials for cloud accounts, with collaboration services being the most popular targets. The report also noted that internal or insider threat activity remained the same during this same period.

McAfee broke down the threat activity into two categories: excessive usage from anomalous locations and "suspicious superhuman." The former involves logins from a region not previously recognized by the organization, while the latter involves multiple logins from geographically distant locations that would be impossible to travel between during a given time period. The report said many of these logins are "likely opportunistic" attacks such as password spraying.
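The two detection categories described above can be expressed as simple rules over login telemetry. The following is an added example, not McAfee's or MVision Cloud's code: it assumes each login event has already been geolocated to a country and coordinates, uses a constructed sample set, and treats an implied travel speed above 900 km/h between consecutive logins as "superhuman".

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

@dataclass
class Login:
    user: str
    time: datetime
    country: str   # ISO code; in practice derived from IP geolocation
    lat: float
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def find_superhuman(logins, max_kmh=900.0):
    """Flag consecutive logins by one user whose implied travel speed
    exceeds max_kmh (assumed threshold, roughly airliner speed)."""
    hits = []
    last_seen = {}
    for ev in sorted(logins, key=lambda e: (e.user, e.time)):
        prev = last_seen.get(ev.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.time - prev.time).total_seconds() / 3600
            # Simultaneous logins from two different places are also impossible.
            speed = float("inf") if hours == 0 and km > 0 else km / max(hours, 1e-9)
            if speed > max_kmh:
                hits.append((ev.user, prev.country, ev.country, round(speed)))
        last_seen[ev.user] = ev
    return hits

def find_new_regions(logins, known_regions):
    """Flag logins from a country the organization has not seen before."""
    return [(ev.user, ev.country) for ev in logins if ev.country not in known_regions]

# Constructed sample events (not real telemetry); approximate city-centre coordinates.
SAMPLE = [
    Login("alice", datetime(2020, 4, 1, 9, 0), "US", 40.7128, -74.0060),   # New York
    Login("alice", datetime(2020, 4, 1, 10, 0), "TH", 13.7563, 100.5018),  # Bangkok, 1 h later
    Login("bob", datetime(2020, 4, 1, 9, 0), "US", 40.7128, -74.0060),     # New York
    Login("bob", datetime(2020, 4, 1, 15, 0), "US", 34.0522, -118.2437),   # Los Angeles, 6 h later
]
KNOWN_REGIONS = {"US"}  # constructed baseline of regions the organization has seen
```

Alice's New York to Bangkok hop implies roughly 13,900 km in one hour and is flagged under both rules; Bob's cross-country login six hours later implies about 650 km/h and is not.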

Researchers also analyzed the IP addresses behind the cloud account attacks and found the top five regions for those addresses were Thailand, the U.S., China, India and Brazil. In addition, the report said the transportation and logistics industry was the most popular vertical for attackers, followed by education and government.

Sarukkai said the pandemic has introduced an inflection point.

"Whenever you see disruption in society, the first location where the bad actors are trying to go and exploit gives you an indication on where the largest threats are going to emerge," he said. "And clearly, we're seeing that probably for the first time ever, attacks in the cloud are happening at a more significant rate than the enterprise network."

Protecting cloud accounts

VPNs are a staple of enterprise security, especially when it comes to working from home. And while VPN usage has skyrocketed during the pandemic, Sarukkai argued that the technology doesn't help at all when it comes to protecting cloud accounts.

"The first thing is, they don't help with unmanaged devices. They don't help when cloud services are considered to be accessible from any location, so you can have controls here but if you've not set up your collaboration service to restrict access only from your enterprise, it doesn't help," he said. "And if you only use these collaboration services to collaborate with third parties, you can't necessarily put on a strong filter to get traffic only from your IP range, so you leave it open, which means anyone can access it. So VPNs give you more visibility into people you expect are behaving well. It does not address the problem of bad actors accessing your cloud."

According to the report, there's been a 2X increase this year in cloud traffic from unmanaged devices, meaning any device not managed by the enterprise itself, such as a personal laptop or mobile device. In addition to using VPNs, McAfee recommended secure web gateways and CASBs to defend against attacks on cloud accounts. The vendor also advised security teams to monitor cloud account activity and craft policies that require logins from authorized devices and provide conditional access for sensitive data.

Sarukkai predicted there will be more threats around data and applications in the cloud "if that's not already the case."

"When you're looking for threats, it's important to look across your entire IT stack, all the way from your endpoint, your network, to the cloud."
