Cloud malware leads to high-speed impact

During the CSA Summit at At RSA’s 2016 Conference, Netskope warned how cloud synchronization services can spread malware infection throughout an enterprise.

SAN FRANCISCO -- While cloud apps themselves are rarely breached or directly infected with malware, Netskope says they've proven to be a major asset to threat actors looking to spread malicious attacks to as many users and organizations as possible.

Krishna Narayanaswamy, chief scientist at cloud access security broker Netskope, discussed those cloud malware threats during his keynote presentation at the Cloud Security Alliance Summit during Monday's pre-event activities at RSA Conference 2016. Narayanaswamy presented research that described a "fan out" effect where malicious files or code infect a single user's client device and are able to spread quickly through cloud services.

Netskope looked at hundreds of different sanctioned cloud apps used by more than 500 of its customers to measure "the prevalence of malware in cloud applications." While the research found that only 4.1% of cloud apps contained some kind of malware, Netskope determined there was a bigger problem lurking behind the scenes.

"This is pretty significant because one of the channels that people are not aware of, which is the cloud, can have a pretty serious effect on the spread of malware," Narayanaswamy said.

Infectious cloud malware

Specifically, Netskope found that the small amount of cloud malware detected in cloud apps was able to infect many more users beyond the initial infected device through file sharing and cloud synchronization services. "Some of those files are in sync folders, and guess what? Our sync folders are set up to sync directly to the cloud," he said. "This is what we call the "fan out" effect of malware in the cloud."

Narayanaswamy presented a case study of an enterprise client that inadvertently spread ransomware through a cloud app; a hiring manager was hit with a ransomware infection through a resume file that had been received via email. But the file was then moved to a folder that automatically synchronized with a cloud app, which delivered the file to other users within the organization. Once the resume file was opened by a user, the ransomware executed and encrypted each individual device or system. Instead of affecting just the initial user, Narayanaswamy said, the ransomware spread quickly to other users and endpoints that were connected to that cloud synchronization service.

"In this case, the lateral movement of malware is pretty much automated [with cloud synchronization]," Narayanaswamy said. "The effect of this malware spreads in a matter of seconds."

Preventing cloud malware

While many enterprises are worried about what's going out from their cloud services, Narayanaswamy said companies also need to worry about what's coming into the services to prevent cloud malware from spreading across the user base. In addition to taking basic precautions, such as regularly backing up data and monitoring cloud apps for anomalous behavior or signs of data exfiltration, Narayanaswamy urged enterprises to take additional steps such as enabling the automatic deleting or trashing of cloud files that have been overwritten. That way, he said, a file that is potentially harmful won't be allowed to linger indefinitely inside the cloud service and put additional users at risk.

Next Steps

See tips for tackling cloud-based app security.

Learn the three best practices in cloud app security.

Examine the merits of cloud malware analysis tools.

Dig Deeper on Cloud Security Services: Cloud-Based Vulnerability Scanning and Antivirus