Malware in the Cloud 101

By Todd Clarke, revised and edited by Bachir El Nakib

Malware is a shorthand and umbrella term that describes all malicious software — any software program that intentionally acts against the requirements of the computer user. Because it is an umbrella term, malware also refers to pretty much any form of hostile or intrusive software, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware, and so on.

While the name and application of different malware varies, each aims to do something sinister to your operating system, including damaging or disabling computers, computer systems and mobile operations, or gaining access to private computers, gathering sensitive information and displaying unwanted advertising.

What Malware Tries to Accomplish:

  • Steal Personal Information
  • Steal Financial Information
  • Steal Business Information
  • Steal Guarded Information
  • Disrupt Operations
  • Sabotage Operations
  • Monitor Users’ Web Browsing
  • Display Unsolicited Advertisements
  • Redirect Affiliate Marketing
  • Demand Payment of Users
  • Control a Computer for Illicit Purposes

Where Malware Hides

Malware generally has a criminal purpose (rather than strictly sabotage), but it’s important to understand just how sneaky and sophisticated it can be. And, while it’s primarily found in e-mail and via the web, malware can also be hidden and packaged with user-installed software updates and through social media scams.

The Growth of Malware

The use of malware is unfortunately growing. In 2008 it was suggested that the creation of malicious code and software was outpacing legitimate software programs, and in 2015, CNN Tech reported that “nearly 1 million new malware threats were released each day.”

Defend Your Company Against Malware

As it becomes increasingly hard for individuals and businesses to stay safe online — and as hackers become more creative — it’s more important than ever to make sure that your computer system (or network of systems) isn’t vulnerable to an attack.

Companies have underestimated the scope of cloud adoption by nearly 10 times. Its rapid rise has created a new effect: a “cloud attack fan-out.” With so many devices now connected to the cloud, the attack surface has increased. Sync and share activities have increased data velocity in the cloud, and the propensity for, and severity of, malware attacks have intensified.

Working in cybersecurity, this is not breaking news. But with all the hype surrounding cloud security, how concerned should we be about malware aimed at public, private and hybrid clouds?

Cloud-hosted malware is prevalent in popular cloud apps, such as Box, Dropbox, Office 365 and Google Drive, which are used every day by millions of people. File-hosting repositories like these are prime targets for phishing emails, which provide links to infected files or to malicious JavaScript on web pages that directs users to download infected files.

And, of course, there’s ransomware, droppers and plenty of others.

Netskope reported that nearly 44 percent of malware in enterprise cloud apps delivered ransomware. More concerning, 56 percent of malware-infected files in cloud apps are shared with internal or external users, or even publicly.

Enterprise users allow access to files each day while doing their work, not thinking about the security implications downstream. This is how we currently work in the age of the cloud — and attackers exploit this.

Up to 77 percent of the cloud storage apps we use every day are not yet “enterprise ready.” It’s even worse for other types of cloud services. Cloud providers are often pressured to meet only minimum security requirements to “get in the door” and start collecting revenue. Security is simply an “add on” as they further develop the product.

Easy to see how security holes develop, right?

We’ve created an ecosystem users love. But attackers love it more.

Sure, most cloud providers are quick to respond to incidents and emerging threats by removing malicious files and closing down accounts. But this becomes a scalability issue. There’s only so much a limited number of support people and resources can do. Is more automation needed? Absolutely. But there is still more to do than we can currently handle.

The role of shadow IT

While many security professionals have been anti-shadow IT, most now see its prevalence as an opportunity to leverage employees to improve enterprise security.

A Skyhigh Networks study shows:

  • Shadow IT is at least 10 times the size of known cloud usage
  • 72 percent of companies don’t know how prevalent shadow IT is in their own company
  • The average organization uses 1,427 different cloud services and 57 different file sharing services
  • The average employee uses 30 cloud services
  • Only 8.1 percent of more than 17,500 cloud services used in enterprises meet strict data security and privacy requirements
  • 80 percent of workers admit to using SaaS applications at work, approved or not

With cloud usage growing four times faster than IT staffing (at 27 percent annually, compared to 6.7 percent for IT), IT is not equipped to handle the spike in shadow IT use.

IT is no longer able to best manage the physical infrastructure of apps either. Yet, IT is still responsible for ensuring security and compliance for the corporate data that employees upload to the cloud.

Many IT shops block cloud apps, at least the ones they know about. The big hurt here: people will find, and use, other lesser-known, potentially riskier apps in their place. Ouch.

Consider these questions to help you plan for a more secure cloud services solution:

  • Which services are your people using?
  • What are the categories for those services (e.g., file sharing, social media, collaboration)?
  • Which services are becoming popular and, thus, should be considered for enterprise-wide adoption?
  • How effective are your firewalls and proxies at identifying cloud services and enforcing acceptable policies?
  • Which redundant services should be eliminated?
  • How can you quantify risks and compare to industry peers?
  • What are the security capabilities for services storing sensitive data?

The usual suspects

Ransomware: Ransomware is certainly a hot topic these days. It seems primed to continue to be the biggest malware player for a while. It took in a billion dollars in 2016. With that kind of payoff, you can bet there’ll be more of these cyber criminals getting into the game. Ransomware is a sophisticated piece of malware that blocks victims’ access to their files. The only way to regain access to the files is to pay a ransom. Encryptors block system files. Lockers lock victims out of the operating system, making it impossible for them to access their own desktop, apps and files.

This type of malware is most intrusive when it lives on servers and cloud-based file-sharing systems, accessing a business’s core. Businesses, financial institutions, government agencies, academic institutions, healthcare organizations and other types of organizations can and have been infected with ransomware. This destroys sensitive or proprietary information, disrupts daily operations and, of course, inflicts financial losses. Attackers aim at targeted files, databases, CAD files and financial data. Ransomware can also harm an organization’s reputation or, in the case of healthcare, harm lives.

It is easy to understand why this is such a lucrative business model for criminals.

Droppers: Droppers are a type of Trojan. Droppers gain a foothold on a computer, exploit known vulnerabilities, then deliver a second-stage payload to inflict damage. They learn and adapt. You can think of a dropper as a malware package.

Email: Email is still a major attack vector used to target businesses. Cybercriminals use spam email to infect end users with information-stealing malware, file-encrypting ransomware and credential-stealing phishing attacks. Email-borne attacks are still highly profitable. The attacks require little effort and criminals are able to bypass security controls by targeting end users.

How do ransomware hackers collect? They use Bitcoin or another type of cryptocurrency. Bitcoin is a secured, distributed payment system. Most ransomware attackers display the amount of the fee in Bitcoins. Victims transfer the money from account A into account B, which anyone can see. But no one knows who owns those accounts or who is conducting the traffic between them. Bitcoin breaks the original payment into several parts, then sends them on to different accounts, using multiple transfers. This makes catching any attackers nearly impossible.

A decade ago, malicious hackers may have enjoyed creating corporate havoc, just for the fun of it. Today, it’s big business.

Expert advice

Andrew Hay, CTO at LEO Cyber Security, suggests information security professionals step back to look at your security program as a whole:

  • Do you have coverage for the prominent data theft occurring these days?
  • Do you have backups for critical systems?
  • Can you restore those backups?
  • Have you tested those backups?

In other words: Can you maintain business continuity in the face of an attack?
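The backup questions above are only answered by actually running a restore. The following is an added example, not code from the article or from LEO Cyber Security: it backs up a constructed sample file share, restores the archive into a scratch directory, and checks every file against a SHA-256 manifest taken before the backup, so a backup that silently captured already-encrypted or truncated data fails the drill instead of being discovered during an incident. All paths and file contents are constructed for the example.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(src: Path, archive: Path) -> None:
    """Archive the tree at src into a gzip-compressed tar file."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname="share")


def restore_and_verify(archive: Path, expected: dict) -> dict:
    """Restore the archive into a scratch directory and compare the result with
    the manifest taken before the backup. ok is True only on an exact match."""
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}  # safe extraction where available
    with tempfile.TemporaryDirectory() as tmp:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(tmp, **opts)
        except tarfile.TarError as exc:  # unreadable or truncated archive: nothing restored
            return {"ok": False, "error": str(exc), "missing": sorted(expected), "changed": [], "extra": []}
        got = manifest(Path(tmp) / "share")
    missing = sorted(set(expected) - set(got))
    extra = sorted(set(got) - set(expected))
    changed = sorted(k for k in expected.keys() & got.keys() if expected[k] != got[k])
    return {"ok": not (missing or extra or changed), "missing": missing, "changed": changed, "extra": extra}


def drill(corrupt_before_backup: bool = False) -> dict:
    """Run the whole drill on a constructed sample share. With corrupt_before_backup,
    one file is overwritten after the manifest is taken, modelling a backup job that
    captured data a ransomware encryptor had already replaced."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "share"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "q3.csv").write_text("acct,amount\n1001,250.00\n")  # constructed sample
        (src / "notes.txt").write_text("meeting notes\n")                     # constructed sample
        expected = manifest(src)
        if corrupt_before_backup:
            (src / "finance" / "q3.csv").write_bytes(b"\x00ENCRYPTED\x00")
        archive = Path(work) / "share.tar.gz"
        backup(src, archive)
        return restore_and_verify(archive, expected)
```

Calling `drill()` returns a report with `ok` True, while `drill(corrupt_before_backup=True)` reports `finance/q3.csv` under `changed`; in a real drill the manifest would be taken from the live share and kept apart from the backup media.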

Often, only the most mature organizations have robust plans in place. Even then, many of those companies have allowed their plans to become stale. Now is the time to go through your policies, plans, procedures and guidelines to determine if you are measuring the right things for the success of your security programs. Perhaps it’s time to analyze and rewrite your cloud security plans?

Ben Eu, a partner within the infrastructure and endpoint security practice at IBM, places an emphasis on endpoints and a zero-trust architecture. More than ever, workers use laptops and other portable devices outside of the corporate network. Therefore, we can better understand and optimize the data flow between these endpoints. Cyber threat modeling can help develop a list of the different types of attacks, learn how attackers gained access, then determine how to remove this threat type.

Heat maps also help. Use these to show areas having coverage (including multiple coverage) and areas with no coverage. Consider appropriate software apps to help cover any holes, or perhaps a new security stack altogether.

Some steps to start on a path to zero trust:

  • Identify your sensitive data before investing in security controls. Once done, make the data classification useful … and simple.
  • Map how your sensitive data flows across the network and between users.
  • Architect your network to see how transactions flow and how users and applications access unsanctioned data. Identify areas to optimize, such as physical vs. virtual gateways, for example.
  • Automate rules to enforce access control and limit access on a need-to-know basis.
  • Continuously monitor to log and inspect all traffic for malicious activity and areas of improvement. Internal traffic should be held to the same standard as external traffic.

Todd Clarke is a freelance writer based in Seattle, Wash. This is his first article for Cloud Security Insights.
