Cybercriminals targeting cloud services amid shift to remote working

Attackers are increasingly hitting collaboration services such as Microsoft 365 to access cloud accounts with stolen credentials, says McAfee.

The move to remote working spurred by the coronavirus pandemic has triggered a surge in the use of cloud services. Such virtual meeting and collaboration platforms as Microsoft 365, Microsoft Teams, Zoom, Cisco's Webex, and Google Hangouts have all seen increased demand. But that trend has also made these services and their users more of an open target for cybercriminals looking to capture or exploit account credentials. The "Cloud Adoption and Risk Report" released Wednesday by McAfee shows how attackers are taking advantage of cloud services and what organizations can do to better protect themselves.

Based on cloud-usage data from 30 million McAfee MVISION cloud users between January and April 2020, the security provider found a 50% increase overall in the use of cloud services. Some of the largest gains have been seen with Webex, Zoom, Microsoft Teams, and Slack across such industries as manufacturing, education, real estate and construction, government, and financial services.

A rise in cloud access has also been observed from unmanaged devices, typically personal devices owned by the user and not approved or managed by IT.

The volume of cyberthreats against cloud services has shot up by 630% since the start of the year, with the greatest focus on collaboration tools such as Microsoft 365. Many of the attacks are likely opportunistic, using stolen account credentials in password spraying campaigns. McAfee groups these threats into two categories:

  • Excessive use from an anomalous location. In this instance, the access comes from a location not previously seen and atypical for the user's organization. The attacker tries to access a high volume of data, in some cases using privileged accounts.
  • Suspicious superhuman. In this case, the login attempts come from multiple locations within a short period of time, covering distances that would be impossible to travel so quickly. As one example, the same user account tries to sign into Microsoft 365 in Singapore and then signs into Slack in California just five minutes later.

Figure: Cloud threat events across all industries. (Image: McAfee)
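The "suspicious superhuman" category above is what detection engineers usually call impossible travel. The following is an added example (not McAfee's code, and not from the report) showing how a defender can correlate sign-in events across services per user, compute the great-circle distance between consecutive sign-in locations, and flag any pair whose implied speed exceeds a plausible ceiling; the speed ceiling, the geo-IP jitter tolerance and the sample events are all assumptions constructed here.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed ceiling: faster than any airliner
GEOIP_JITTER_KM = 50.0      # assumed tolerance for geo-IP imprecision

@dataclass
class Login:
    user: str
    service: str
    when: datetime   # timezone-aware UTC timestamp
    lat: float
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh.
    Returns (previous_login, current_login, required_kmh) tuples, oldest first."""
    last_seen, alerts = {}, []
    for cur in sorted(logins, key=lambda l: l.when):
        prev = last_seen.get(cur.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600
            if km > GEOIP_JITTER_KM:
                # a real displacement in zero elapsed time is impossible too
                kmh = float("inf") if hours == 0 else km / hours
                if kmh > max_kmh:
                    alerts.append((prev, cur, kmh))
        last_seen[cur.user] = cur
    return alerts

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)

# Constructed sample events: alice mirrors the report's Singapore -> California case
SAMPLE_LOGINS = [
    Login("alice", "Microsoft 365", ts("2020-04-01 09:00"), 1.3521, 103.8198),    # Singapore
    Login("alice", "Slack",         ts("2020-04-01 09:05"), 37.7749, -122.4194),  # California
    Login("bob",   "Microsoft 365", ts("2020-04-01 08:00"), 51.5074, -0.1278),    # London
    Login("bob",   "Webex",         ts("2020-04-01 10:30"), 51.4545, -2.5879),    # Bristol, 2.5 h later
]
```

Running `impossible_travel(SAMPLE_LOGINS)` flags only alice's pair, whose 5-minute hop would require well over 100,000 km/h, while bob's two-and-a-half-hour London-to-Bristol move stays within the ceiling.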

Among targeted industries, transportation and logistics were hit by the largest increase in cyberthreats, followed by education, government, manufacturing, financial services, and then energy and utilities. Based on IP address, the top countries from which the attacks stem include Thailand, the US, China, India, Brazil, Russia, Laos, Mexico, New Caledonia, and Vietnam. The top ten are all outside of Europe, which, as McAfee points out, is home to some of the tightest data protection laws in the world.

"The risk of threat actors targeting the cloud far outweighs the risk brought on by changes in employee behavior," Rajiv Gupta, senior vice president of Cloud Security for McAfee, said in a press release. "Mitigating this risk requires cloud-native security solutions that can detect and prevent external attacks and data loss from the cloud and from the use of unmanaged devices. Cloud-native security has to be deployed and managed remotely and can't add any friction to employees whose work from home is essential to the health of their organization."

To help organizations rethink and tighten their cloud security, McAfee offers the following suggestions:

  1. Think cloud-first. A cloud-centric security mindset can support the increase in cloud use and combat cloud-native threats. Enterprises need to shift their focus to data in the cloud and to cloud-native security services so they can maintain full visibility and control with a remote, distributed workforce.
  2. Consider your network. Remote work reduces the ability of hub-and-spoke networking to work effectively with scale. Network controls should be cloud-delivered and should connect remote users directly to the cloud services they need.
  3. Consolidate and reduce complexity. Cloud-delivered network security and cloud-native data security should smoothly interoperate, ideally being consolidated to reduce complexity and total cost of ownership and increase security effectiveness and responsiveness.
  4. Implement a cloud-based secure web gateway so that corporate devices are protected against web-based threats without requiring routing through a VPN.
  5. Allow employees to connect to sanctioned cloud services from their corporate devices without using their VPN by protecting data with a cloud access security broker (CASB).
  6. Set the policy in your CASB so that cloud services have device checks and data controls and are protected from attackers who can access Software as a Service (SaaS) accounts over the internet.
  7. Let employees use their personal devices to access corporate SaaS applications to maintain productivity, with conditional access to sensitive data in the cloud.
