Google Drive accounted for the most malware downloads from cloud storage sites in 2021

Google Drive took the top spot for malicious downloads away from Microsoft OneDrive as attackers created free accounts, uploaded malware and shared documents with unsuspecting users, says Netskope.


The more that cybercriminals can take advantage of a legitimate service, the better their chances of tricking people into falling for their scams. That's why popular services from the likes of Google and Microsoft are exploited in malicious attacks. In fact, Google Drive ended 2021 as the most abused cloud storage service for malware downloads, according to security provider Netskope.


In its "January 2022 Cloud and Threat Report" released Tuesday, Netskope noted that cloud storage apps gained even greater adoption in 2021. For the year, 79% of the customers analyzed used at least one cloud storage app, up from 71% in 2020. The number of cloud storage apps in use also rose. Organizations with 500 to 2,000 employees used 39 different cloud storage apps last year, up from 35 the prior year.

This increased use of cloud applications has naturally excited cybercriminals, who have eagerly abused these apps to deploy malware. For 2021, cloud storage apps accounted for 69% of cloud-based malware downloads, down only slightly from 72% in 2020. These services are ready-made targets for exploitation as attackers can easily create free accounts, upload their infectious payloads and then share malicious documents with potential victims.

For the year, Google Drive took the top spot from Microsoft OneDrive as the cloud storage app with the greatest number of malicious downloads, accounting for 37% of them. OneDrive fell to second place with 20% of the recorded malware downloads. Rounding out the top five were SharePoint with 9%, Amazon S3 with 6% and GitHub with 3%.

Last year's results contrast with those of 2020, in which OneDrive was the most exploited cloud storage app for malicious downloads with 29%, followed by Box with 17%, Amazon S3 with 15%, SharePoint with 13% and Google Drive with just 9%.

Beyond evidence of Google's increasing popularity, there are other reasons why Google Drive surpassed other services in malware downloads last year, according to Netskope. In 2020, the Emotet botnet used Box to deliver most of the malicious Office document payloads. But with Emotet taken down by global law enforcement in early 2021, this activity was dormant for most of the year. To pick up the slack, attackers trying to duplicate the success of Emotet turned to Google Drive to share malicious Office documents.

With cloud-based storage apps such a tempting target for exploitation, how can individuals and organizations protect themselves against malicious documents? Netskope offers the following tips:

  1. Use single sign-on (SSO) and multi-factor authentication (MFA) for both managed and unmanaged apps. Implement adaptive policy controls for step-up authentication based on user, device, app, data and activity.
  2. Implement multi-layered, inline threat protection for all cloud and web traffic to block malware from reaching your endpoints and to prevent outbound malware communications.
  3. Set up granular policy controls to protect your data. Such controls should track and manage data moving to and from apps as well as between your organization and personal instances, including IT, users, websites, devices and locations.
  4. Use cloud data protection to secure sensitive data from internal and external threats across web, email, SaaS, shadow IT and public cloud services. Adopt security posture management for Software as a Service (SaaS) and Infrastructure as a Service (IaaS) models.
  5. Set up behavioral analysis to scan for insider threats, data exfiltration, compromised devices and compromised credentials.

"The increasing popularity of cloud apps has given rise to three types of abuse described in this report: attackers trying to gain access to victim cloud apps, attackers abusing cloud apps to deliver malware, and insiders using cloud apps for data exfiltration," Netskope Threat Labs threat research director Ray Canzanese said in a press release. "The report serves as a reminder that the same apps that you use for legitimate purposes will be attacked and abused. Locking down cloud apps can help to prevent attackers from infiltrating them, while scanning for incoming threats and outgoing data can help block malware downloads and data exfiltration."

By Lance Whitney

Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.