Netskope Threat Labs: Threat actors hone in on cloud apps in the telecoms industry

Netskope Threat Labs has published its latest research report, revealing an increasing trend of attackers abusing popular enterprise apps to deliver malware to victims in the telecoms industry. This rising trend is against a backdrop of continued increase in cloud app adoption in the sector, where users engage strongly with a small selection of popular apps, including Microsoft. Tracking with this increased use of cloud apps, telecoms is the biggest victim of cloud-sourced malware by a considerable 7% margin compared to other industries.

Key findings include:

  • Cloud app adoption:
    • Users in the telecoms industry upload and download files to cloud apps at a similar rate to other industries, but tend to interact with fewer cloud apps on average.
    • The average user in telcos interacts with 24 cloud apps per month, with a strong preference for Microsoft apps. Microsoft OneDrive, Teams, and Outlook are the industry’s top three most popular apps.
    • Microsoft OneDrive is also the most popular app for uploading data, with 30% of telecom industry users uploading data to OneDrive daily, 50% more than the average across all industries. Similarly, Microsoft OneDrive is the most popular app for downloads in the telecoms industry, with 35% of users downloading from it.
  • Cloud app abuse:
    • The percentage of malware downloads from telco industry users fell in line with the global trend, bottoming out in the second half of 2023 and beginning to increase again in early 2024.
    • Organisations in the telecoms industry are the biggest victims of cloud-sourced malware by a considerable 7% margin compared to other industries.
    • Microsoft OneDrive and GitHub had the most malware downloads, followed by Outlook. The other apps in the top 10 are similar to those in other industries with only minor differences, including more malware downloads from SourceForce, the open-source software development website and Google Cloud Storage.
  • Malware and ransomware: Among the most prevalent malware families targeting organisations in the telecoms industry were the remote access Trojan Remcos, the downloader Guloader, and the infostealer AgentTesla.

Speaking on the findings, Paolo Passeri, Cyber Intelligence Principal at Netskope said;

“Users in the telecoms industry tend to interact with fewer cloud apps in comparison to other verticals, yet the percentage of malware delivered from the cloud is 7 points higher than the other sectors. This indicates that employees within the sector have a more open attitude to cloud services and this inevitably reflects in a wider exposure to threats. They are more familiar with online tools such as cloud apps and this figure shows that threat actors tend to exploit this familiarity.

“This open attitude towards online services is also visible in the malware families that target telecoms users. In comparison to other verticals, there are many more malware families targeting this sector, with a wide range of threats spanning from IoT (the omnipresent Mirai) to downloaders (BanLoad and Guloader), banking trojans (Grandoreiro), infostealers (such as AgentTesla and Redline), and phishing bait PDF documents.

“Interestingly many of these threats are characterised by the exploitation of authentic and well reputed cloud services throughout different stages of the attack chain: Guloader stores the encrypted payload on legitimate cloud services such as Microsoft OneDrive or Google Drive, Grandoreiro often abuses Microsoft Azure (but also AWS and Google) to deliver the final payload, and even phishing bait PDF documents are often hosted on legitimate cloud storage service to seem more realistic and legitimate.”

The report is based on anonymised usage data collected about a healthcare sector subset of Netskope’s 2,500+ customers, all of whom give prior authorisation for their data to be analysed in this manner.

For the full report, contact Afreen, +91 9353242530,