A report from Netskope Threat Labs has warned that threat actors are increasingly using cloud apps to target healthcare organisations with cloud malware delivery – rising from 38% to 42% in the past 12 months.
Despite the increase, healthcare has a reasonably low number of cloud malware downloads, when compared to other sectors. At the bottom end of the scale, the technology industry averaged 37% cloud malware downloads, compared to healthcare’s 40% average. In contrast, the telecom industry averaged 79% malware sourced from the cloud.
The report identified how attackers are most commonly targeting popular enterprise apps like Microsoft OneDrive. In the past year, the popular cloud app represented 17% of all cloud malware downloads within healthcare organisations.
Its widespread adoption within healthcare makes it a prime target for attackers who are seeking to attack a wide variety of organisations using the same toolset. It also makes it more likely that the malicious payloads would reach their targets.
Last year a major cyber attack left some trusts without access to all of Advanced’s health and care solutions, after attackers deployed LockBit 3.0 malware.
With the growing use of cloud applications, more data is being uploaded to and downloaded from a wide variety of cloud-based apps. This allows attackers to evade security controls that rely primarily on domain block lists and URL filtering, as well as those that do not inspect cloud traffic.
Netskope Threat Labs make a number of recommendations to help healthcare organisations review their security posture to ensure they’re adequately protected.
- Inspecting all HTTP and HTTPS downloads, including all web and cloud traffic, to prevent malware from infiltrating networks.
- Ensuring high-risk file types, such as executables and archives, are thoroughly inspected using a combination of static and dynamic analysis before download.
- Configuring policies to block downloads from apps and instances not used in the organisation, to reduce risk surface.
- Configuring policies to block uploads from apps and instances not used in the organisation, to minimise the risk of accidental or deliberate data exposure.
- Using an Intrusion Prevention System (IPS) to identify and block malicious traffic patterns, preventing further damage by limiting the attacker’s ability to perform additional actions.