Netskope Threat Labs publishes a quarterly summary blog post of the top threats we track on the Netskope platform. This post aims to provide strategic, actionable intelligence on active threats against enterprise users worldwide.
Resumen
- OneDrive and SharePoint were on the top of the list of top cloud apps used for malware downloads. GitHub takes third place, being used quite often to download post-exploitation tools.
- The top malware families active in the past quarter included the Infostealer AgentTesla and the Trojan ZLoader.
Entrega de malware en la nube
Attackers attempt to fly under the radar by delivering malicious content via popular cloud apps. Abusing cloud apps for malware delivery enables attackers to evade security controls that rely primarily on domain block lists and URL filtering or don’t inspect cloud traffic.
Los atacantes logran el mayor éxito en llegar a los usuarios empresariales cuando abusan de las aplicaciones en la nube que ya son populares en la empresa. Microsoft OneDrive, la aplicación empresarial en la nube más popular, ha vuelto a ocupar el primer puesto en descargas de Malware, que ha mantenido durante más de seis meses.
The top three apps have remained largely unchanged compared to the apps used in the last quarter. When comparing the app usage of this quarter with our last report we noticed a slight increase of SharePoint and GitHub usage. For GitHub specifically the Threat Labs team has been observing it being used to download post-exploitation tools such as Mimikatz and Sharphound. These tools are a good indicator to tell that a threat actor might be already in the environment and that some action needs to be performed in the network.
The top 10 list below reflects attacker tactics, user behavior, and company policy.
Top Malware Families
The following list contains the top malware families blocked by Netskope between April 1 and July 1:
- Downloader.Guloader is a small downloader known for delivering remote access Trojans and infostealers, such as AgentTesla, Formbook, and Remcos.
- Infostealer.AgentTesla is a .NET-based remote access Trojan with many capabilities, such as stealing browsers’ passwords, capturing keystrokes, clipboard, etc.
- RAT.AsyncRAT is an open-source remote administration tool released on GitHub in 2019, designed to remotely control computers via encrypted connection.
- Trojan.ZLoader (a.k.a, DELoader) is a modular trojan based on the leaked ZeuS source code. The malware is capable of performing tasks like capturing screenshots, stealing banking information, providing VNC access, and more.
- Trojan.Grandoreiro is a LATAM banking trojan with the goal of stealing sensitive banking information, commonly targeting Brazil, Mexico, Spain, and Peru.
Recomendaciones
Attackers have always sought to evade detection and avoid suspicion in delivering malware. Netskope Threat Labs recommends that you review your security posture to ensure that you are adequately protected against both of these trends:
- Inspeccione todas las descargas HTTP y HTTPS, incluido todo el tráfico de Web y de la nube, para evitar que Malware se infiltre en su red. Netskope los clientes pueden configurar su Netskope NG-SWG con una Política de protección frente a amenazas que se aplica a las descargas de todas las categorías y se aplica a todos los tipos de archivos.
- Asegúrese de que los controles de seguridad inspeccionen de forma recursiva el contenido de los archivos de almacenamiento populares, como los archivos ZIP, en busca de contenido malintencionado. Netskope Advanced Threat Protection inspecciona recursivamente el contenido de archivos comprimidos, incluidos ISO, TAR, RAR, 7Z y ZIP.
- Asegúrese de que los tipos de archivos de alto riesgo, como los ejecutables y los archivos comprimidos, se inspeccionan mediante análisis estáticos y dinámicos antes de ser descargados. Los clientes deNetskope Advanced Threat Protection pueden utilizar una Política de Prevención de Paciente Cero para retener las descargas hasta que hayan sido completamente inspeccionadas.
- Configure policies to block downloads from apps that are not used in your organization to reduce your risk surface to only those apps and instances that are necessary for the business.
- Configure policies to block download of known post-exploitation tools that are not used in your organization and generate a high risk alert if an unauthorized tool is downloaded since this one might indicate the later phases of an attack.
- Block downloads of all risky file types from newly registered domains and newly observed domains.
Además de las recomendaciones anteriores, la tecnología Remote Browser Isolation (RBI) puede proporcionar una protección adicional cuando exista la necesidad de visitar sitios web que pertenezcan a categorías que presenten un mayor riesgo, como Dominios Recién Observados y Dominios Recién Registrados.
Acerca de este informe
Netskope provides threat and data protection to millions of users worldwide. Information presented in this report is based on anonymized usage data collected by the Netskope Security Cloud platform relating to a subset of Netskope customers with prior authorization. This report contains information about detections raised by Netskope’s Next Generation Secure Web Gateway (SWG), not considering the significance of the impact of each threat. Stats in this report are based on the period starting April 1, 2024 through July 1, 2024. Stats reflect attacker tactics, user behavior, and organization policy.