Attacks on Cloud Services Increased by 630% Between January and April

COVID-19 has forced businesses to close their offices and allow employees to work from home. Cloud services have been provisioned to support home working, and communication solutions such as Zoom, Cisco WebEx, and Microsoft Teams have allowed remote workers to collaborate effectively.

A recently published report from cybersecurity company McAfee shows business use of cloud services increased by 50% in the first 4 months of 2020 and collaboration services saw an increase of 600% in usage during the same period. These solutions have allowed businesses to continue to operate, and many have reported productivity has actually improved during the pandemic; however, the rapid change to a largely at-home workforce has introduced vulnerabilities and cybercriminals have taken advantage.

Attacks on Cloud Services Have Surged During the Pandemic

An analysis of data from over 30 million McAfee cloud customers revealed cyberattacks on cloud services increased by 630% between January and April, 2020.

Threats to cloud services were split into two main categories: excessive usage from an anomalous location and suspicious superhuman. The first involves a login from a location not previously detected, after which the threat actor initiates high-volume data access and privileged access activity. Suspicious superhuman is the name given to a login attempt from one location followed by another from a geographically distant location, in a time frame shorter than the minimum time to travel from one location to the other.
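The suspicious superhuman check can be expressed as a speed test over consecutive sign-ins for the same account. The following is an added example, not McAfee's detection logic or code from the report; the event fields, the 900 km/h speed ceiling, and the 100 km minimum distance are assumptions chosen for illustration, and the sign-in events are constructed.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling: roughly airliner cruise speed
MIN_KM = 100.0   # assumed floor: ignore geo-IP jitter within one metro area

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def superhuman_logins(events, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Return (user, earlier_city, later_city, km, required_kmh) for each consecutive
    pair of logins by one user that implies travel faster than max_kmh."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["time"])
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(prev["geo"], cur["geo"])
            if km < min_km:
                continue
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            # Simultaneous logins from distant places would need infinite speed.
            kmh = float("inf") if hours == 0 else km / hours
            if kmh > max_kmh:
                alerts.append((user, prev["city"], cur["city"], round(km), kmh))
    return alerts

def _ev(user, ts, city, lat, lon):
    return {"user": user, "time": datetime.fromisoformat(ts), "city": city, "geo": (lat, lon)}

# Constructed sample sign-in events (not real data).
SAMPLE = [
    _ev("alice", "2020-04-02T09:00:00", "London", 51.5074, -0.1278),
    _ev("alice", "2020-04-02T09:40:00", "Moscow", 55.7558, 37.6173),  # ~2500 km in 40 min
    _ev("bob", "2020-04-02T08:00:00", "Boston", 42.3601, -71.0589),
    _ev("bob", "2020-04-02T17:00:00", "London", 51.5074, -0.1278),    # 9 h apart: plausible flight
    _ev("carol", "2020-04-02T10:00:00", "Austin", 30.2672, -97.7431),
    _ev("carol", "2020-04-02T10:00:00", "Tokyo", 35.6762, 139.6503),  # same second
]

if __name__ == "__main__":
    print(*superhuman_logins(SAMPLE), sep="\n")
```

In practice the location comes from geo-IP data, so VPN and mobile-carrier egress points produce false positives that need an allowlist or a corroborating signal before an alert is raised.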

McAfee’s analysis indicates the majority of attacks on cloud services are opportunistic rather than targeted and mostly consist of password spraying attacks, where stolen credentials are used to try to gain access to cloud resources.

Targeted attacks tend to be conducted by threat actors in China, Iran, and Russia. These hackers have extensive infrastructure and are well funded, and can therefore conduct high volumes of attacks. The McAfee Cloud Adoption & Risk Report confirmed the healthcare industry has been heavily targeted during the pandemic and is the second most targeted vertical behind financial services. 198 million IP addresses in Russia (111M), China (73M), and Iran (14M) were used in attacks on the healthcare industry during the first four months of 2020. The high number of attacks shows why it is important for healthcare providers to continuously monitor cloud activity and block attempts by malicious actors to gain access to their sensitive cloud data.

Working from home without direct supervision has not increased insider threats, according to McAfee. Insider threats have remained at the same level as before the pandemic. The rise in attacks on cloud services is mostly due to external actors.

Change in Business Operations Requires Changes to Security Solutions

The problem for many businesses is they have adopted cloud services to support remote working but are still using legacy security and networking solutions in a hub-and-spoke network. While these cloud services can be accessed directly, many organizations require employees to log in to their network infrastructure to access those services, often through a VPN.

Unfortunately, while the VPN solutions that were implemented prior to the pandemic were fine for small numbers of employees, they have struggled to cope with such a rapid increase in remote employees. Connection issues have meant many employees have experienced difficulties accessing data through VPNs. As a result, employees often take shortcuts and access cloud services such as Microsoft 365 directly. That means they bypass the security solutions in the organization’s data center, which increases risk.

“Securing a remote workforce shifts the major security focus control points to the device and cloud. A cloud-native approach to delivering security will provide the most complete coverage, capable of reaching devices off-network and connecting to cloud services directly,” explained McAfee.

McAfee recommends using a cloud-based secure web gateway to protect against web-based threats and permitting users to connect to sanctioned cloud services directly rather than requiring the use of a VPN, with data protected using a cloud access security broker (CASB). The CASB can be configured to perform device checks, implement data controls, and protect against attackers who can access SaaS accounts via the internet, including through multi-factor authentication to reduce the risk of stolen credentials being used to access cloud resources.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.