40% of Malware Infections in Healthcare Originate from Cloud Apps
Microsoft OneDrive is the most popular cloud app in healthcare, and it is also one of the most popular for malware downloads, according to the latest Netskope Threat Labs Report for the healthcare industry. Healthcare workers typically use 22 apps each month, and 42% of healthcare workers use OneDrive on any given day. The popularity of cloud apps makes them ideal vehicles for malware delivery and since OneDrive is the most commonly used cloud app, threat actors abuse it more than other apps for delivering malware. Other cloud apps and instances that are commonly used to deliver malware include GitHub, Outlook.com, Weebly, Azure Blob Storage, DocPlayer, Google Drive, Amazon S3, SharePoint, and Zendesk. Across all industry sectors, SharePoint is commonly abused to deliver malware but much less so in healthcare because it is used much less frequently. Netskope explained that the more often a cloud app is used, the more likely a user is to open a file that has been shared with them via that app.
By abusing cloud apps to deliver malware, threat actors can evade security controls such as domain block lists and security solutions that do not inspect cloud traffic. According to Netskope’s data, almost 40% of all malware downloads in the healthcare industry originate from cloud apps, up from 30% in 2023. While malware delivery via cloud apps is increasing in healthcare, healthcare has the smallest percentage of malware downloads from the cloud compared to other industries represented in the data. The low percentage of malware deliveries via OneDrive compared to other sectors is most likely due to OneDrive being used more extensively in other sectors.
The Netskope Threat Labs Report is based on anonymized usage data collected by the Netskope Security Cloud platform and malware detections by Netskope’s Next Generation Secure Web Gateway (NG-SWG), with the data for the report collected between March 1, 2023, and February 27, 2024. The most common malware families used in attacks on healthcare organizations were the remote access Trojan NjRat, the botnet Amaday, and the Infostealer Azorult. NjRat allows threat actors to log keystrokes, steal credentials from browsers, access the victim’s camera, and manage files. Amadey botnet malware can receive tasks to be executed by the botnet and collects information from infected computers and sends it to the C2 server. Azorult is an information stealer that primarily is used to steal credentials.
With usage of cloud apps rising, threat actors are increasingly using cloud apps for malware delivery. Netskope recommends that healthcare organizations should review their security posture to ensure they are adequately protected against malware delivery via cloud apps, and should ensure they are inspecting all HTTP and HTTPS downloads and web and cloud traffic, subjecting executable file types to extensive static and dynamic analysis before downloading, blocking downloads from apps and instances that are not used by the organization, using an intrusion prevention system that can identify and block malicious traffic patterns, and should consider using remote browser isolation technology when websites need to be visited that carry a higher risk of malware infections, such as newly created and newly registered websites.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
