Attackers are increasingly abusing cloud applications to deliver malware to telcos
Almost two-thirds (62%) of malware downloads in telecoms came from cloud apps compared to just over half (53%) in other industries. This comes at a time when telcos are increasingly moving workloads to the cloud. Abusing cloud apps for malware delivery enables attackers to evade security controls that rely primarily on domain block lists and URL filtering, or that do not inspect cloud traffic.
The findings were in the latest Threat Labs report from SASE firm Netskope. The average user in the telecom sector interacts with 24 different cloud apps per month, which is on par with other industries. The Microsoft apps OneDrive, Teams, SharePoint, and Outlook.com are all more popular in telecom, while the Google apps Drive and Gmail are all less popular.
OneDrive is the most popular app in the telecom industry by a large margin, with 54% of all telecom users accessing OneDrive each day, compared to 46% of users in other industries. Other Microsoft products including Teams, SharePoint, and Outlook.com are also more popular in the telecom industry.
This makes it both a useful app for attackers seeking to target a wide variety of organisations using the same app and makes it more likely that the malicious payloads would reach their targets.
In the past 12 months, Microsoft OneDrive was the most popular cloud app abused for malware downloads in the telecom sector, representing 29% of all cloud malware downloads, compared to 22% in other industries.
Other top apps for malware downloads include free software hosting sites (GitHub), collaboration apps (SharePoint), free web hosting services (Weebly, Squarespace), cloud storage apps (Azure Blob Storage, Google Drive, MediaFire), and webmail apps (Outlook.com, Google Gmail).
Wedded to Microsoft
Telecom also stood out for having more users downloading files from OneDrive and SharePoint than other industries. Of the cloud storage solutions provided by the big three IaaS cloud providers, Google Cloud Storage is more popular, Amazon S3 is as popular, and Azure Blob Storage is less popular compared to other industries.
The telecom sector tied the financial services industry for having the highest percentage of cloud malware downloads. The top apps with malware downloads are the cloud storage apps Microsoft OneDrive, Azure Blob Storage, Google Drive, and MediaFire.
Users in telecom downloaded data from cloud apps at a slightly higher rate than other industries, with 95% of users downloading data from cloud apps in telecom, compared to 93% in other industries. Telecom led other sectors by an even larger margin in uploads, with 74% of users uploading data monthly compared to 65% in other industries.
Top malware types
The most common malware type detected by Netskope in the telecom industry in the last 12 months were Trojans, which are commonly used by attackers to gain an initial foothold and deliver other types of malware, such as infostealers, remote access Trojans, backdoors, and ransomware. The second most common were file-based exploits.
Rounding out the top five are infostealers, backdoors, and downloaders. File-based exploits, backdoors, and downloaders were all much more common in the telecom industry compared to other industries.
CrowdStrike also sees telcos under attack
In its latest Threat Hunting Report, cybersecurity firm CrowdStrike said telecommunications was the third most targeted industry overall and the second most targeted industry by nation-state actors: technology (21%), telecommunications (17%), government (13%), financial (11%), and services (7%).
As telcos adopt more cloud-based technologies, adversaries are becoming more adept at exploiting misconfigurations and abusing cloud management tools. There’s been a 95% rise in cloud attacks and a 160% increase in credential theft via cloud instance metadata APIs.
Adversaries are doubling down on identity-based attacks; 62% of interactive intrusions involved the abuse of valid accounts, while there was a 160% increase in attempts to gather secret keys and other credentials via cloud instance metadata APIs.
Additionally alarming was a 583% increase in Kerberoasting attacks, yet another technique adversaries can abuse to obtain valid credentials for Active Directory service accounts – and telcos are big Microsoft users – often providing actors with higher privileges and allowing them to remain undetected in victim environments for longer periods of time.
Telecommunications was also the second most targeted industry for Linux-based interactive intrusion activity, with technology being first and academic being third.