Another monthly Netskope Threat Labs report. This edition is dedicated to healthcare. A public version of the same report is available here.
This report examines the cloud adoption and threat trends affecting organizations in the healthcare sector over the past 12 months, highlighting attackers consistently using social engineering to target users with Trojans via popular cloud apps.
Â
In This Report
Â
Cloud App Adoption: Although Microsoft OneDrive is the most popular app in the healthcare sector, its popularity lags behind that of other industries. The popularity of other Microsoft products was mixed, with SharePoint similarly lagging other industries but Teams leading other industries.
Cloud App Abuse: Microsoft OneDrive was also the most popular app for malware downloads but lagged behind other industries, underscoring that successful malware delivery depends on both adversary tactics and user behavior.
Malware & Ransomware: Among the most prevalent malware families targeting victims in healthcare were the remote access Trojan NjRat, the botnet Amaday, and the infostealer Azorult.
Â
Cloud App Adoption
Â
The average user in the healthcare sector interacts with an average of 22 cloud apps per month. The top 1% of users interacted with 94 apps per month, the highest number of all industries.
Â
Users in the healthcare sector downloaded data from cloud apps at almost the same rate as other industries, with 96% of users downloading data from cloud apps in the healthcare sector versus 94% in other industries. On the other hand, users in healthcare uploaded data at a much lower rate compared to other industries, with 55% of healthcare users uploading data while other industries averaged 68%.
Most Popular Cloud Apps
The top 10 most popular cloud apps in the healthcare sector mirror other industries. Microsoft OneDrive, the most popular app in most industries, led all other apps, but with a much smaller percentage of users than other industries. Only 42% of users in healthcare use Microsoft OneDrive per day, compared to 52% in other industries. Microsoft SharePoint use similarly lagged other industries, but only by 6 points. On the other hand, Microsoft Teams stood out for the opposite reason. Its use in healthcare led other industries by 5 points.
Top Apps Used for Uploads
As expected, with Microsoft OneDrive being the most popular app by a large margin, it is also the app most used for uploading data, with 15% of healthcare users uploading data to OneDrive daily, although similarly lagging behind other industries where OneDrive is more popular.
Top Apps Used for Downloads
Â
Cloud App Abuse
Cloud Malware Delivery
Over the past year, the percentage of malware downloads from cloud apps has decreased gradually from its peak a year ago, hovering around 50%, with approximately half of all malware downloads over HTTP and HTTPS coming from popular cloud apps and the other half coming from regular websites. Throughout this time, the healthcare sector lagged behind other industries but with a narrowing gap. Today, approximately 40% of all malware downloads in the healthcare industry originate from cloud apps, compared to just about 30% a year ago.The abuse of cloud apps allows the malware to fly under the radar and evade regular security controls that rely on tools such as domain block lists or that do not inspect cloud traffic.
Compared to six other industries averaged over the past year, the healthcare sector has the smallest percentage of malware downloads from the cloud.
Cloud Apps Abused for Malware Delivery
A recurring theme throughout this report is that Microsoft OneDrive is the most popular app in the healthcare sector, but its popularity lags behind other industries. In the case of malware delivery, this is no different. The healthcare sector saw more malware downloads originating from OneDrive than from any other cloud app, but at a rate 11 points lower than other industries. Similarly, Microsoft SharePoint is less popular in the healthcare sector and also saw fewer malware downloads than in other sectors. All other apps in the top ten were slightly higher in healthcare compared to other industries.
The fact that both the overall popularity of OneDrive and the incidence of malware downloads from OneDrive were lower in the healthcare sector underscores a critical relationship between these two phenomena. Adversaries abuse Microsoft OneDrive because it is the most popular cloud storage app. Meanwhile, people who regularly use Microsoft OneDrive are more likely to click on links to download files shared with them on that platform. Therefore, the number of malware downloads that Netskope detects and blocks from Microsoft OneDrive is both a reflection of adversary tactics (abusing OneDrive to distribute malware) and victim behavior (their likelihood to click on the links and download the malware).
Â
Top Malware & Ransomware Families
Â
This list contains the top 10 malware and ransomware families detected by Netskope targeting users in the healthcare sector in the last 12 months:
- Backdoor.Zusy (a.k.a. TinyBanker) is a banking Trojan based on the source code of Zeus, aiming to steal personal information via code injection into websites.
- Botnet.Amadey is a botnet that appeared around October 2018 and has been sold in Russian-speaking hacking forums. The malware can collect information from infected computers and send them to the C2 server. It can also receive tasks to be executed by the botnet.
- Botnet.Mirai is one of the most famous botnets targeting exposed networking devices running Linux. Discovered in 2016, this malware has been targeting a wide range of devices such as routers, cameras, and other IoT devices. Since its source code leak, the number of variants of this malware has increased considerably.
- Infostealer.Azorult (a.k.a. PuffStealer) is a malware that aims to steal sensitive information such as account passwords.
- Phishing.PhishingX is a malicious PDF file used as part of a phishing campaign to redirect victims to a phishing page.
- RAT.ComRAT is a second-stage implant used by the Turla threat group. The first version of ComRAT was identified in 2007. The malware can send information to the attacker and receive commands to be executed.
- RAT.NetWiredRC (a.k.a. NetWire RC) is a malware associated with APT33, aimed at providing remote access and stealing sensitive information, like passwords.
- RAT.NjRAT (a.k.a. Bladabindi) is a remote access trojan with many capabilities, including logging keystrokes, stealing credentials from browsers, accessing the victim’s camera, and managing files.
- Trojan.Ursnif (a.k.a. Gozi) is a banking Trojan and backdoor, whose source code was leaked on GitHub in 2005, allowing attackers to create and distribute many variants.
- Trojan.Valyria (a.k.a. POWERSTATS) is a family of malicious Microsoft Office documents that contain embedded malicious VBScripts, usually to deliver other malicious payloads.
Â
Recommendations
Â
This report highlighted increasing cloud adoption, including increased data uploaded to and downloaded from various cloud apps. It also highlighted an increasing trend of attackers abusing various cloud apps, especially popular enterprise apps, to deliver malware (mostly Trojans) to their victims. Netskope Threat Labs recommends organizations in the healthcare sector review their security posture to ensure that they are adequately protected against these trends:
- Inspect all HTTP and HTTPS downloads, including all web and cloud traffic, to prevent malware from infiltrating your network. Netskope customers can configure their Netskope NG-SWG with a Threat Protection policy that applies to downloads from all categories and applies to all file types.
- Ensure that high-risk file types like executables and archives are thoroughly inspected using a combination of static and dynamic analysis before being downloaded. Netskope Advanced Threat Protection customers can use a Patient Zero Prevention Policy to hold downloads until they have been fully inspected.
- Configure policies to block downloads from apps and instances that are not used in your organization to reduce your risk surface to only those apps and instances that are necessary for the business.
- Configure policies to block uploads to apps and instances that are not used in your organization to reduce the risk of accidental or deliberate data exposure from insiders or abuse by attackers.
- Use an Intrusion Prevention System (IPS) that can identify and block malicious traffic patterns, such as command and control traffic associated with popular malware. Blocking this type of communication can prevent further damage by limiting the attacker’s ability to perform additional actions.
- Use Remote Browser Isolation (RBI) technology to provide additional protection when there is a need to visit websites that fall into categories that can present higher risk, like newly observed and newly registered domains.
Â
Netskope Threat Labs
Â
Staffed by the industry’s foremost cloud threat and malware researchers, Netskope Threat Labs discovers, analyzes, and designs defenses against the latest cloud threats affecting enterprises. Our researchers are regular presenters and volunteers at top security conferences, including DefCon, BlackHat, and RSA.
Â
About This Report
Â
Netskope provides threat protection to millions of users worldwide. Information presented in this report is based on anonymized usage data collected by the Netskope Security Cloud platform relating to a subset of Netskope customers with prior authorization.
This report contains information about detections raised by Netskope’s Next Generation Secure Web Gateway (NG-SWG), not considering the significance of the impact of each individual threat. Stats in this report are based on the period starting March 1, 2023 through February 27, 2024. Stats are a reflection of attacker tactics, user behavior, and organization policy.