Netskope Threat Labs: GitHub tops list of cloud apps abused for malware delivery in the insurance sector

Netskope Threat Labs has published its latest research report, focused on cyber threats delivered through cloud applications used in insurance-sector work environments. It reveals that GitHub was the cloud app most often abused to deliver malware to insurance users. The report also identifies continued growth in cloud app adoption across the sector and analyses the top malware families observed targeting it.

Key findings include:

  • Cloud app adoption:
    • Employees in the insurance sector interact with an average of 24 different cloud apps each month. Microsoft tools such as OneDrive, Teams, SharePoint and Copilot are the most popular: they are not only the most used apps, but also span a wide range of functions, including storage, email and messaging.
    • While Microsoft Teams, OneDrive and SharePoint are widely used across many other industries, the insurance sector stands out in that Microsoft apps occupy all of the top six spots.
  • Cloud apps abused for malware delivery:
    • Among insurance companies, the three cloud apps through which the most malware downloads arrived were GitHub, OneDrive and SharePoint.
    • GitHub saw almost twice as many malware downloads in the insurance industry as in other industries.
  • Top malware families:
    • The top five malware and ransomware families targeting insurance users in the last 12 months are Backdoor.Zusy, Downloader.BanLoad, Infostealer.AgentTesla, Trojan.Grandoreiro and Phishing.PhishingX.

Speaking on the findings, Paolo Passeri, Cyber Intelligence Principal at Netskope said: “GitHub’s role as the most exploited cloud app in the insurance sector is notable, given its growing misuse by threat actors for supply chain attacks. Attackers increasingly create malicious projects or packages, using typosquatting to mimic legitimate content and deceive their victims, and host them on GitHub. In some cases, attackers even compromise genuine projects, posing a serious threat if a fintech package is infected with malware. 

These attacks can target multiple organisations at once, maximising the attackers’ return on investment with minimal effort, which explains their rising popularity. As GitHub gains traction both among organisations and cybercriminals, it’s poised to replace cloud platforms more traditionally targeted by threat actors, like Microsoft OneDrive, and impact other industries as well.”

Netskope Threat Labs recommends organisations in the insurance sector review their security posture to ensure that they are adequately protected against these trends:

  • Inspect all HTTP and HTTPS downloads, including all web and cloud traffic, to prevent malware from infiltrating your network.
  • Ensure that high-risk file types, such as executables and archives, are thoroughly inspected using a combination of static and dynamic analysis before they are allowed through to the endpoint. Configure policies to block downloads from apps and app instances that are not used in your organisation, reducing your risk surface to only the apps and instances the business needs.
  • Configure policies to block uploads to apps and app instances that are not used in your organisation, to reduce the risk of accidental or deliberate data exposure by insiders and of abuse by attackers.
  • Use an Intrusion Prevention System that can identify and block malicious traffic patterns, such as command and control traffic associated with popular malware. Blocking this type of communication can prevent further damage by limiting the attacker’s ability to perform additional actions.
  • Use Remote Browser Isolation technology to provide additional protection when there is a need to visit websites that fall into categories that can present higher risk, like newly observed and newly registered domains.
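The recommendations above hinge on one distinction that generic URL filtering misses: the same app (GitHub, OneDrive, SharePoint) hosts both the instance your business sanctions and the instances an attacker controls. The following policy evaluator is an added example, written for this article and not Netskope's code or any product's configuration. It assumes a hypothetical insurer whose sanctioned instances are the GitHub organisation `contoso-insurance`, the OneDrive tenant `contoso-my.sharepoint.com` and the SharePoint tenant `contoso.sharepoint.com`; it identifies a GitHub instance by the owning org in the URL path and a Microsoft instance by the tenant hostname, which is a simplification of how a real proxy or CASB attributes instances. The sample web events and the `newly_registered_domain` category label are constructed for the demonstration.

```python
from dataclasses import dataclass
from urllib.parse import urlparse
import posixpath

# Constructed policy for a hypothetical insurer: the only app instances the business sanctions.
SANCTIONED_INSTANCES = {
    "github": {"contoso-insurance"},               # GitHub org that owns corporate repos
    "onedrive": {"contoso-my.sharepoint.com"},     # corporate OneDrive tenant
    "sharepoint": {"contoso.sharepoint.com"},      # corporate SharePoint tenant
}

# High-risk file types that must pass static and dynamic analysis before release to the endpoint.
HIGH_RISK_EXTENSIONS = {".exe", ".dll", ".msi", ".scr", ".zip", ".7z", ".rar", ".iso",
                        ".js", ".vbs", ".ps1"}

# Proxy URL categories that should only be opened inside remote browser isolation.
ISOLATE_CATEGORIES = {"newly_registered_domain", "newly_observed_domain"}


@dataclass
class WebEvent:
    user: str
    url: str
    direction: str        # "download" or "upload"
    category: str = ""    # URL category supplied by the proxy, if any (assumed field)


def classify_app(host):
    """Map a hostname to one of the three apps the report calls out, or None."""
    if host in ("github.com", "raw.githubusercontent.com"):
        return "github"
    if host.endswith("-my.sharepoint.com"):
        return "onedrive"
    if host.endswith(".sharepoint.com"):
        return "sharepoint"
    return None


def instance_of(app, url):
    """Identify the app instance. Assumption: GitHub = first path segment (org or user),
    OneDrive/SharePoint = tenant hostname."""
    p = urlparse(url)
    if app == "github":
        parts = [s for s in p.path.split("/") if s]
        return parts[0].lower() if parts else ""
    return (p.hostname or "").lower()


def is_high_risk(path):
    return posixpath.splitext(path)[1].lower() in HIGH_RISK_EXTENSIONS


def decide(event):
    """Return (action, reason). Actions: isolate, block, inspect, allow."""
    p = urlparse(event.url)
    host = (p.hostname or "").lower()
    if event.category in ISOLATE_CATEGORIES:
        return ("isolate", f"open in remote browser isolation: {event.category}")
    app = classify_app(host)
    if app is None:
        # No instance policy for this host; high-risk downloads still go to analysis.
        if event.direction == "download" and is_high_risk(p.path):
            return ("inspect", f"high-risk file type from generic host {host}")
        return ("allow", "no instance policy applies")
    inst = instance_of(app, event.url)
    if inst not in SANCTIONED_INSTANCES[app]:
        # Unsanctioned instance of a sanctioned app: blocked in both directions, which
        # covers a typosquatted GitHub org as well as a personal OneDrive used for exfiltration.
        return ("block", f"{event.direction} via unsanctioned {app} instance {inst!r}")
    if event.direction == "download" and is_high_risk(p.path):
        return ("inspect", f"high-risk file type from sanctioned {app} instance {inst!r}")
    return ("allow", f"sanctioned {app} instance {inst!r}")


def evaluate(events):
    return [(e.user, *decide(e)) for e in events]


# Constructed sample traffic, not real log data.
SAMPLE_EVENTS = [
    WebEvent("alice", "https://github.com/contoso-insurance/claims-tool/releases/download/v2.1/claims-tool.zip", "download"),
    WebEvent("bob", "https://github.com/c0ntoso-insurance/claims-tool/releases/download/v2.1/claims-tool.exe", "download"),
    WebEvent("bob", "https://acme-my.sharepoint.com/personal/bob_acme_com/Documents/policyholders.xlsx", "upload"),
    WebEvent("carol", "https://contoso.sharepoint.com/sites/claims/Shared%20Documents/report.pdf", "download"),
    WebEvent("dave", "https://portal-update-login.example/claims", "download", "newly_registered_domain"),
    WebEvent("erin", "https://raw.githubusercontent.com/contoso-insurance/scripts/main/setup.ps1", "download"),
    WebEvent("frank", "https://cdn.example.net/installer.msi", "download"),
]

if __name__ == "__main__":
    for user, action, reason in evaluate(SAMPLE_EVENTS):
        print(f"{user:6} {action:8} {reason}")
```

The second event is the case the report's GitHub finding is about: a one-character org name change (`c0ntoso-insurance`) is blocked by instance policy even though `github.com` itself is sanctioned and the file would otherwise be a routine release download. Note that sanctioned instances are not trusted outright; downloads of archives and scripts from the corporate org are still routed to analysis, which is the only defence if a genuine project is compromised.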