Netskope Threat Labs has today published its latest research report, focused on cyber threats delivered through cloud applications used in work environments in the insurance sector, and revealing that GitHub was the most popular cloud app abused to deliver malware. The report also identified a continued increase in cloud app adoption in the insurance sector, and analysed the top malware families that are seen to be targeting it.
Cloud App Adoption
Cloud apps are ubiquitous in the enterprise, with the average user interacting with 24 different cloud apps every month. The top six apps make clear the strong preference for Microsoft apps in the insurance industry. These apps were not only the most used, but also cover a broad range of functions such as storage, email, and messaging.
Apps like Microsoft Teams, OneDrive, and SharePoint are common in most industries, but Insurance stands out with Microsoft apps dominating the top six.
The number of cloud apps in use, especially the combination of enterprise and personal apps, underscores the importance of insurance organizations having policies that ensure the safe handling of sensitive data.
Cloud Apps Abused for Malware Delivery
Because adversaries deliver malware through many different channels, organizations in Insurance must ensure that they have security controls to block malware downloads over the most popular apps. Approximately half of all global HTTP/HTTPS malware downloads originate from popular cloud apps, with the other half originating from different locations on the web. This section highlights the apps with the most malware downloads that were blocked by Netskope over the past year.
The most popular apps around the world are also among the top apps in terms of the number of malware downloads, reflecting adversary tactics (adversaries tend to abuse top apps because of their popularity), user behavior (users interact with popular apps more frequently), and organizational policy (organizations tend to allow popular apps). The top two apps with the most malware downloads, GitHub and OneDrive, have very similar numbers in terms of malware downloads.
Top Malware Families
This list contains the top five malware and ransomware families detected by Netskope targeting users in Insurance over the last 12 months:
- Backdoor.Zusy (a.k.a. TinyBanker) is a banking Trojan based on the source code of Zeus, aiming to steal personal information via code injection into websites.
- Downloader.BanLoad is a Java-based downloader widely used to deliver a variety of malware payloads, especially banking Trojans.
- Infostealer.AgentTesla is a .NET-based RAT with many capabilities, such as stealing browser passwords, capturing keystrokes and clipboard contents, and more.
- Trojan.Grandoreiro is a LATAM banking Trojan with the goal of stealing sensitive banking information, commonly targeting Brazil, Mexico, Spain, and Peru.
- Phishing.PhishingX is a malicious PDF file used as part of a phishing campaign to redirect victims to a phishing page.
Key findings include:
- Cloud app adoption:
  - Employees in the insurance sector regularly interact with an average of 24 different cloud apps each month. Among these, Microsoft tools such as OneDrive, Teams, SharePoint, and Copilot are highly favoured. These apps were not only the most used, but also cover a broad range of functions such as storage, email, and messaging.
  - While Microsoft Teams, OneDrive, and SharePoint are all widely used across various other industries, the insurance industry stands out for the fact that Microsoft apps dominate all of the top six spots.
- Cloud apps abused for malware delivery:
  - Among insurance companies, the three cloud apps that provided entry for the most malware downloads were GitHub, OneDrive, and SharePoint.
  - GitHub had almost twice as many malware downloads in the insurance industry compared to other industries.
- Top malware families:
  - The top five malware and ransomware families targeting users in insurance in the last 12 months are: Backdoor.Zusy (a.k.a. TinyBanker); Downloader.BanLoad; Infostealer.AgentTesla; Trojan.Grandoreiro; and Phishing.PhishingX.
Speaking on the findings, Paolo Passeri, Cyber Intelligence Principal at Netskope, said:
“GitHub’s role as the most exploited cloud app in the insurance sector is notable, given its growing misuse by threat actors for supply chain attacks. Attackers increasingly create malicious projects or packages, using typosquatting to mimic legitimate content and deceive their victims, and host them on GitHub. In some cases, attackers even compromise genuine projects, posing a serious threat if a fintech package is infected with malware.
These attacks can target multiple organisations at once, maximising the attackers’ return on investment with minimal effort, which explains their rising popularity. As GitHub gains traction both among organisations and cybercriminals, it’s poised to replace cloud platforms more traditionally targeted by threat actors, like Microsoft OneDrive, and impact other industries as well.”
Netskope Threat Labs recommends organisations in the insurance sector review their security posture to ensure that they are adequately protected against these trends:
- Inspect all HTTP and HTTPS downloads, including all web and cloud traffic, to prevent malware from infiltrating your network.
- Ensure that high-risk file types, like executables and archives, are thoroughly inspected using a combination of static and dynamic analysis before being downloaded. Configure policies to block downloads from apps and instances that are not used in your organisation to reduce your risk surface to only those apps and instances that are necessary for the business.
- Configure policies to block uploads to apps and instances that are not used in your organisation to reduce the risk of accidental or deliberate data exposure from insiders or abuse by attackers.
- Use an Intrusion Prevention System (IPS) that can identify and block malicious traffic patterns, such as command and control traffic associated with popular malware. Blocking this type of communication can prevent further damage by limiting the attacker’s ability to perform additional actions.
- Use Remote Browser Isolation (RBI) technology to provide additional protection when there is a need to visit websites that fall into categories that can present higher risk, like newly observed and newly registered domains.
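The instance-aware download and upload policy from the recommendations above, as an added example that is not Netskope's code or configuration: it assumes a hypothetical, constructed inventory of sanctioned instances (a GitHub org and OneDrive/SharePoint tenant hosts) and routes high-risk file types from sanctioned instances to inspection rather than releasing them directly.

```python
from dataclasses import dataclass
from urllib.parse import urlparse
import posixpath

# Constructed, hypothetical inventory of the instances this organisation actually uses
# (GitHub org names; OneDrive/SharePoint tenant hosts). Anything else is "unsanctioned".
SANCTIONED_INSTANCES = {
    "github": {"examplecorp-insurance"},
    "onedrive": {"examplecorp-my.sharepoint.com"},
    "sharepoint": {"examplecorp.sharepoint.com"},
}
# File types the report singles out as high-risk: executables and archives.
HIGH_RISK_EXTENSIONS = {".exe", ".dll", ".msi", ".scr", ".zip", ".rar", ".7z", ".iso"}


@dataclass
class Verdict:
    action: str  # "allow", "block" or "inspect" (static + dynamic analysis before release)
    reason: str


def classify(url):
    """Map a URL to (app, instance); (None, None) for traffic that is not a tracked cloud app."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    segments = [s for s in parsed.path.split("/") if s]
    if host in ("github.com", "raw.githubusercontent.com"):
        # GitHub's instance is the owning org/user: the first path segment.
        return "github", (segments[0].lower() if segments else None)
    if host.endswith("-my.sharepoint.com"):  # personal OneDrive tenant host
        return "onedrive", host
    if host.endswith(".sharepoint.com"):  # SharePoint tenant host
        return "sharepoint", host
    return None, None


def evaluate(url, direction):
    """Apply the instance-aware policy. direction is 'download' or 'upload'."""
    app, instance = classify(url)
    ext = posixpath.splitext(urlparse(url).path)[1].lower()
    if app is None:
        # Plain web traffic: every download is still inspected; uploads fall outside this policy.
        return Verdict("inspect" if direction == "download" else "allow", "non-cloud-app web traffic")
    if instance not in SANCTIONED_INSTANCES[app]:
        # Unsanctioned instance: blocked in both directions (malware in, data out).
        return Verdict("block", f"{direction} via unsanctioned {app} instance {instance!r}")
    if direction == "download" and ext in HIGH_RISK_EXTENSIONS:
        return Verdict("inspect", f"high-risk file type {ext} from sanctioned {app} instance")
    return Verdict("allow", f"sanctioned {app} instance {instance!r}")
```

The host-to-app mapping covers only the hosts named in the code; a production proxy would rely on its own app catalogue and would hand "inspect" verdicts to the analysis engine before releasing the file.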
For the full report, please visit here.