Weaponising trust: when cyber criminals abuse the business cloud applications we all think are safe

The financial services industry is one of the most heavily regulated in Australia, when it comes to cybersecurity and safety requirements.

As a critical infrastructure, they fall under the SOCI Act that requires the registration of critical infrastructure assets, timely reporting of cyber incidents, and the creation a solid risk management program.

The Prudential Standard CPS 234 brings additional requirements for banks and insurance and superannuation companies, and the Anti-Money Laundering and Counter-Terrorism Financial Act enforced the implementation of additional security measures early on, such as collecting know your customer (KYC) information.

Despite this tight regulatory environment, the industry is not being spared cyber incidents and major data breaches.

At least two incidents that occurred in Australia in the last 18 months should be on every finance professional’s mind and are perfect examples that tight regulations do not shield organisations from human error and complacency.

In recent years, new cyber risks have tested organisational resilience to human error. Some have triggered major cyber incidents and statistics show financial services is among the most heavily targeted industries. What is this newer threat?

Abusing our trust in the cloud

Because we have been using them every day for years, we have developed a high level of natural trust towards them. And yet, they could be the source of major cyber incidents.

“They” are the business cloud applications we have become reliant on to improve and optimise operations in all compartments of our organisations.

A recent report published by Netskope Threat Labs illustrates the extent of this reliance on the cloud within financial organisations: employees in the sector use an average of 23 sanctioned cloud applications per month, the highest average of all researched industries in the report.

As cloud adoption has accelerated, cybercriminals who used to deliver malware mainly via email or web sources saw a new Eldorado for malware delivery in cloud environments.

Once again, the proof is in the numbers. More than half (58 per cent) of malware delivered to workers in financial services in the 12 months to January 2024 was delivered via cloud applications, ranking the sector second only to telcos as the most cloud-targeted industry.

And the most targeted apps are also some of the most popular (and trusted), with OneDrive, Sharepoint, Outlook, and Google Drive all in the top five of the most abused applications for malware delivery.

A single successful malware can have disastrous consequences, leading to stolen employee credentials and allowing cybercriminals to launch various attack patterns such as ransomware or spy on their targets by remaining undetected or injecting spyware in their system.

Attackers can also leverage technical vulnerabilities and weak points in cloud infrastructures, compromise a cloud vendor or discover unsecured cloud sources.

Some are going to the lengths of creating fake cloud applications disguised as legitimate business tools that allow users to sign up with single sign-on, using their Microsoft or Google account credentials, essentially creating a doorway to the organisation’s systems.

The advent of large language models (LLMs) and the democratisation of AI among cyber gangs is also helping threat actors to drastically increase the scale and reach of those tactics and boost the efficiency of their social engineering campaigns with audio or video-generated deepfakes that have never been easier to create.

In a few years, cybercriminals have managed to weaponise our inherent trust in these cloud applications.

Organisations now face the challenge of securing extensive cloud environments, with the largest involving tens of thousands of applications.

Mitigating cloud risks

Cloud adoption is unlikely to recede in financial services, both at a user level, but also at the underlying foundations of the whole ecosystem.

Integrations between various financial systems, whether banking, payment, accounting or brokering are always accelerating, driven by the goal to provide modern financial services to end users.

This makes the whole environment an increasingly complex one to secure. Those integrations are creating a huge ecosystem that increases the potential damage if a single point of entry is compromised by the wrong people.

Therefore, organisations have to look at ways to secure this environment and, for security, to scale as their cloud environment does. Here’s a few ways of doing so:

• Create strong monitoring and threat detection capabilities for cloud environments, ideally with the possibility to create tailored policies
• Consider blocking web sources or cloud applications that are not necessary for employees to do their work or do not have any productivity benefits.
• Continue to educate employees about the different shapes and forms phishing and malware can take, including dodgy web sources or files (pdf, zip, rar, etc.).
• Build capabilities to detect web and cloud traffic on the network that looks dubious.
• Consider security that allows for safe exceptions to allow employees to access riskier websites or cloud applications if this is really necessary for their work.
• When considering integrations, ensure that APIs are secure and vet all external stakeholders that may have direct or indirect access to the organisation’s systems.