Security Experts:

With the 'Great Resignation' Comes the 'Great Exfiltration'

Research shows the “Great Resignation” phenomenon is accompanied by a “Great Exfiltration” as people leave their jobs and take company data with them

As business has moved to the cloud, so has crime. Cloud apps are now the primary source of malware downloads. In 2020, 46% of malware came from the cloud. This rose to 66% in Q4 2021 (peaking at 73% during the year).

The reason is simple – it is cheap and easy to host malware in cloud apps, and users have an inherent trust in well-known names like Google Drive, Microsoft OneDrive and Box. The criminal simply opens an account, uploads a malicious document to the account, and then uses social engineering and phishing techniques to persuade potential victims to download the document.

In its Cloud and Threat Report, January 2022 (PDF download), Netskope notes that Google Drive has replaced OneDrive as the primary source for malware hosting. There is no apparent reason for this change beyond the cyclical nature of criminal behavior. “We don’t yet know which cloud app will prove most popular in 2022,” Ray Canzanese, Netskope’s threat research director told SecurityWeek, “but we can be almost certain it won’t still be Google Drive.” He noted that the number of cloud apps with malware downloads has increased from 91 to 230.

The figures come from the telemetry of a subset of users of the Netskope Cloud Security platform, which is used to protect millions of users around the world.  

[ READ: Is the 'Great Resignation' Impacting Cybersecurity? ]

Thirty-seven percent (up from 19%) of malware downloads are now associated with Microsoft Office documents. This began with the Emotet malspam campaign in Q2 2020 and copycat attackers have continued the growth for the last six quarters – with no sign of a slowdown.

Apart from malware downloads, cloud apps are also subject to a high number of credential stuffing attacks where criminals seek to access stored confidential data. The quantity of such attacks during 2021 has not varied significantly from 2020, but the sources have changed. In 2020, Thailand was the most popular geographic source for credential stuffing attacks at 18%. In 2021, Thailand was replaced by the U.S.A. (19%), with Thailand dropping to sixth position at just 3%. The reason may simply be indicative of an increasing number of compromised systems in the U.S.

Canzanese told SecurityWeek that the attacks themselves are largely unsophisticated, with the attackers simply testing out the most common passwords.

One side-effect discovery from the research is that the current Great Resignation (GR) phenomenon is accompanied by a Great Exfiltration process. Whatever the precise reason for the GR – whether it’s a work/life revaluation allowed by lockdown timeouts, or the realization of many more opportunities resulting from the growth in remote working – its reality remains. More people are leaving their jobs and moving on.

“In 2021, attrition doubled,” says the report, “with 8% of employees leaving their jobs, compared to 4% in 2020.” It’s a double whammy for business – not only are they losing staff, but the leavers are taking corporate data with them. In the final 30 days of employment, leavers have been downloading far more data than usual. During this period, 29% of leavers downloaded more data, and 15% uploaded more data to personal cloud apps. 

“Of the users who uploaded more files to personal apps in their final 30 days,” says the report, “half uploaded more than 5x their normal data volume, 8% uploaded more than 100x their usual data volume, and 1% uploaded more than 1000x their baseline,” This cannot be co-incidental, and indicates a significant and deliberate movement of company data into personal accounts prior to leaving the company.

“The increasing popularity of cloud apps has given rise to three types of abuse,” summarizes Canzanese: “attackers trying to gain access to victim cloud apps, attackers abusing cloud apps to deliver malware, and insiders using cloud apps for data exfiltration.” It is, he continued, “a reminder that the same apps that you use for legitimate purposes will be attacked and abused.”

Related: CISA Warns Organizations About Attacks on Cloud Services

Related: Email Attacks Using Cloud Services are Increasing

Related: Credential Stuffing Attacks Are Reaching DDoS Proportions

Related: Netskope Raises $300 Million at $7.5 Billion Valuation

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.