Netskope reports increase in AI usage in corporate spheres

06 September 2024

Netskope Threat Labs’ latest research report, which focuses on cloud app threats in the manufacturing sector, highlights an increase in AI usage within corporate environments, and an increasing diversity in the methodologies of attackers targeting the sector.

Compared with the 2023 manufacturing report, the popularity of Microsoft OneDrive in the manufacturing sector grew from 43% to 58% in 2024; however, its impact in terms of malware distribution decreased to 22% from 34%. While the top three cloud applications for malware downloads remained the same, the malicious exploitation of GitHub doubled in 2024 compared to 2023.

Enterprise users in manufacturing regularly interact with an average of 24 cloud apps each month, with OneDrive leading in popularity. With a global increase of AI usage in corporate environments, Microsoft Copilot is now among the top 10 apps in manufacturing. The manufacturing industry uses a significant number of apps that serve both personal and corporate purposes (such as Google Drive), underscoring the importance of having identity-based policies to ensure the safe handling of sensitive data between environments.

Approximately one-half of all global HTTP/HTTPS malware downloads originate from popular cloud apps, with the other half originating from different locations on the web. The most popular apps around the world are also among the top apps in terms of the number of malware downloads, reflecting adversary tactics, user behavior, and organizational policy. In manufacturing, OneDrive is the top app being abused for malware delivery (22%), with twice as much abuse as the second- and third-placed SharePoint (10%) and GitHub (10%) combined.

The top five malware and ransomware families targeting users in manufacturing in the last 12 months are Downloader.Guloader; Infostealer.AgentTesla; Phishing.PhishingX; Trojan.Grandoreiro; and Trojan.RaspberryRobin.

“What really caught my eye in this report is the fact that threat actors are diversifying the kind of payload they are delivering to organizations in manufacturing,” said Paolo Passeri, Cyber Intelligence Principal at Netskope. “Rather than focusing on specific categories of malware, they prefer to deliver flexible downloaders or remote access tools (GuLoader, AgentTesla, and RaspberryRobin), which can then distribute multiple kinds of payloads depending on the attackers' objectives. With today’s sophisticated attack methodologies, malware can be delivered in various forms - whether it be a PDF file, banking Trojan, or infostealers - making them so hard for users to detect. Businesses will need to implement strict policies that ensure the safe handling of sensitive data, and regularly monitor cloud traffic for malicious behaviour.”