Malicious actors are using creative means to serve malware payloads via Microsoft Azure, according to a Tuesday report from security firm Netskope. These payloads are infecting targets in the security-conscious healthcare sector, as IT administrators implicitly trust the IP address blocks used by Azure for services used by their organization, or through products supplied by a third-party vendor which utilizes Azure, the report found.
Consider the following scenario: A user downloads a file hosted on Azure, and shares it to other employees by uploading it to (any arbitrary) cloud-based file storage service. Though Microsoft offers a free anti-malware service for Azure, this must be enabled by the user. Naturally, if an Azure user is using the platform to propagate malware, they will have disabled this service.
SEE: Research: The current state and predictions for the future of blockchain in the enterprise (Tech Pro Research)
The malware identified by Netskope, which it calls “Capitalinstall” and installs the “Linkury” adware package, is presently being hosted on Azure, with a link to the malware provided in the report. (It is unclear if Netskope contacted Microsoft about the existence of this malware being hosted on Azure.)
A customer of Netskope had several machines infected with CapitalInstall, which originated from a website that claims to provide keys or licenses for popular software. The strain identified purports to be a crack for Adobe Creative Cloud. Oddly, the payload is an executable file packaged inside an ISO file, which Netskope notes is “uncommon for traditional Adware related families.”
From there, the victim is then presented with page directing them to install a myriad of browser add-ons, cryptocurrency miners, and other software.
How do I prevent this problem in my organization?
The easiest and obvious step to avoid this malware is to educate users against downloading software license cracks from the obviously shady websites that offer such solutions. Second, inherent trust of cloud service providers is unwise, as like any other part of the public internet, any arbitrary user can upload anything to cloud file storage services. Likewise, having access controls preventing end users from installing software on corporate workstations, or using anti-malware software, are effective steps to limiting the potential damage from these infections.
The big takeaways for tech leaders:
- Malicious actors are using creative means to serve malware payloads via Microsoft Azure.
- Inherent trust of cloud service providers is unwise, as like any other part of the public internet, any arbitrary user can upload anything to cloud file storage services.