Netskope Threat Labs Report Reveals GitHub as Leading Cloud App Abused for Malware in Insurance Sector
Netskope Threat Labs has published its latest research, focusing on cyber threats delivered through cloud applications commonly used in the insurance sector. The report highlights that GitHub has become the most frequently abused cloud platform for delivering malware in this industry. The study also tracks a continued rise in the use of cloud apps within insurance companies and identifies the leading malware families targeting this sector.
Key Findings: Cloud App Usage in Insurance
The report reveals that employees in the insurance industry regularly engage with an average of 24 different cloud apps each month. Of these, Microsoft tools—including OneDrive, Teams, SharePoint, and Copilot—are the most popular, covering functionalities such as storage, email, and messaging. In fact, Microsoft apps dominate the top six most-used cloud applications in this sector, highlighting their critical role in day-to-day operations.
Cloud Apps Exploited for Malware Delivery
The study points out that GitHub, OneDrive, and SharePoint are the top three cloud platforms exploited for malware downloads in the insurance industry. Among these, GitHub leads, with nearly double the number of malware downloads compared to other industries. This finding underscores GitHub’s increasing misuse by cybercriminals.
Top Malware Families Targeting Insurance Companies
The top five malware and ransomware families observed targeting insurance companies over the past 12 months include:
- Backdoor.Zusy (also known as TinyBanker)
- Downloader.BanLoad
- Infostealer.AgentTesla
- Trojan.Grandoreiro
- Phishing.PhishingX
Expert Insights on GitHub’s Role in Cyber Attacks
Paolo Passeri, Cyber Intelligence Principal at Netskope, commented on the findings:
“GitHub’s growing exploitation as a cloud app for malware in the insurance sector is significant. Threat actors are increasingly using GitHub for supply chain attacks by creating malicious projects or packages, often mimicking legitimate content through typosquatting. In some cases, they even compromise legitimate projects, posing severe risks, especially if a fintech package is infected with malware. This method allows attackers to target multiple organizations simultaneously, maximizing their impact with minimal effort.”
Passeri further noted that as GitHub becomes more widely used by both legitimate users and cybercriminals, it may soon surpass traditional cloud platforms like Microsoft OneDrive as the most targeted by attackers, potentially impacting other industries as well.
Security Recommendations for the Insurance Sector
In response to these trends, Netskope Threat Labs recommends that insurance organizations review their security measures to ensure robust protection against these emerging threats. Key recommendations include:
- Inspect all HTTP and HTTPS traffic, including web and cloud downloads, to prevent malware infiltration.
- Thoroughly inspect high-risk file types, like executables and archives, using both static and dynamic analysis before allowing downloads.
- Block downloads and uploads from non-essential apps to minimize the risk of malware and data exposure.
- Deploy an Intrusion Prevention System (IPS) to detect and block malicious traffic, such as command and control communications associated with malware.
- Use Remote Browser Isolation (RBI) technology to provide extra protection when accessing higher-risk websites, particularly newly registered or observed domains.
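A small triage script, added here as an example (not Netskope's code or tooling), that applies three of these recommendations to constructed proxy log lines: downloads from GitHub, OneDrive and SharePoint are identified by host, downloads from cloud apps outside a hypothetical business allow-list are blocked, and executables or archives from allowed apps are held for static and dynamic analysis. The host lists, the allow-list and the log format are assumptions.

```python
import re
from urllib.parse import urlparse

# Hosts of the three cloud apps the report names as top malware-download sources.
APP_HOSTS = {"github.com": "GitHub", "raw.githubusercontent.com": "GitHub",
             "onedrive.live.com": "OneDrive", "1drv.ms": "OneDrive"}
APP_SUFFIXES = {".sharepoint.com": "SharePoint"}  # tenant hosts vary, so match by suffix
# Hypothetical allow-list: apps this insurer treats as business-essential.
ALLOWED_APPS = {"OneDrive", "SharePoint"}
# Executables and archives: the high-risk types the report says to analyse before release.
HIGH_RISK_EXT = re.compile(r"\.(exe|dll|msi|scr|js|vbs|zip|rar|7z|iso|img)$", re.I)

def classify_app(host):
    """Map a request host to one of the report's cloud apps, or 'other'."""
    host = host.lower()
    if host in APP_HOSTS:
        return APP_HOSTS[host]
    for suffix, app in APP_SUFFIXES.items():
        if host.endswith(suffix):
            return app
    return "other"

def triage(line):
    """Apply the policy to one 'ts user method url status bytes' proxy log line."""
    _ts, user, method, url, status, _size = line.split()
    parsed = urlparse(url)
    app = classify_app(parsed.netloc)
    filename = parsed.path.rsplit("/", 1)[-1]
    if method != "GET" or status != "200":
        verdict = "ignore"    # not a completed download
    elif app != "other" and app not in ALLOWED_APPS:
        verdict = "block"     # download from a non-essential cloud app
    elif HIGH_RISK_EXT.search(filename):
        verdict = "sandbox"   # hold for static + dynamic analysis before release
    else:
        verdict = "allow"
    return (user, app, filename, verdict)

def triage_log(text):
    return [triage(l) for l in text.splitlines() if l.strip()]

# Constructed sample proxy log (not from the report).
SAMPLE_LOG = """\
2024-05-02T09:14:03Z alice GET https://github.com/example-org/tool/releases/download/v1.2/setup.exe 200 845120
2024-05-02T09:15:41Z bob GET https://contoso-my.sharepoint.com/personal/bob/Documents/claims.xlsx 200 20480
2024-05-02T09:16:02Z carol GET https://contoso.sharepoint.com/sites/hr/Shared/archive.zip 200 1048576
2024-05-02T09:17:55Z dave GET https://raw.githubusercontent.com/example-org/scripts/main/README.md 200 2048
2024-05-02T09:18:30Z erin GET https://www.example.net/brochure.pdf 200 300000
"""
```

Running `triage_log(SAMPLE_LOG)` blocks both GitHub downloads, holds the SharePoint archive for analysis, and allows the spreadsheet and the PDF.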
For the full report, visit Netskope’s website.