Over the past months, ransomware has become a widespread cyber-threat aimed at enterprises and consumers alike, and a recent massive attack against Office 365 users proves that once again.


By SecurityWeek News on June 28, 2016

The attack started on June 22 and lasted for more than 24 hours, a recent report from cloud-security firm Avanan reveals. Focused on securing Office 365, Box, Salesforce, Amazon AWS, and other cloud applications, the security firm says that this massive attack was targeting its customers that were using Office 365.

According to Avanan’s Steven Toole, the attackers were using the Cerber ransomware to infect victim’s computers, and millions of Office 365 business users were likely affected. Like many other ransomware families out there, Cerber encrypts user’s files (such as photos, videos, documents, and other file types) and demands a ransom to be paid to restore the affected files.

Cerber is spread as a malicious document attached to spam emails and uses various social engineering techniques to trick users into enabling macros in Office to allow the malicious code to run. This attack method isn’t employed by Cerber alone, though the ransomware does have its unique feature: after encryption, it plays an audio file to inform its victim of the infection. It displays a written ransom note as well.

The security firm claims that around 57 percent of organizations using Office 365 “received at least one copy of the malware into one of their corporate mailboxes” during the attack. Nevertheless, they also note that it is rather difficult to measure how many users were actually infected. The company also explains that Microsoft was able to block the malicious attachment one day after the attack started.

The Cerber ransomware was spotted for the first time back in March, and has received a series of updates to expand its functionality. The threat was observed in campaigns mainly targeting the United States, Turkey, and the United Kingdom. Additionally, it appeared to be leveraged in DDoS attacks in May, and was seen morphing every 15 seconds earlier this month, in an attempt to avoid detection.

Avanan says that the newly observed attack employed a variation of the Cerber variant observed in March, but didn’t provide additional details on it. However, the security firm did say that the ransomware “was widely distributed after its originator was apparently able to easily confirm that the virus was able to bypass the Office 365 built-in security tools through a private Office 365 mail account.”

The security company also notes that traditional antiviruses/anti-malware applications were not able to detect this attack because it targeted cloud email program users. As part of this attack, Cerber used AES-265 and RSA encryption, which is currently unbreakable, and demanded a 1.24 Bitcoin ransom from its victims.

“Many users of cloud email programs believe they 'outsourced' everything to Microsoft or Google, including security,” explains Gil Friedrich, CEO of Avanan. “The reality is that hackers first make sure their malware bypasses major cloud email providers' security measures, and so most new malware goes through cloud email programs undetected.”

Read the full article here.