SecurityWeek

Malware & Threats

Cerber Ransomware Used in Massive Attack Targeting Office 365 Users

Over the past months, ransomware has become a widespread cyber-threat aimed at enterprises and consumers alike, and a recent massive attack against Office 365 users proves that once again.

The attack started on June 22 and lasted for more than 24 hours, according to a recent report from cloud-security firm Avanan. The company, which focuses on securing Office 365, Box, Salesforce, Amazon AWS, and other cloud applications, says the campaign was observed hitting its customers that use Office 365.

According to Avanan’s Steven Toole, the attackers were using the Cerber ransomware to infect victims’ computers, and millions of Office 365 business users were likely affected. Like many other ransomware families, Cerber encrypts users’ files (photos, videos, documents, and other file types) and demands a ransom to restore them.

Cerber is spread as a malicious document attached to spam emails and relies on social engineering to trick users into enabling macros in Office so that the embedded code can run. This delivery method is not unique to Cerber, though the ransomware does have one distinctive feature: after encryption, it plays an audio file to inform the victim of the infection, in addition to displaying a written ransom note.
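The delivery vector described above is a macro-bearing Office attachment. As an added example (not code from the article or from Avanan), the following Python script shows a mail-gateway-style triage check: it distinguishes legacy OLE binaries from OOXML packages by their magic bytes, opens OOXML packages with the standard library and looks for an embedded VBA project, either as a `vbaProject.bin` part or via the VBA content type in `[Content_Types].xml`. The sample attachments are constructed in memory for the example and are not real lures; the function and verdict names are this example's own.

```python
import io
import zipfile

# Magic bytes of the two container formats Office attachments arrive in.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls (CFB)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx/.docm/.xlsm

# Content type OOXML uses for an embedded VBA project part.
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def classify_attachment(data):
    """Return a coarse verdict on an Office attachment's bytes.

    OOXML packages are inspected for a VBA project. Legacy OLE files are only
    flagged for deeper analysis (e.g. with olevba from oletools), because
    walking the CFB structure is outside this example.
    """
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if "[Content_Types].xml" not in names:
                return "zip-not-ooxml"
            content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
            # Word stores the project at word/vbaProject.bin, Excel at xl/vbaProject.bin.
            has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
    except zipfile.BadZipFile:
        # A truncated or malformed archive is itself worth a look.
        return "corrupt-zip"
    if has_vba_part or MACRO_CONTENT_TYPE in content_types:
        return "macro-enabled-ooxml"
    return "ooxml-no-macro"


def triage(attachments):
    """Given (filename, bytes) pairs, return the filenames to quarantine."""
    suspicious = {"macro-enabled-ooxml", "legacy-ole", "corrupt-zip"}
    return [name for name, data in attachments
            if classify_attachment(data) in suspicious]


def make_sample_docm(with_macro):
    """Build a minimal, constructed OOXML package in memory (not a real Cerber lure)."""
    overrides = ('<Override PartName="/word/document.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_macro:
        overrides = ('<Default Extension="bin" ContentType="' + MACRO_CONTENT_TYPE + '"/>'
                     '<Override PartName="/word/document.xml" ContentType="application/'
                     'vnd.ms-word.document.macroEnabled.main+xml"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/'
                   'content-types">' + overrides + "</Types>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder, not real VBA
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed mailbox contents for demonstration.
    mailbox = [
        ("invoice_0622.docm", make_sample_docm(True)),
        ("minutes.docx", make_sample_docm(False)),
        ("report.doc", OLE_MAGIC + b"\x00" * 504),
        ("notes.txt", b"plain text"),
    ]
    for name, data in mailbox:
        print(name, "->", classify_attachment(data))
    print("quarantine:", triage(mailbox))
```

This check deliberately errs toward flagging: a legacy `.doc` cannot be cleared without parsing its OLE streams, so it goes to the quarantine list for a tool such as olevba to extract and inspect the VBA. A file named `.docx` that nonetheless carries a `vbaProject.bin` part is also caught, since the verdict is based on the package contents rather than the extension.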

The security firm claims that around 57 percent of organizations using Office 365 “received at least one copy of the malware into one of their corporate mailboxes” during the attack, while noting that it is difficult to measure how many users were actually infected, since delivery to a mailbox does not mean the attachment was opened and its macros enabled. The company also says Microsoft was able to block the malicious attachment one day after the attack started.

The Cerber ransomware was spotted for the first time back in March, and has received a series of updates to expand its functionality. The threat was observed in campaigns mainly targeting the United States, Turkey, and the United Kingdom. Additionally, it appeared to be leveraged in DDoS attacks in May, and was seen morphing every 15 seconds earlier this month, in an attempt to avoid detection.

Avanan says the newly observed attack used a variant of the Cerber sample first seen in March, but did not provide further details on it. The security firm did say that the ransomware “was widely distributed after its originator was apparently able to easily confirm that the virus was able to bypass the Office 365 built-in security tools through a private Office 365 mail account.”

The security company also asserts that traditional antivirus/anti-malware products did not detect this attack, attributing that to the fact that it targeted users of cloud email services, where the malicious attachment sits in a hosted mailbox rather than on a scanned endpoint until it is opened. The ransomware used a combination of AES-256 and RSA encryption (the report writes “AES-265”, which is not a valid AES key length; AES keys are 128, 192 or 256 bits) and demanded a 1.24 Bitcoin ransom from its victims. Such hybrid encryption cannot be brute-forced with current computing power, so recovery without the attacker’s private key depends on implementation flaws in the malware or on backups.

“Many users of cloud email programs believe they ‘outsourced’ everything to Microsoft or Google, including security,” explains Gil Friedrich, CEO of Avanan. “The reality is that hackers first make sure their malware bypasses major cloud email providers’ security measures, and so most new malware goes through cloud email programs undetected.”

Related: Ransomware Gang Made $50,000 in Weeks

Related: MIRCOP Ransomware Claims to Be Victim, Demands Payback
