SecurityWeek

Cerber Ransomware Used in Massive Attack Targeting Office 365 Users

Over the past months, ransomware has become a widespread cyber-threat aimed at enterprises and consumers alike, and a recent massive attack against Office 365 users proves that once again.

The attack started on June 22 and lasted for more than 24 hours, a recent report from cloud-security firm Avanan reveals. Focused on securing Office 365, Box, Salesforce, Amazon AWS, and other cloud applications, the security firm says that this massive attack targeted its customers who use Office 365.

According to Avanan’s Steven Toole, the attackers were using the Cerber ransomware to infect victims’ computers, and millions of Office 365 business users were likely affected. Like many other ransomware families out there, Cerber encrypts users’ files (such as photos, videos, documents, and other file types) and demands that a ransom be paid to restore the affected files.

Cerber is spread as a malicious document attached to spam emails and uses various social engineering techniques to trick users into enabling macros in Office so that the malicious code can run. This attack method isn’t employed by Cerber alone, though the ransomware does have one distinctive feature: after encryption, it plays an audio file to inform its victim of the infection. It displays a written ransom note as well.
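Because the delivery vector described above is a macro-carrying Office document arriving as an email attachment, a defender’s first triage question is simply “does this attachment contain a VBA project at all?” The following script is an added example written for this article; it is not code from Avanan, Microsoft, or the Cerber analysis. It inspects an attachment’s bytes, distinguishes modern OOXML packages (`.docm`, `.xlsm`, and also a `.docx` that smuggles a `vbaProject.bin`) from legacy OLE containers (`.doc`, `.xls`), and reports whether a VBA project is present. The OOXML check is exact (it reads the package’s own part list and content types); the OLE check is a deliberately rough stream-name heuristic, and a production gateway would replace it with a real OLE parser such as `olevba` from the oletools project. The sample documents are constructed in memory and are not real files.

```python
import io
import zipfile
from dataclasses import dataclass

# Magic bytes of the legacy OLE2 / Compound File container (.doc, .xls, .ppt).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type that an OOXML package declares for an embedded VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# OLE directory entries store stream names as UTF-16LE; these are the usual VBA ones.
OLE_VBA_MARKERS = ("_VBA_PROJECT".encode("utf-16-le"), "Macros".encode("utf-16-le"))


@dataclass
class Verdict:
    filename: str
    container: str      # "ooxml", "ole" or "other"
    has_macros: bool
    reason: str


def inspect_attachment(filename: str, data: bytes) -> Verdict:
    """Classify one attachment by container type and report whether it carries VBA."""
    if data.startswith(OLE_MAGIC):
        # Heuristic only: scanning for VBA stream names in the raw bytes. A real
        # gateway should walk the OLE directory instead (e.g. with oletools/olevba).
        found = any(marker in data for marker in OLE_VBA_MARKERS)
        reason = "legacy OLE container; VBA stream name found" if found \
            else "legacy OLE container; no VBA stream name seen"
        return Verdict(filename, "ole", found, reason)

    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                # Regardless of the extension on the filename, a VBA part inside the
                # package is what matters; a .docx with vbaProject.bin is still suspect.
                vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
                content_types = ""
                if "[Content_Types].xml" in names:
                    content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if vba_parts or VBA_CONTENT_TYPE in content_types:
                    detail = ", ".join(vba_parts) or "declared in [Content_Types].xml"
                    return Verdict(filename, "ooxml", True, "VBA project present: " + detail)
                return Verdict(filename, "ooxml", False, "OOXML package without a VBA project")
        except zipfile.BadZipFile:
            return Verdict(filename, "other", False, "PK signature but not a readable zip")

    return Verdict(filename, "other", False, "not an Office container")


def quarantine_candidates(attachments):
    """Names of attachments (name, bytes) that a mail gateway should hold for review."""
    verdicts = (inspect_attachment(name, data) for name, data in attachments)
    return [v.filename for v in verdicts if v.has_macros]


def build_ooxml_sample(with_vba: bool) -> bytes:
    """Construct a minimal OOXML package in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = ('<?xml version="1.0"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              '<Override PartName="/word/document.xml" ContentType="application/vnd.'
              'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
        if with_vba:
            ct += '<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % VBA_CONTENT_TYPE
        ct += "</Types>"
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Placeholder bytes standing in for a compiled VBA container (constructed).
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inbox: one macro-enabled document, one clean one, one legacy file.
    legacy = OLE_MAGIC + b"\x00" * 16 + "_VBA_PROJECT_CUR".encode("utf-16-le")
    inbox = [("invoice.docm", build_ooxml_sample(True)),
             ("report.docx", build_ooxml_sample(False)),
             ("old_memo.doc", legacy)]
    for name, data in inbox:
        print(inspect_attachment(name, data))
    print("hold for review:", quarantine_candidates(inbox))
```

The verdicts are meant to feed a policy decision rather than to be the whole defence: holding every macro-bearing attachment from an external sender for review, and pairing that with the Office setting that blocks macros in files from the internet, removes the “enable macros” step that this campaign depended on.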

The security firm claims that around 57 percent of organizations using Office 365 “received at least one copy of the malware into one of their corporate mailboxes” during the attack. Nevertheless, they also note that it is rather difficult to measure how many users were actually infected. The company also explains that Microsoft was able to block the malicious attachment one day after the attack started.

The Cerber ransomware was spotted for the first time back in March, and has received a series of updates to expand its functionality. The threat was observed in campaigns mainly targeting the United States, Turkey, and the United Kingdom. Additionally, it appeared to be leveraged in DDoS attacks in May, and was seen morphing every 15 seconds earlier this month, in an attempt to avoid detection.

Avanan says that the newly observed attack employed a variation of the Cerber variant observed in March, but didn’t provide additional details on it. However, the security firm did say that the ransomware “was widely distributed after its originator was apparently able to easily confirm that the virus was able to bypass the Office 365 built-in security tools through a private Office 365 mail account.”

The security company also notes that traditional antivirus/anti-malware applications were not able to detect this attack because it targeted users of cloud email programs. As part of this attack, Cerber used AES-256 and RSA encryption, which is currently unbreakable, and demanded a 1.24 Bitcoin ransom from its victims.

“Many users of cloud email programs believe they ‘outsourced’ everything to Microsoft or Google, including security,” explains Gil Friedrich, CEO of Avanan. “The reality is that hackers first make sure their malware bypasses major cloud email providers’ security measures, and so most new malware goes through cloud email programs undetected.”

Related: Ransomware Gang Made $50,000 in Weeks

Related: MIRCOP Ransomware Claims to Be Victim, Demands Payback
