A ransomware attack targeted millions of Office 365 users via a phishing campaign last week, underscoring the growing threat this kind of malware poses for enterprises.
The attack started on June 22 and lasted more than 24 hours, until Microsoft began blocking the malware, according to a report by Avanan, which provides security tools to protect Office 365, Box, Salesforce, Amazon AWS, and other cloud applications.
Cerber, the ransomware used in this attack, encrypts user files like photos, videos, and documents, and plays an audio file demanding a ransom to unlock them. It typically spreads as an email attachment: a document booby-trapped with malicious macros. When users are tricked into enabling macros, the embedded code infects the PC.
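Because the infection chain above depends on a macro-carrying document reaching the inbox, a gateway can flag such attachments by content rather than by file extension. The following is an added example, not code from the article or from Avanan: it inspects an attachment's bytes, reports an OOXML document that embeds a VBA project, and separately marks the legacy OLE binary format as needing deeper inspection. The sample documents are constructed in-memory zips, not real Office files.

```python
import io
import zipfile

# Magic bytes of the OLE2 compound file format used by legacy .doc/.xls files.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# OOXML stores VBA macros in a vbaProject.bin part (word/, xl/ or ppt/).
VBA_PART = "vbaproject.bin"


def classify_attachment(data: bytes) -> str:
    """Classify an attachment by content.

    Returns 'macro' for an OOXML document that embeds a VBA project,
    'legacy-ole' for the old binary Office format (needs a dedicated
    OLE parser to look for macro streams), 'clean-ooxml' for an OOXML
    document without a VBA part, or 'other' for anything else.
    """
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    if not data.startswith(b"PK"):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "other"
    # The presence of the VBA part is what matters, not the extension the
    # sender chose for the file.
    if any(n.endswith(VBA_PART) for n in names):
        return "macro"
    if any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
        return "clean-ooxml"
    return "other"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip for testing (hypothetical, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("invoice.docm", build_sample(True)),
                          ("memo.docx", build_sample(False))):
        print(label, classify_attachment(sample))
```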
Avanan couldn't say just how many users were actually infected in this attack, but said 57 percent of its customers using Office 365 had at least one user who received an email with the malicious file attachment. Customers using Check Point's SandBlast Zero-Day Protection were protected from the attack before Microsoft was able to take steps, Avanan said.
Users who received the attachment on June 22 or June 23 and downloaded it to their systems should delete the file right away, since opening it could still infect their machines. Users who received the attachment but had not yet opened it will no longer be able to access the file, since Microsoft has removed it.
Ransomware started out targeting individual users, but by shifting to enterprise platforms like Office 365, it targets a larger group of users working with even more valuable data. Microsoft's own statistics show that ransomware is still very small in the grand scheme of online threats, but it just takes a single infection via a corporate inbox to cripple an enterprise.
Cerber began making its rounds in March, and it has been updated several times since with newer functionality. Cerber initially spread through malvertising campaigns relying on the Flash zero-day exploits used by the Magnitude and Nuclear exploit kits. In May, Cerber was observed in spam campaigns delivering Dridex. The latest version appears to be relying on polymorphism to rapidly generate new variants to avoid detection.
The latest attack used a version of the Cerber variant from March, but Avanan didn't provide any other details regarding its functionality. It appears the attackers monetized the March variant, and now that they are done, they'll move on to try again with a new mutation. Since the malware was first seen in February and March, it seems likely the adversaries are operating on a three month cycle, said Gil Friedrich, CEO of Avanan.
This particular Cerber attack began after the perpetrators confirmed the malware could bypass the Office 365 built-in security tools. Avanan claims the perpetrators tested the malware through a private Office 365 mail account.
“The core issue, though, is how easy it could be to create a variation of this attack that bypasses Microsoft again,” said Friedrich.
Many users believe that because they are using cloud email services, the security has also been outsourced, whether to Microsoft, Google, or another provider. The reality is that enterprises can't just rely on built-in security tools, since the attackers test to make sure the malware can bypass those security protections. A layered defense is critical, whether that's combining multiple security tools in the cloud or beefing up endpoint protections.