[BreachExchange] Cerber Strikes With Office 365 Zero-Day Attacks

Mon Jun 27 23:05:30 EDT 2016

http://www.darkreading.com/vulnerabilities---threats/cerber-strikes-with-office-365-zero-day-attacks/d/d-id/1326070

Variants of Cerber ransomware are pivoting yet again, this time targeting
Office 365 email users with a zero-day attack that security experts say
likely impacted millions of business users last week. According to a new
report
<http://www.avanan.com/resources/attack-on-office-365-corporate-users-with-zero-day-ransomware-virus>
from cloud security provider Avanan today, Cerber changed up its attack
M.O., shifting gears to utilize a zero-day attack that bypasses Office
365's built-in security tools and hammering Office 365 email users with a
phishing campaign.

While Avanan couldn't measure the infection rate, it said that the campaign
hit approximately 57 percent of organizations that it services that use
Office 365. It said that the attack was detected by customers using Check
Point's SandBlast Zero-Day Protection on the Avanan platform, with most
traditional antiviruses not detecting the cloud email attack when it was
initially found.

 “Many users of cloud email programs believe they 'outsourced' everything
to Microsoft or Google, including security,” explains Gil Friedrich, CEO of
Avanan. “The reality is that hackers first make sure their malware bypasses
major cloud email providers' security measures, and so most new malware
goes through cloud email programs undetected."

Like many successful ransomware variants, Cerber has maintained its high
infection rates through constant reinvention and innovation. First cropping
up at the end of February this year, Cerber initially made headway
distributed through malvertising that was driven by the Magnituted and
Nuclear exploit kits' use of Flash zero-day exploits
<http://www.darkreading.com/vulnerabilities---threats/adobe-issues-emergency-updates-for-zero-day-flaw-in-flash-player/d/d-id/1325034>,
according to Trend Micro
<http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/cerber-crypto-ransomware-now-uses-malicious-script-files>
and FireEye
<https://www.fireeye.com/blog/threat-research/2016/05/cerber_ransomware_partners_with_Dridex.html>
researchers.

By May, Cerber was seen delivered frequently by Dridex in spam campaigns
that were seeking to drop the malware via malicious Microsoft Office
documents taking advantage of macro vulnerability exploits, according to
FireEye. And earlier this month, researchers with Invincea
<https://www.invincea.com/2016/06/hash-factory-new-cerber-ransomware-morphs-every-15-seconds/>
warned that Cerber was utilizing a polymorphic "hash factory" technique to
change payloads on the fly as often as every 15 seconds in order to evade
signature-based detection.

"When we tried to duplicate the download for this variant, we noticed that
the hash we received from the payload delivery server had a different hash
than the one in the event above. When we downloaded it a third time, there
was yet another hash," wrote Pat Belcher with Invincea about their
findings. "Fifteen seconds later, there was another, and then another. In
all we downloaded over 40 uniquely hashed Cerber payloads – all with
different hashes. It appeared we were dealing with a server-side malware
factory."

Among all of the derivations, one unique factor seems to be threaded
through all of the Cerber attacks.  The ransomware is designed to deliver
its ransom demand via a spoken voice note that plays when a victim tries to
open a file.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160627/a5b0b447/attachment.html>