Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

04:00 PM
Connect Directly

Cerber Strikes With Office 365 Zero-Day Attacks

Ransomware variant continues its success through chameleon-like reinvention.

Variants of Cerber ransomware are pivoting yet again, this time targeting Office 365 email users with a zero-day attack that security experts say likely impacted millions of business users last week. According to a new report from cloud security provider Avanan today, Cerber changed up its attack M.O., shifting gears to utilize a zero-day attack that bypasses Office 365's built-in security tools and hammering Office 365 email users with a phishing campaign.

While Avanan couldn't measure the infection rate, it said that the campaign hit approximately 57 percent of organizations that it services that use Office 365. It said that the attack was detected by customers using Check Point's SandBlast Zero-Day Protection on the Avanan platform, with most traditional antiviruses not detecting the cloud email attack when it was initially found.

 “Many users of cloud email programs believe they 'outsourced' everything to Microsoft or Google, including security,” explains Gil Friedrich, CEO of Avanan. “The reality is that hackers first make sure their malware bypasses major cloud email providers' security measures, and so most new malware goes through cloud email programs undetected."

Like many successful ransomware variants, Cerber has maintained its high infection rates through constant reinvention and innovation. First cropping up at the end of February this year, Cerber initially made headway distributed through malvertising that was driven by the Magnituted and Nuclear exploit kits' use of Flash zero-day exploits, according to Trend Micro and FireEye researchers.  

By May, Cerber was seen delivered frequently by Dridex in spam campaigns that were seeking to drop the malware via malicious Microsoft Office documents taking advantage of macro vulnerability exploits, according to FireEye. And earlier this month, researchers with Invincea warned that Cerber was utilizing a polymorphic "hash factory" technique to change payloads on the fly as often as every 15 seconds in order to evade signature-based detection.

"When we tried to duplicate the download for this variant, we noticed that the hash we received from the payload delivery server had a different hash than the one in the event above. When we downloaded it a third time, there was yet another hash," wrote Pat Belcher with Invincea about their findings. "Fifteen seconds later, there was another, and then another. In all we downloaded over 40 uniquely hashed Cerber payloads – all with different hashes. It appeared we were dealing with a server-side malware factory."

Among all of the derivations, one unique factor seems to be threaded through all of the Cerber attacks.  The ransomware is designed to deliver its ransom demand via a spoken voice note that plays when a victim tries to open a file.

Related Content:


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-14
Password generator feature in Kaspersky Password Manager was not completely cryptographically strong and potentially allowed an attacker to predict generated passwords in some cases. An attacker would need to know some additional information (for example, time of password generation).
PUBLISHED: 2021-05-14
Cleartext storage of sensitive information in multiple versions of Octopus Server where in certain situations when running import or export processes, the password used to encrypt and decrypt sensitive values would be written to the logs in plaintext.
PUBLISHED: 2021-05-14
An HTTP Request Smuggling vulnerability in Pulse Secure Virtual Traffic Manager before 21.1 could allow an attacker to smuggle an HTTP request through an HTTP/2 Header. This vulnerability is resolved in 21.1, 20.3R1, 20.2R1, 20.1R2, 19.2R4, and 18.2R3.
PUBLISHED: 2021-05-14
Hexagon G!nius Auskunftsportal before allows SQL injection via the GiPWorkflow/Service/DownloadPublicFile id parameter.
PUBLISHED: 2021-05-13
Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.