Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

04:00 PM
Connect Directly

Cerber Strikes With Office 365 Zero-Day Attacks

Ransomware variant continues its success through chameleon-like reinvention.

Variants of Cerber ransomware are pivoting yet again, this time targeting Office 365 email users with a zero-day attack that security experts say likely impacted millions of business users last week. According to a new report from cloud security provider Avanan today, Cerber changed up its attack M.O., shifting gears to utilize a zero-day attack that bypasses Office 365's built-in security tools and hammering Office 365 email users with a phishing campaign.

While Avanan couldn't measure the infection rate, it said that the campaign hit approximately 57 percent of organizations that it services that use Office 365. It said that the attack was detected by customers using Check Point's SandBlast Zero-Day Protection on the Avanan platform, with most traditional antiviruses not detecting the cloud email attack when it was initially found.

 “Many users of cloud email programs believe they 'outsourced' everything to Microsoft or Google, including security,” explains Gil Friedrich, CEO of Avanan. “The reality is that hackers first make sure their malware bypasses major cloud email providers' security measures, and so most new malware goes through cloud email programs undetected."

Like many successful ransomware variants, Cerber has maintained its high infection rates through constant reinvention and innovation. First cropping up at the end of February this year, Cerber initially made headway distributed through malvertising that was driven by the Magnituted and Nuclear exploit kits' use of Flash zero-day exploits, according to Trend Micro and FireEye researchers.  

By May, Cerber was seen delivered frequently by Dridex in spam campaigns that were seeking to drop the malware via malicious Microsoft Office documents taking advantage of macro vulnerability exploits, according to FireEye. And earlier this month, researchers with Invincea warned that Cerber was utilizing a polymorphic "hash factory" technique to change payloads on the fly as often as every 15 seconds in order to evade signature-based detection.

"When we tried to duplicate the download for this variant, we noticed that the hash we received from the payload delivery server had a different hash than the one in the event above. When we downloaded it a third time, there was yet another hash," wrote Pat Belcher with Invincea about their findings. "Fifteen seconds later, there was another, and then another. In all we downloaded over 40 uniquely hashed Cerber payloads – all with different hashes. It appeared we were dealing with a server-side malware factory."

Among all of the derivations, one unique factor seems to be threaded through all of the Cerber attacks.  The ransomware is designed to deliver its ransom demand via a spoken voice note that plays when a victim tries to open a file.

Related Content:


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-08-20
In the Linux kernel, a certain net/ipv4/tcp_output.c change, which was properly incorporated into 4.16.12, was incorrectly backported to the earlier longterm kernels, introducing a new vulnerability that was potentially more severe than the issue that was intended to be fixed by backporting. Specifi...
PUBLISHED: 2019-08-20
FlightPath 4.8.3 has XSS in the Content, Edit urgent message, and Users sections of the Admin Console. This could lead to cookie stealing and other malicious actions.
PUBLISHED: 2019-08-20
Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.
PUBLISHED: 2019-08-20
FUEL CMS 1.4.4 has XSS in the Create Blocks section of the Admin console. This could lead to cookie stealing and other malicious actions. This vulnerability can be exploited with an authenticated account but can also impact unauthenticated visitors.
PUBLISHED: 2019-08-20
FUEL CMS 1.4.4 has CSRF in the blocks/create/ Create Blocks section of the Admin console. This could lead to an attacker tricking the administrator into executing arbitrary code via a specially crafted HTML page.