Cerber Strikes With Office 365 Zero-Day Attacks

Ransomware variant continues its success through chameleon-like reinvention.

Variants of Cerber ransomware are pivoting yet again, this time targeting Office 365 email users with a zero-day attack that security experts say likely impacted millions of business users last week. According to
a new report
from cloud security provider Avanan today, Cerber changed up its attack M.O., shifting gears to utilize a zero-day attack that bypasses Office 365s built-in security tools and hammering Office 365 email users with a phishing campaign.
While Avanan couldnt measure the infection rate, it said that the campaign hit approximately 57 percent of organizations that it services that use Office 365. It said that the attack was detected by customers using Check Points SandBlast Zero-Day Protection on the Avanan platform, with most traditional antiviruses not detecting the cloud email attack when it was initially found.
“Many users of cloud email programs believe they outsourced everything to Microsoft or Google, including security,” explains Gil Friedrich, CEO of Avanan. “The reality is that hackers first make sure their malware bypasses major cloud email providers security measures, and so most new malware goes through cloud email programs undetected.
Like many successful ransomware variants, Cerber has maintained its high infection rates through constant reinvention and innovation. First cropping up at the end of February this year, Cerber initially made headway distributed through malvertising that was driven by the Magnituted and Nuclear exploit kits use of
Flash zero-day exploits
, according to
Trend Micro
and
FireEye
researchers.
By May, Cerber was seen delivered frequently by Dridex in spam campaigns that were seeking to drop the malware via malicious Microsoft Office documents taking advantage of macro vulnerability exploits, according to FireEye. And earlier this month,
researchers with Invincea
warned that Cerber was utilizing a polymorphic hash factory technique to change payloads on the fly as often as every 15 seconds in order to evade signature-based detection.
When we tried to duplicate the download for this variant, we noticed that the hash we received from the payload delivery server had a different hash than the one in the event above. When we downloaded it a third time, there was yet another hash, wrote Pat Belcher with Invincea about their findings. Fifteen seconds later, there was another, and then another. In all we downloaded over 40 uniquely hashed Cerber payloads – all with different hashes. It appeared we were dealing with a server-side malware factory.
Among all of the derivations, one unique factor seems to be threaded through all of the Cerber attacks. The ransomware is designed to deliver its ransom demand via a spoken voice note that plays when a victim tries to open a file.
Related Content:
Ransomware Spikes, Tries New Tricks
Adobe Issues Emergency Updates For Zero-Day Flaw
Attackers Clobbering Victims With One-Two Punch Of Ransomware & DDos

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Cerber Strikes With Office 365 Zero-Day Attacks