Case Study – The Crux of Cerber Ransomware Infection through Office 365 : Attaining Visibility through CASB
Aditya K Sood and Rehan Jalil, Elastica Cloud Threat Labs Overview: Ransomware poses an increasing […]
Aditya K Sood and Rehan Jalil, Elastica Cloud Threat Labs
Ransomware poses an increasing risk to businesses. Though it has been around for the past several years, the frequency of attacks has increased significantly in recent months. The distribution mechanisms have become more advanced as attackers have begun using cloud storage services such as Dropbox, etc. to distribute malware. In an earlier blog we discussed the distribution of Petya Ransomware via Dropbox explaining how cloud storage services such as Dropbox facilitate the spread of infections. Recently, another ransomware threat came out in the wild named Cerber, which is distributed as an attachment sent and received by Microsoft Office 365, a cloud-based email and storage service managed by Microsoft as a part of its SaaS-based offering. In other words, all the email and storage related IT infrastructure is managed by Microsoft as a part of its cloud computing platform.
Characteristics of Cerber Ransomware
Cerber has the following characteristics:
- It performs a geo-location check to make sure the users are coming from targeted countries or regions. If the user does not belong to the targets, Cerber won’t execute. Some of the countries that are checked by Cerber are Georgia, Kyrgyzstan, Kazakhstan, and Moldova
- Many times Cerber ransomware installs itself as “autochk.exe” and compromises the boot procedures of the operating system. This is done to install itself at the time of startup.
- Cerber performs extension scanning for different files available on the disk-drive before it starts encrypting the files. It not only scans the files on the local-drive but also scans for files available in the available shared drives on the victim’s system.
Once the files are encrypted, Cerber plays an audio message to let victims know that they have been infected and that they must pay a ransom to have the data decrypted.
Understanding the Threat
Let’s first understand how the attacker distributed Cerber ransomware. There are certain facts that need clarification here:
- Cerber was not directly downloaded or distributed as an email attachment or as an executable. Rather it was embedded in a file with extension “.dotm” which represents the MS Word 2007 template file. There are some interesting functionalities associated with “.dotm” and “.dotx” word files, which are explained below:
- The majority of malware authors use “.dotm” MS word template files because template files are capable of embedding macros that can be used to perform nefarious operations such as downloading malware from remote sites, executing commands, etc.
- Files with “.dotx” extension also allow embedding of macros but when these files are opened, the underlying framework raises a warning about the embedded macros.
- Embedded macros contain scripts such as VbScript, etc. to execute a number of commands simultaneously to accomplish a task, thereby making necessary changes in the base operating system.
- The malicious “.dotm” file was delivered to the enterprise Office 365 account. The attacker may have used an Office 365 account or any account provided by a third-party email service provider, which could be an enterprise or non-enterprise account, to distribute malicious email. Alternately, the attacker could have used the stolen credentials of an enterprise user using Office 365.
Understanding the Solution
MS integrates basic Advanced Threat Protection (ATP) as shown in Figure 1 as a part of Office 365’s native security to make sure malicious files are detected up front. In reality, attackers always develop techniques to bypass existing real-time solutions to distribute malware. This fact does not diminish the importance of real-time detection solutions. Rather, it highlights the importance of attaining more visibility by implementing multiple layers of security. Generally, the security solutions can be categorized as: Type (1) to detect and prevent malware at the time of infection, or Type (2) to detect and prevent an attack when the malware has already infected the system. It also covers the post infection analysis and incident response. However, ATP alone is not sufficient to understand the complete lifecycle of malware.
Figure 1 : MS Exchanged ATP Layout
In the case of Cerber ransomware, the malware bypassed the native MS ATP and was successfully distributed. It can be assumed that sophisticated malware can bypass the basic MS ATP and defense in depth is needed to defend against advanced malware. In addition to reliably detecting advanced malware, there are several questions that need to be addressed from a security point of view in order to understand the complete attack scenario. Let’s take a look at these:
- Are there files stored in the cloud that are encrypted or modified by the malware?
- Is the malicious file (attachment) stored in a file sharing?
- Is the malware using cloud a storage application for data exfiltration?
- How many times have users downloaded the malicious file?
- How many times has the same malicious file been distributed by users?
- How many times has the same malicious file has been shared by users within specific enterprise groups?
- Is it possible to stop malicious file distribution?
- Is it possible to stop data exfiltration happening through cloud apps?
- Is it possible to detect anomalies in enterprise users’ accounts?
- Is it possible to analyze an incident over a period of time to understand how it evolved?
- and others ……….
The answers to all of these questions can be obtained through a Cloud Access Security Broker (CASB) solution with state-of-the-art advanced threat protection that should be deployed in conjunction with basic built-in ATP to understand the threats in Office 365. Figure 2 highlights how a CASB can enhance the overall security model by detecting and preventing attacks in the Office 365.
Figure 2 : MS Exchanged ATP Enhancement with CASB
In addition to MS ATP, Blue Coat Elastica provides a complete solution package which provides the effective security solution as discussed below:
- Gain granular visibility into the cloud application traffic as well as network traffic.
- Blue Coat Elastica’s provides complete visibility into cloud application traffic
Blue Coat advanced malware analysis engine, along with CloudSOC, provides the ability to scan all files in cloud applications and shared via links.
- In general, ProxySG and advanced malware analysis integration with Elastica’s CloudSOC provides enterprise users with complete visibility and policy enforcement features. Malware attacks can be either subverted, or the impact can be reduced as enterprises attain visibility into both cloud app and non-cloud app channels.