Zero Day Ransomware Attacks Office

Follow any of the IT security news feeds this week and you could not miss the headlines about Office 365 being a target for the latest Cerber ransomware attack. According to this article from Trend Micro, the ransomware was hidden inside a Microsoft Word macro, which makes it challenging to detect using traditional techniques.

Millions of Microsoft Office 365 users were potentially exposed to a massive zero-day Cerber ransomware attack last week that not only included a ransom note, but an audio warning informing victims that their files were encrypted.

Steven Toole, a researcher for the cloud-security firm Avanan, blogged that his company saw the first attack roll in at 6:44 a.m. on June 22, and that at least 57 percent of all Office 365 customers on Avanan’s platform received at least one phishing attempt that contained the infected attachment; Avanan extrapolated that the same proportion of all Office 365 users were involved. While Avanan did not supply a specific number of those possibly hit, Microsoft reported in its first quarter 2016 earnings report that there are 18.2 million Office 365 subscribers.

In a unique twist, the ransom note was accompanied by an audio file explaining the attack and how to regain access to the files. The attacker asked for a ransom totaling 1.4 bitcoin, or about $500, for the decryption key. More information about this attack is available in the full article.

Companies focused on the security market such as Fortinet recommend that organizations use defense in depth protection, and not just enable antivirus functions alone, to protect their systems from advanced attacks using a variety of vectors for infection, spreading, and control.

How do I protect my messaging environment?

As we see more and more of our customers making the jump to the Cloud and Office 365 for their email platform, we recommend they use a secondary gateway service in addition to the Office 365 Exchange Online Protection service, following the defense in depth recommendations. Services such as Fortinet’s FortiMail gateway service use multiple techniques to detect spam and viruses sent by email. Apart from the more traditional anti-spam systems, FortiMail also scans the URIs in the message body and compares them with Fortinet’s Web Filtering database. Thus, if an email message contains a link to a URL associated with phishing attacks, malware delivery, etc., it can be detected even if the message itself does not come from a known malicious or compromised mail server. As a result, it can detect spam (including messages bearing ransomware) that most traditional techniques would not pick up. FortiMail can also interconnect with Fortinet’s sandboxing platform (FortiSandbox). FortiSandbox allows all suspicious attachments, even those that haven’t been previously categorized, to be examined in a controlled environment. The inspection happens at near line speed and the email is not forwarded to the recipient until it is deemed safe. Otherwise, it is cleaned or discarded.

With new exploits being discovered every day there is always a risk of being the next victim. How do you protect yourself before you are infected?

* Subscribe to an additional SMTP gateway service that offers Advanced Threat Protection features such as Phishing detection.
* Implement a higher level of protection at the edge by using a Next Generation Firewall that can implement layer 7 scanning and other features like AV, IPS, and IDS
* Deploy features like SPF and DKIM record checking
* Use Email Encryption to send sensitive data
* Deploy policies and software to protect accessing email data from mobile devices
* Establish a backup and recovery strategy
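The checks described above for a secondary mail gateway (scanning URIs in the message body against a web-filtering database, inspecting attachments that have not been categorized yet, and checking SPF and DKIM results) can be illustrated with a small triage script. The following is an added example, not code from this post or from Fortinet: it parses a constructed phishing-style message with Python's standard `email` module, compares every URL host with a constructed blocklist standing in for a web-filtering database, flags attachments that carry a VBA project (OOXML files are zip containers, so a `vbaProject.bin` entry means macros, whatever the file extension says), and reads the `spf=`/`dkim=` verdicts from the `Authentication-Results` header. Domain names, the blocklist and the sample message are all constructed.

```python
"""Triage an inbound email the way a secondary mail gateway would.

Added example (not the post's or Fortinet's code).  Constructed/assumed:
the URL blocklist, the sample message, and every domain name used here.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed stand-in for a web-filtering database.
URL_BLOCKLIST = {"phish.example.net", "dl.malware.example"}

# File extensions that are macro-enabled by design.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
AUTH_RE = re.compile(r"\b(spf|dkim)=(\w+)", re.IGNORECASE)


def extract_urls(msg):
    """Return every http(s) URL found in the text/plain and text/html parts."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def blocklisted_hosts(urls, blocklist):
    """Hosts from the URL list that appear in the blocklist, sorted."""
    hosts = set()
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host in blocklist:
            hosts.add(host)
    return sorted(hosts)


def has_vba_project(data):
    """OOXML documents are zip files; a vbaProject.bin entry means macros."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.endswith("vbaProject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def suspicious_attachments(msg):
    """List (filename, reasons) for attachments that look macro-bearing."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        data = part.get_payload(decode=True) or b""
        reasons = []
        if ext in MACRO_EXTENSIONS:
            reasons.append("macro-enabled extension")
        if has_vba_project(data):
            reasons.append("vbaProject.bin present")
        if reasons:
            findings.append((name, reasons))
    return findings


def auth_results(msg):
    """Collect spf=/dkim= verdicts from Authentication-Results headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RE.findall(str(header)):
            verdicts[method.lower()] = result.lower()
    return verdicts


def triage(raw, blocklist=URL_BLOCKLIST):
    """Parse a raw RFC 5322 message and return the findings plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = auth_results(msg)
    findings = {
        "blocklisted_hosts": blocklisted_hosts(extract_urls(msg), blocklist),
        "macro_attachments": suspicious_attachments(msg),
        "auth_failures": sorted(m for m, r in auth.items() if r != "pass"),
    }
    findings["verdict"] = "quarantine" if any(findings.values()) else "deliver"
    return findings


def build_sample():
    """Constructed phishing-style message: a blocklisted link plus a .docx
    that still carries a VBA project.  Not a real sample from any campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    msg = EmailMessage()
    msg["From"] = "billing@sender.example"
    msg["To"] = "user@victim.example"
    msg["Subject"] = "Invoice attached"
    msg["Authentication-Results"] = (
        "mx.victim.example; spf=fail smtp.mailfrom=sender.example; dkim=none")
    msg.set_content("Please review: https://phish.example.net/invoice")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="invoice.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

The macro check deliberately ignores the extension when deciding whether a VBA project is present, so a `.docm` renamed to `.docx` is still caught; the extension list is a second, cheaper signal. A real gateway would add the sandbox detonation step for anything the static checks cannot classify.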

What if you get infected?

You moved your data to Office 365. That means it is protected, right? Many customers assume when moving to Office 365 that their data is being backed up as it was when it was on-premises. Microsoft Office 365 protects your email data through data replication, not backup. This means Microsoft commits to keeping a secondary copy of your data in the same local data center, with a third copy in a remote data center. Replication copies whatever is in the mailbox, including files that have already been encrypted, so if you are in a situation where an exploit causes your data to be held hostage by these ransomware authors, how will you recover? Will you pay the ransom or restore your data? You backed up your mailbox data when it was on-premises, so why not when it is in the cloud? There are Cloud to Cloud backup services available to help you protect your Office 365 mailbox data and give you a recovery strategy.

About Larry Taylor

Innovative helps you balance your business requirements, service levels, staff and infrastructure to make your IT as effective as possible. Larry Taylor is a Senior Solutions Consultant at Innovative with a focus on Microsoft technologies. Since 2002, Larry has been recommending, deploying, and providing support for organizations to align technology solutions with their business needs.

