Cybercriminals ‘following money’ amidst Office 365 migration

Convinced by the prospect of cost savings, global email access, and a round-the-clock workforce, a growing number of organisations have made the switch to Office 365, Microsoft’s cloud-based email platform.

While employees across the globe have placed their trust in Microsoft to keep their emails, attachments, Office documents, and other files safe, the cloud platform is becoming increasingly crowded with users looking to take advantage of any security gaps they can find, in order to fuel their criminal campaigns.

Cybercriminals have given no second thought to following Microsoft Exchange users into Office 365. Any company who has taken part in this mass migration has effectively given up control of its security and communications to the platform, a serious risk given its less savoury users.

Cybercriminals exploiting cloud-based solutions

Rather shockingly, the recently discovered strain of Cerber ransomware, which directly targets Office 365 users, isn’t the only weapon being used by cybercriminals to exploit cloud-based solutions. This year alone has seen hackers release cuteRansomware and Petya, two new strains of ransomware developed specifically to target Google Drive and Dropbox, respectively. The reason for the sudden uptake in ransomware being developed for cloud-based software is simple; as more organisations embrace the cloud, targeting these platforms becomes a focus for cybercriminals.

It has previously been publicly reported that up to 57 per cent of Office 365 users have been targeted by a phishing attempt that included an infected attachment. While the total number of attacks is unclear, the number is likely substantial considering there were approximately 18.2 million Office 365 subscribers at the end of 2016’s first fiscal quarter. It’s important to note this isn’t simply a case of scatter gun attacks – many large enterprises have been hit with highly targeted and sophisticated ransomware attacks, directly.

Watch out for droppers

As the frequency of ransomware attacks targeting Office 365 and other cloud-based platforms increases, the attack process is also changing. Cybercriminals are increasingly using ‘droppers’ in new and innovative ways to bypass traditional perimeter security measures, including Office 365’s seemingly robust proprietary antivirus measures. The dropper can be embedded into the structure of a document, hidden from view of many traditional security technologies, and can typically be hard coded into business files such as PDF, Word, or Excel.

Once the malicious file containing the ‘dropper’ is sent to the target as an attachment, it is accessed by the user and activates – downloading the latest version of the ransomware to the user’s machine through an encrypted session – again, hidden from traditional security technologies. As soon as the ransomware has control of the user’s machine, it makes attempts to spread to the entire business, and seize control of the data stored on its systems.

The response by companies who have been infected with this ransomware is often to pay the person demanding the ransom, as they are too PR-conscious to seek an alternative solution and feel they have no other choice, no one needs a negative headline.

This new and constantly evolving type of ransomware is particularly difficult for companies to defend against. Not only is the Office 365 security not as effective compared to normal malware, but Microsoft’s response has largely been to deny how common these attacks have become. Cybercriminals have so far been successful in staying one step ahead, constantly refining and innovating their ransomware and changing the source to ensure it stays ahead of signature and reputation based security products and services.

Having the right security in place

In order to protect against these growing ransomware attacks, organisations moving to the cloud must ensure that either they or their cloud solutions provider have the proper security infrastructure in place, before the business is migrated.

Organisations that have moved, or are planning a move, to Office 365, need to be prepared to provision their own private cloud with a cybersecurity strategy that will allow the adoption of innovative technologies. Infrastructures the size of Office 365 rarely allow for swift change, or adoption of technologies or services that have a greater impact the sooner they are deployed.

Focussing on Ransomware in particular, and deploying cloud security, staying one step ahead of innovative hackers is to choose a solution not based on traditional perimeter security solutions, but one that ensures only the known good gets through. This can be achieved through breaking file attachments down to byte-level and rebuilding versions with only elements that are known to be safe, and effectively engineering out any potential for bad exploits such as Ransomware ‘droppers’.

With IT departments feeling increasing pressure to reduce costs by migrating to the cloud, it’s crucial that they don’t fall into the trap of being the next victim of a sophisticated ransomware attack, and not assume their email service provider has it covered.

Lewis Henderson, Director, Client Engagement at Glasswall Solutions

Image Credit: hamburg_berlin / Shutterstock