cuteRansomware leverages Google Docs to avoid detection

A new strain of ransomware dubbed cuteRansomware uses a Google Doc to host the decryption key and its command-and-control features.

A recently discovered strain of ransomware, dubbed cuteRansomware, shows that your enterprise isn’t the only one thinking about the transition to the cloud: modern hackers love the cloud too. cuteRansomware was discovered by the security firm Netskope, which has observed an increase in the number of malware samples using cloud apps as a delivery mechanism.

Most ransomware has a Command and Control (C&C) structure and a location for hosting the decryption key. For this Chinese-modified malware, Google Docs serves precisely as that location.

“Netskope has detected and reported on an increase in cloud apps as a delivery mechanism for ransomware, particularly in obfuscated JavaScript as well as Microsoft Word documents using macro functions,” states Netskope.

A few months ago, experts from Netskope noticed that a user with the GitHub account “aaaddress1” had published the source code of a C#-based ransomware module called “my-Little-Ransomware.” The malware became popular and others began reusing it. A security researcher at AVG spotted a maliciously modified Chinese version of my-Little-Ransomware and dubbed it “cuteRansomware” because of the mutex name used by the original author.

Though basic in nature, it proves hard to track because Google Docs transfers data over HTTPS, so the traffic is hard to spot with basic endpoint security and perimeter controls such as firewalls, intrusion detection systems, intrusion prevention systems and even next-generation firewalls.

“Moreover, the use of a popular cloud app like Google Docs presents another challenge. For organizations using Google Docs as a productivity tool, it’s virtually impossible to block it outright. To prevent this ransomware from using Google Docs, you need to be able to selectively block the specific app instance associated with this ransomware while allowing your sanctioned instance of Google Docs to continue working,” continues Netskope.

Let’s state why cuteRansomware represents a problem:

  • Lack of visibility into SSL/TLS-encrypted traffic, which is how Google Docs is reached.
  • Tools used heavily across organizations, such as Google Docs, are hard to block outright, so productivity would suffer.
  • Cloud service providers will need to monitor their products for abuse.
  • Today it’s Google Docs, tomorrow it could be Office 365; Microsoft’s Office 365 is an even more widely preferred SaaS tool among companies.
  • Cyber actors will now move to the cloud for C&C and for hosting other attacks.
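As an added illustration of the selective-blocking point above (this is not code from the article, Netskope or AVG), a small Python hunting script that reads constructed proxy-log lines and flags Google Docs traffic coming from a non-browser client or posted outside a sanctioned Google account domain; the log format, the watched host list and the `corp.example` domain are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log (not from the article): time, source host, method, URL, quoted
# user-agent, and the Google account domain seen by an SSL-inspecting proxy ("-" if none).
SAMPLE_LOG = """\
2016-07-12T10:01:02Z ws-042 POST https://docs.google.com/forms/d/e/FORM-A/formResponse "Mozilla/5.0 (Windows NT 6.1) Chrome/51.0" corp.example
2016-07-12T10:01:30Z ws-042 POST https://docs.google.com/forms/d/e/FORM-B/formResponse "-" -
2016-07-12T10:02:11Z ws-017 GET https://docs.google.com/document/d/DOC-C/edit "Mozilla/5.0 (Windows NT 10.0) Firefox/47.0" corp.example
2016-07-12T10:03:45Z ws-099 POST https://docs.google.com/forms/d/e/FORM-D/formResponse "Mozilla/5.0 (Windows NT 6.1) Chrome/51.0" personal.example
2016-07-12T10:04:00Z ws-017 GET https://www.example.org/ "Mozilla/5.0 (Windows NT 10.0) Firefox/47.0" -
"""

WATCHED_HOSTS = {"docs.google.com", "drive.google.com"}  # assumption: hosts to watch
SANCTIONED_ACCOUNT_DOMAINS = {"corp.example"}             # assumption: the org's own Google Apps domain

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)" (\S+)$')

def parse_line(line):
    # Split one log line into fields; return None for malformed lines.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, url, ua, account = m.groups()
    return {"ts": ts, "src": src, "method": method, "url": url,
            "host": urlsplit(url).hostname or "", "ua": ua, "account": account}

def looks_like_browser(ua):
    """Coarse check: interactive browsers send Mozilla/ plus a product token."""
    return ua.startswith("Mozilla/") and any(
        t in ua for t in ("Chrome/", "Firefox/", "Safari/", "Trident/", "Edge/"))

def classify(rec):
    """Reasons this Google Docs request deserves a look (empty list if none)."""
    reasons = []
    if rec["host"] not in WATCHED_HOSTS:
        return reasons
    if not looks_like_browser(rec["ua"]):
        reasons.append("non-browser client talking to Google Docs")
    if rec["method"] == "POST" and rec["account"] not in SANCTIONED_ACCOUNT_DOMAINS:
        reasons.append("POST to Google Docs outside the sanctioned app instance")
    return reasons

def scan(log_text):
    """Return (source host, url, reasons) for every flagged record."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (reasons := classify(rec)):
            findings.append((rec["src"], rec["url"], reasons))
    return findings
```

Traffic from the sanctioned instance through a real browser passes silently; the two flagged lines are hunting leads for the analyst, not an automatic block.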

Tough days ahead

In June, Martin Lee, the technical lead of Cisco’s Talos Security Intelligence and Research Group, commented that malware is “taking kidnap and moving it to the 21st century.” An apt analogy, considering that the threat landscape is truly evolving.

About the Author: Joshua Bahirvani

Joshua Bahirvani: Cyber Security Enthusiast and believer in Privacy in this Digital Age.

LinkedIn : https://in.linkedin.com/in/jbahirvani15

Peerlyst: https://www.peerlyst.com/users/joshua-bahirvani

Twitter : @B15joshua

Medium : @jbahirvani15

Pierluigi Paganini

(Security Affairs – cuteRansomware, cybercrime)