A few months ago, it was reported that Microsoft 365 contains a “potentially dangerous piece of functionality” that allows an attacker to abuse cloud infrastructure and ransom files stored in SharePoint and OneDrive.
Researchers warn that attackers can abuse Microsoft Office 365 functionality to target files stored on SharePoint and OneDrive in ransomware attacks.
Files stored in the auto-save mode and backed up in the cloud, specifically on SharePoint and OneDrive, could be vulnerable to ransom attacks, researchers from Proofpoint said in the report released last week.
“Proofpoint has discovered a potentially dangerous piece of functionality in Office 365 or Microsoft 365 that allows ransomware to encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key from the attacker,” according to researchers.
A description of the attack
The attack chain assumes the worst and starts with an initial compromise of an Office 365 user’s account credentials. From there, the attacker has access to the user’s account, and therefore to all the files that are autosaved or stored in SharePoint or OneDrive.
Normally, the ability to restore a previous version of a file stored online reduces the likelihood of a successful ransomware attack, because an older copy of the file remains in the cloud alongside the latest one. This is a big deal, argues Proofpoint, because cloud backups via Microsoft’s “auto-save” feature have been part of best practices for preventing a ransomware attack: given how many versions of a file OneDrive and SharePoint keep, versioning should reduce the chance of an attack succeeding.
But Proofpoint researchers say these precautions can be overcome if an attacker manages to modify the version limits, allowing the attacker to encrypt all known versions of a file.
“Most OneDrive accounts have a default version limit of 500 [version backups]. An attacker could edit files within a document library 501 times. Now, the original (pre-attacker) version of each file is 501 versions old, and therefore no longer restorable,” researchers wrote. “Encrypt the file(s) after each of the 501 edits. Now all 500 restorable versions are encrypted. Organizations cannot independently restore the original (pre-attacker) version of the files even if they attempt to increase version limits beyond the number of versions edited by the attacker. In this case, even if the version limit was increased to 501 or more, the file(s) saved 501 versions or older cannot be restored,” they wrote.
The tricky part is that once an attacker has compromised a user’s account, they can abuse the versioning mechanism found under the list settings, which affects all the files in the document library. The versioning setting can be modified without administrator privilege; attackers can leverage this either by creating more file versions than the limit keeps, or by reducing the limit and then encrypting the file more times than the limit allows. For instance, if the version limit is reduced to 1, the attacker only needs to encrypt the file twice. “In some cases, the attacker may exfiltrate the unencrypted files as part of a double extortion tactic,” said researchers.
Steps to Secure Microsoft Office 365
Proofpoint recommends users enhance the security measures for their Office 365 accounts by enforcing a strong password policy, enabling multi-factor authentication (MFA), and regularly maintaining an external backup of sensitive data. The researchers also suggested response and investigation strategies that should be implemented if a configuration change happens:
- Increase the restorable versions for the affected document libraries.
- Identify high-risk configurations that have been altered, and accounts that were previously compromised.
- OAuth tokens for any suspicious third-party apps should be revoked immediately.
- Hunt for policy violation patterns across cloud, email, web, and endpoint by any user.
- “Files stored in a hybrid state on both endpoint and cloud such as through cloud sync folders will reduce the impact of this novel risk as the attacker will not have access to the local/endpoint files,” the researchers said in the report. “To perform a full ransom flow, the attacker will have to compromise the endpoint and the cloud account to access the endpoint and cloud-stored files.”
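The two signals worth hunting for, given the attack described above, are a single account editing one file far more often than any human would within a short window (the “edit 501 times” step) and a non-admin user changing a document library’s settings (the version-limit step). The following script is an added example, not Proofpoint’s or Microsoft’s code: it runs both checks over constructed audit records shaped like Office 365 unified audit log entries (fields `CreationTime`, `Operation`, `UserId`, `ObjectId`). The operation names `FileModified` and `ListUpdated`, the tenant URLs and the user names are assumptions for illustration; verify the names against records exported from your own tenant before relying on them.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BASE = datetime(2022, 7, 1, 9, 0, tzinfo=timezone.utc)


def _rec(op, user, obj, minute):
    """Build one constructed audit record as a JSON line (sample data, not real)."""
    t = BASE + timedelta(minutes=minute)
    return json.dumps({"CreationTime": t.strftime("%Y-%m-%dT%H:%M:%S"),
                       "Operation": op, "UserId": user, "ObjectId": obj})


# Assumed tenant paths; contoso is a placeholder, not a real tenant.
DOC_A = "https://contoso-my.sharepoint.com/personal/alice/Documents/budget.xlsx"
DOC_B = "https://contoso-my.sharepoint.com/personal/bob/Documents/contract.docx"
LIB_B = "https://contoso-my.sharepoint.com/personal/bob/Documents"

# Constructed log: alice edits a file a few times over a day (benign);
# bob's account changes its library settings, then edits one file 60 times
# inside an hour, the pattern of the version-exhaustion attack.
SAMPLE_LOG = (
    [_rec("FileModified", "alice@contoso.example", DOC_A, m) for m in (0, 30, 120, 400)]
    + [_rec("ListUpdated", "bob@contoso.example", LIB_B, -5)]
    + [_rec("FileModified", "bob@contoso.example", DOC_B, m) for m in range(60)]
)


def parse_records(lines):
    """Parse JSON-lines audit records and convert CreationTime to aware datetimes."""
    out = []
    for line in lines:
        r = json.loads(line)
        r["CreationTime"] = datetime.strptime(
            r["CreationTime"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        out.append(r)
    return out


def find_version_exhaustion(records, threshold=50, window=timedelta(hours=1)):
    """Return {(user, object): peak edit count} for every user/file pair whose
    FileModified events reach `threshold` inside any `window`.

    The threshold is deliberately far below the 500-version default so the
    pattern is caught long before the original version ages out.
    """
    times = defaultdict(list)
    for r in records:
        if r["Operation"] == "FileModified":
            times[(r["UserId"], r["ObjectId"])].append(r["CreationTime"])
    hits = {}
    for key, ts in times.items():
        ts.sort()
        best, start = 0, 0
        # Sliding window over sorted timestamps: widest span <= window.
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = best
    return hits


def find_library_setting_changes(records):
    """List (user, library, time) for every document-library settings change.

    Assumption: the change surfaces as a ListUpdated operation. Each hit is a
    candidate for the 'high-risk configuration altered' review step.
    """
    return [(r["UserId"], r["ObjectId"], r["CreationTime"])
            for r in records if r["Operation"] == "ListUpdated"]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for (user, obj), n in find_version_exhaustion(recs).items():
        print(f"version exhaustion suspected: {user} edited {obj} {n} times in one hour")
    for user, lib, when in find_library_setting_changes(recs):
        print(f"library settings changed: {user} on {lib} at {when.isoformat()}")
```

On the constructed sample only bob’s account trips both checks; alice’s four edits spread over a day never reach the threshold. A real deployment would feed `parse_records` the JSON exported from the tenant’s audit log and correlate the two hit lists by user, since a settings change followed by a burst of edits on the same library is exactly the sequence the report describes.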