Researchers are now warning attackers can abuse Microsoft Office 365 functionality to target files stored on SharePoint & OneDrive in ransomware attacks.
A reported “potentially dangerous piece of functionality” allows an attacker to launch an attack on clo -ud infrastructure & ransom files stored in SharePoint & OneDrive.
Those files, stored via “auto-save” & backed-up in the cloud, typically leave & users with the impression data is shielded from a ransomware attack.
However, researchers say that is not always the case & files stored on SharePoint & OneDrive can be vulnerable to a ransomware attack.
The research comes from Proofpoint, which lays out what it says is “potentially dangerous piece of functionality” in a report released last week.
“Proofpoint has discovered a potentially dangerous piece of functionality in Office 365 or Microsoft 365 that allows ransomware to encrypt files stored on SharePoint & OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key from the attacker,” according to researchers.
How the Attack Chain Works
The attack chain assumes the worst & starts with an initial compromise of an Office 365 user’s account credentials. This leads to an account takeover, then discovery of data within the SharePoint & OneDrive environment & eventually a breach of data & ransomware attack.
Why this is significant, argues Proofpoint, is that tools such as cloud backups via Microsoft’s “auto-save” feature have been part of a best-practices for preventing a ransomware attack. Should data be locked-up on an endpoint, there would be a cloud backup to restore from.
Reduces the Damage
Configuring how many versions of a file is save in on OneDrive & SharePoint further reduces the damage an attack. The likelihood of & adversary encrypting previous versions of a file stored online reduces the likelihood of a successful ransomware attack.
Proofpoint says these precautions can be ‘sidestepped’ via an attacker modifying versioning limits, which allows an attacker to encrypt all known versions of a file.
Default Version Limit
“Most OneDrive accounts have a default version limit of 500 [version backups]. An attacker could edit files within a document library 501 times. Now, the original pre-attacker version of each file is 501 versions old, & therefore no longer restorable,” researchers wrote.
“Encrypt the files after each of the 501 edits. Now all 500 restorable versions are encrypted.
Organisations cannot independently restore the original (pre-attacker) version of the files even if they attempt to increase version limits beyond the number of versions edited by the attacker. In this instance, even if the version limit was increased to 501 or more, the files saved 501 versions or older cannot be restored,” they wrote.
An adversary with access to compromised accounts can abuse the versioning mechanism found under the list settings & affects all the files in the document library.
The versioning setting can be modified without requiring administrator privilege, an attacker can use this by creating too many versions of a file or encrypting the file more than the versioning limit.
For example, if the reduced version limit is set to 1 then the attacker encrypts the file twice. “In some cases, the attacker may exfiltrate the unencrypted files as part of a double extortion tactic, ” stated researchers
When asked, Microsoft commented “the configuration functionality for versioning settings within lists is working as intended,” according to Proofpoint. It added “older versions of files can be potentially recovered & restored for an extra 14 days with the assistance of Microsoft Support,” researchers quote Microsoft.
Researchers countered in a statement: “Proofpoint attempted to retrieve & restore old versions through this process (i.e., with Microsoft Support) & was not successful. 2nd, even if the versioning settings configuration workflow is as intended, Proofpoint has shown that it can be abused by attackers towards cloud ransomware aims.”
Secure Microsoft Office 365
Proofpoint recommends users fortify their Office 365 accounts by enforcing a strong password policy, enabling multi-factor authentication (MFA), & regularly maintaining the external backup of sensitive data.
The researcher also suggested the ‘response & investigation strategies’ that should be implemented if a change in configuration is triggered.
- Increase the restorable versions for the affected document libraries.
- Identify the high-risk configuration that is altered & previously compromised accounts.
- OAuth tokens for any suspicious 3rd-party apps should be revoked immediately.
- Hunt for policy violation patterns across cloud, email, web, & endpoint by any user.
“Files stored in a hybrid state on both endpoint & cloud such as through cloud sync folders will reduce the impact of this novel risk as the attacker will not have access to the local/endpoint files,” the researchers commented.
“To perform a full ransom flow, the attacker will have to compromise the endpoint & the cloud account to access the endpoint & cloud-stored files.”