Posted on June 17, 2022 at 6:23 PM
Ransomware hackers could exploit a feature in the Microsoft 365 suite to hold files hostage. The “dangerous piece of functionality” could be abused by malicious actors to ransom files stored on OneDrive and SharePoint. The same feature could be used to launch attacks on cloud infrastructure.
Ransomware hackers plan to hold cloud files hostage
Hackers are always looking for new ways to exploit online features to gain entry to user files and use them to launch attacks such as ransomware. A recent report from Proofpoint describes a cloud ransomware technique in which file-encrypting malware could open the door to a wide range of malicious attacks.
The report released on June 16 said that the malware can “encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key from the attacker.”
According to the company, the infection sequence can be carried out through a combination of different features, including command-line interface (CLI) scripts, Microsoft APIs, and PowerShell scripts.
The attack mainly revolves around a feature of Microsoft 365 known as AutoSave. This feature keeps copies of older file versions whenever a user changes a file stored on SharePoint Online or OneDrive.
The attackers start the exploit by gaining unauthorized access to the user’s SharePoint Online or OneDrive account. They then use that access to exfiltrate the files and to carry out the attack on them.
The attackers gain access to these user files through three main methods. These include a direct breach of the user’s account through brute force attacks or phishing, infiltrating the web session of a user that has already logged into the platform, or manipulating a user to authorize a malicious third-party OAuth application.
However, these attacks also differ from traditional ransomware activity. In the encryption phase, each file held hostage on SharePoint Online or OneDrive is encrypted more times than the library’s permitted versioning limit allows.
Microsoft noted that “some organizations allow unlimited versions of files and others apply limitations. You might discover, after checking in the latest version of a file, that an old version is missing. If your most recent version is 101.0 and you notice that there is no longer a version 1.0, it means that the administrator configured the library to allow only 100 major versions of a file.”
The attacker leverages the access to the account either to create several versions of each file or to reduce the version limit of the document library to a low number such as 1 before encrypting every file twice.
The researchers added, “Now all original (pre-attacker) versions of the files are lost, leaving only the encrypted versions of each file in the cloud account. At this point, the attacker can ask for ransom from the organization.”
Microsoft responds to the exploit
Microsoft responded to the report on this exploit, saying that Microsoft Support could be brought in to recover and restore the older versions of files for an additional 14 days. However, the Proofpoint researchers said that this process was not successful.
“This technique requires a user to have already been fully compromised by an attacker. We encourage our customers to practice safe computing habits, including exercising caution when clicking on links to webpages, opening unknown file attachments, or accepting file transfers,” said a Microsoft spokesperson.
Users are advised to adopt safe internet practices to ensure they do not fall victim to these attacks. This includes setting a strong password and enabling multi-factor authentication to prevent unauthorized access to their accounts. Preventing large data downloads to unmanaged devices and maintaining periodic backups of cloud files that contain sensitive information will prevent such attacks from happening again.
Microsoft also urged its users to explore the OneDrive ransomware detection feature. The feature notifies Microsoft 365 users of any potential attacks and allows victims to restore the affected files. The tech giant also urged businesses to restrict access by blocking or limiting access to SharePoint and OneDrive content from unmanaged devices.
According to the Proofpoint researchers, “Files stored in a hybrid state on both endpoint and cloud such as through cloud sync folders will reduce the impact of this novel risk as the attacker will not have access to the local/endpoint files. To perform a full ransom flow, the attacker will have to compromise the endpoint and the cloud account to access the endpoint and cloud-stored files.”
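To make the versioning mechanics described above concrete, and to show the defender's side of the recommendations that follow (backups and copies the cloud account cannot reach), here is an added Python model. It is not Proofpoint's tooling and does not use any Microsoft API; the document library, its audit events and the file names are constructed for this illustration. Following the Microsoft quote above, the model assumes that the version limit counts the current version and that surplus versions are trimmed when a new version is saved. It generalizes the article's "reduce the limit to 1, then overwrite twice" case to the rule it rests on: the original is gone once a file has been re-saved at least as many times as the library retains versions.

```python
"""Toy model of a versioned cloud document library.

Constructed for this article; it is not SharePoint's or OneDrive's real API or
audit schema.  It shows why version history stops being a safety net once a
file is overwritten more times than the library retains, why a lowered
retention limit makes that cheap, what a defender can look for in an audit
trail, and why an out-of-band backup survives the whole sequence.
"""
from collections import Counter


class DocumentLibrary:
    """Keeps at most `major_versions` versions per file, current one included
    (a 100-version library keeps 2.0..101.0, as in the Microsoft quote).
    Surplus versions are trimmed when a new version is saved (model assumption)."""

    def __init__(self, major_versions):
        if major_versions < 1:
            raise ValueError("a library must retain at least the current version")
        self.major_versions = major_versions
        self.files = {}    # name -> list of version contents, oldest first
        self.audit = []    # constructed audit trail: (event, detail) tuples

    def set_version_limit(self, new_limit):
        self.audit.append(("VersionLimitChanged",
                           {"old": self.major_versions, "new": new_limit}))
        self.major_versions = new_limit

    def save(self, name, content):
        versions = self.files.setdefault(name, [])
        versions.append(content)
        del versions[:-self.major_versions]   # drop the oldest beyond the limit
        self.audit.append(("FileModified", {"name": name}))

    def has_version(self, name, content):
        return content in self.files.get(name, [])


ORIGINAL = b"quarterly figures (constructed sample content)"


def build_scenario(limit, overwrites, lowered_limit=None):
    """One file saved once, then re-saved `overwrites` times with unreadable
    content, optionally after the retention limit has been lowered."""
    lib = DocumentLibrary(limit)
    lib.save("report.docx", ORIGINAL)
    if lowered_limit is not None:
        lib.set_version_limit(lowered_limit)
    for i in range(overwrites):
        lib.save("report.docx", b"unreadable-%d" % i)
    return lib


def original_survives(lib):
    """True if the pre-overwrite content is still somewhere in version history."""
    return lib.has_version("report.docx", ORIGINAL)


def detect_version_exhaustion(lib):
    """Audit-trail checks a defender can run: a lowered retention limit, and
    any file modified more times than the library now retains versions."""
    findings = []
    for event, detail in lib.audit:
        if event == "VersionLimitChanged" and detail["new"] < detail["old"]:
            findings.append("retention lowered from %d to %d"
                            % (detail["old"], detail["new"]))
    mods = Counter(d["name"] for e, d in lib.audit if e == "FileModified")
    for name, count in mods.items():
        if count > lib.major_versions:
            findings.append("%s modified %d times, exceeding the %d-version history"
                            % (name, count, lib.major_versions))
    return findings


def snapshot(lib):
    """Out-of-band copy (a scheduled backup or a synced endpoint folder) that the
    compromised cloud account cannot modify or trim."""
    return {name: versions[-1] for name, versions in lib.files.items()}


def restore(lib, backup):
    """Write the backed-up content back as the newest version of each file."""
    for name, content in backup.items():
        lib.save(name, content)


if __name__ == "__main__":
    normal = build_scenario(100, 5)                      # ordinary editing
    print("normal editing, original kept:", original_survives(normal))
    print("findings:", detect_version_exhaustion(normal))

    attack = build_scenario(500, 2, lowered_limit=1)     # the article's case
    print("limit lowered to 1, two overwrites, original kept:",
          original_survives(attack))
    print("findings:", detect_version_exhaustion(attack))

    lib = build_scenario(500, 0)
    backup = snapshot(lib)                               # taken before the incident
    lib.set_version_limit(1)
    lib.save("report.docx", b"unreadable-0")
    lib.save("report.docx", b"unreadable-1")
    restore(lib, backup)
    print("restored from backup:", original_survives(lib))
```

The detection rule is deliberately simple: in a real tenant the modification count would be evaluated over a time window and per actor, but the two signals it keys on, a lowered retention setting and per-file modification bursts that exceed the retained history, are the ones this technique cannot avoid producing.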