June 17, 2022

A Microsoft Office 365 feature could help ransomware hackers hold cloud files hostage

A “dangerous piece of functionality” has been discovered in the Microsoft 365 suite that could potentially be abused by a malicious actor to ransom files stored on SharePoint and OneDrive and launch attacks on cloud infrastructure.

The cloud ransomware attack makes it possible to launch file-encrypting malware to “encrypt files stored on SharePoint and OneDrive in a way that renders them unrecoverable without special backups or a decryption key from the attacker,” Proofpoint said in a report published today.

The infection chain can be executed using a combination of Microsoft APIs, command-line interface (CLI) scripts and PowerShell scripts, the enterprise security firm added.

At its core, the attack relies on a Microsoft 365 feature called AutoSave that creates copies of older file versions when users make edits to a file stored on OneDrive or SharePoint Online.

It starts with gaining unauthorized access to a target user’s SharePoint Online or OneDrive account, followed by misuse of the access to exfiltrate and encrypt files. The three most common ways to get the first foot in the door are directly penetrating the account via phishing or brute-force attacks, tricking a user into authorizing a rogue third-party OAuth application, or taking over the web session of a logged-in user.

But where this attack differs from traditional endpoint ransomware activity is that the encryption phase requires every file on SharePoint Online or OneDrive to be encrypted more times than the allowed versioning limit.

Source: Proofpoint

Microsoft elaborates on the version behavior in its documentation as follows:

Some organizations allow unlimited versions of files and others apply restrictions. You may discover, after checking the latest version of a file, that an old version is missing. If your most recent version is 101.0 and you notice that there is no more version 1.0, it means that the administrator has configured the library to allow only 100 primary versions of a file. The addition of the 101st version causes the first version to be removed. Only versions 2.0 through 101.0 remain. Similarly, if a 102nd version is added, only versions 3.0 through 102.0 remain.

Using the account access, an attacker could either create too many versions of a file or lower the version limit of a document library to a low number, such as “1”, and then proceed to encrypt each file twice.

“Now all the original (pre-attacker) versions of the files are lost, leaving only the encrypted versions of each file in the cloud account,” the researchers explained. “At this point, the attacker can demand a ransom from the organization.”

In response to the findings, Microsoft pointed out that older versions of files can potentially be recovered and restored for an additional 14 days with the help of Microsoft Support, a process Proofpoint found to be unsuccessful.

A Microsoft spokesperson told The Hacker News, “This technique requires that a user has already been fully compromised by an attacker. We encourage our customers to practice safe computing habits, including caution when clicking links to web pages, opening unknown file attachments or accepting file transfers.”

To mitigate such attacks, it is recommended to enforce strong password policies, require multi-factor authentication (MFA), prevent large-scale data downloads to unmanaged devices, and maintain periodic external backups of cloud files containing sensitive data.
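Because the technique described above depends on a document library's version limit being driven down (or overrun), one setting an administrator can check routinely is that limit itself. The script below is an added example, not code from the article, Proofpoint or Microsoft; it assumes the PnP.PowerShell module is installed, and `$SiteUrl` and `$MinMajorVersions` are placeholders the operator supplies.

```powershell
# Added example (not from the article): flag SharePoint Online document
# libraries whose versioning is disabled or whose major-version limit sits
# below the organization's policy floor, using PnP PowerShell.
param(
    [Parameter(Mandatory)] [string] $SiteUrl,      # placeholder, e.g. https://contoso.sharepoint.com/sites/finance
    [int] $MinMajorVersions = 100                  # assumption: policy floor chosen by the operator
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# BaseTemplate 101 = document library; skip hidden system lists.
$libraries = Get-PnPList -Includes EnableVersioning, MajorVersionLimit, BaseTemplate, Hidden |
    Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }

$findings = foreach ($lib in $libraries) {
    $status = if (-not $lib.EnableVersioning) {
        'VersioningDisabled'                       # no prior versions retained at all
    } elseif ($lib.MajorVersionLimit -lt $MinMajorVersions) {
        'LimitBelowPolicy'                         # few versions needed to push originals out
    } else {
        'OK'
    }
    [pscustomobject]@{
        Library           = $lib.Title
        VersioningEnabled = $lib.EnableVersioning
        MajorVersionLimit = $lib.MajorVersionLimit
        Status            = $status
    }
}

$findings | Format-Table -AutoSize
$findings | Where-Object { $_.Status -ne 'OK' } | ForEach-Object {
    Write-Warning "$($_.Library): $($_.Status) (limit=$($_.MajorVersionLimit))"
}
```

This is a point-in-time configuration check only; a limit that was lowered and then restored will not show up here, so pair it with external backups and audit-log review of library setting changes.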

For its part, the tech giant further drew attention to a OneDrive ransomware detection feature that notifies Microsoft 365 users of a possible attack and allows victims to recover their files. Microsoft also encourages business users to use conditional access to block or limit access to SharePoint and OneDrive content from unmanaged devices.

“Files stored in a hybrid state on both endpoint and cloud, such as via cloud sync folders, will reduce the impact of this new risk because the attacker will not have access to the local/endpoint files,” the researchers said. “To execute a full ransomware, the attacker must compromise the endpoint and cloud account to gain access to the endpoint and files stored in the cloud.”

Source: thehackernews
