Researchers are warning that attackers can abuse Microsoft Office 365 functionality to target files stored on SharePoint and OneDrive in ransomware attacks.
Those files, stored via “auto-save” and backed up in the cloud, typically leave end users with the impression that the data is shielded from a ransomware attack. However, researchers say that is not always the case, and files stored on SharePoint and OneDrive can be vulnerable to a ransomware attack.
The research comes from Proofpoint, which lays out what it says is a “potentially dangerous piece of functionality” in a report released last week.
“Proofpoint has discovered a potentially dangerous piece of functionality in Office 365 or Microsoft 365 that allows ransomware to encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key from the attacker,” according to researchers.
How the Attack Chain Works
The attack chain assumes the worst and starts with an initial compromise of an Office 365 user’s account credentials. This leads to an account takeover, then discovery of data within the SharePoint and OneDrive environment and eventually a breach of data and ransomware attack.
Why this is a big deal, argues Proofpoint, is that tools such as cloud backups via Microsoft’s “auto-save” feature have been part of best practices for preventing a ransomware attack. Should data be locked up on an endpoint, there would be a cloud backup to save the day. Configuring how many versions of a file are saved on OneDrive and SharePoint further reduces the damage from an attack: because an adversary is unlikely to be able to encrypt the previous versions of a file stored online, the odds of a successful ransomware attack drop.
Proofpoint says these precautions can be sidestepped via an attacker modifying versioning limits, which allows an attacker to encrypt all known versions of a file.
“Most OneDrive accounts have a default version limit of 500 [version backups]. An attacker could edit files within a document library 501 times. Now, the original (pre-attacker) version of each file is 501 versions old, and therefore no longer restorable,” researchers wrote. “Encrypt the file(s) after each of the 501 edits. Now all 500 restorable versions are encrypted. Organizations cannot independently restore the original (pre-attacker) version of the files even if they attempt to increase version limits beyond the number of versions edited by the attacker. In this case, even if the version limit was increased to 501 or more, the file(s) saved 501 versions or older cannot be restored,” they wrote.
An adversary with access to compromised accounts can abuse the versioning mechanism found under the list settings, which affects all the files in the document library. Because the versioning setting can be modified without administrator privileges, an attacker can exploit it either by creating more versions of a file than the limit retains or by encrypting the file more times than the versioning limit. For instance, if the version limit is reduced to 1, the attacker encrypts the file twice. “In some cases, the attacker may exfiltrate the unencrypted files as part of a double extortion tactic,” said researchers.
When asked, Microsoft commented that “the configuration functionality for versioning settings within lists is working as intended,” according to Proofpoint. Microsoft added that “older versions of files can be potentially recovered and restored for an additional 14 days with the assistance of Microsoft Support,” the researchers quoted.
Researchers countered in a statement: “Proofpoint attempted to retrieve and restore old versions through this process (i.e., with Microsoft Support) and was not successful. Secondly, even if the versioning settings configuration workflow is as intended, Proofpoint has shown that it can be abused by attackers towards cloud ransomware aims.”
Steps to Secure Microsoft Office 365
Proofpoint recommends users fortify their Office 365 accounts by enforcing a strong password policy, enabling multi-factor authentication (MFA), and regularly maintaining external backups of sensitive data.
The researchers also suggested ‘response and investigation strategies’ that should be implemented if a configuration change is triggered.
- Increase the restorable versions for the affected document libraries.
- Identify the high-risk configuration that was altered and any previously compromised accounts.
- OAuth tokens for any suspicious third-party apps should be revoked immediately.
- Hunt for policy violation patterns across cloud, email, web, and endpoint by any user.
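The two signals a defender can hunt for from the attack chain described above are a document library whose version limit is suddenly lowered, and a single account rewriting the same file more times than that library retains versions (the “501 edits against a limit of 500” or “two edits against a limit of 1” pattern). The detector below is an added example, not Proofpoint’s or Microsoft’s code. It runs over a constructed, simplified record layout loosely modelled on Microsoft 365 unified audit log entries (Operation, UserId, ObjectId, CreationTime); the ListUpdated records carrying a VersionLimit field are an assumption made so the limit change is visible to the logic, and the sample records are constructed, not real log data.

```python
"""Hunt for SharePoint/OneDrive version-limit abuse in audit-style records.

Added example, not code from the report or from Microsoft. The record schema
is a constructed simplification of unified audit log entries; the
"VersionLimit" field on ListUpdated records is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data); times are ISO-8601 UTC.
SAMPLE_RECORDS = [
    # Benign: HR library keeps the common default of 500 versions.
    {"CreationTime": "2022-06-20T08:00:00", "Operation": "ListUpdated",
     "UserId": "bob@contoso.example", "ObjectId": "sites/hr/Shared Documents",
     "VersionLimit": 500},
    # Suspicious: finance library's version limit dropped to 1 ...
    {"CreationTime": "2022-06-20T09:00:00", "Operation": "ListUpdated",
     "UserId": "alice@contoso.example", "ObjectId": "sites/finance/Shared Documents",
     "VersionLimit": 1},
    # ... followed by the same account rewriting one file twice (limit + 1).
    {"CreationTime": "2022-06-20T09:00:05", "Operation": "FileModified",
     "UserId": "alice@contoso.example",
     "ObjectId": "sites/finance/Shared Documents/budget.xlsx"},
    {"CreationTime": "2022-06-20T09:00:09", "Operation": "FileModified",
     "UserId": "alice@contoso.example",
     "ObjectId": "sites/finance/Shared Documents/budget.xlsx"},
    # A single edit never exceeds a limit of 1, so this one is not flagged.
    {"CreationTime": "2022-06-20T09:00:12", "Operation": "FileModified",
     "UserId": "alice@contoso.example",
     "ObjectId": "sites/finance/Shared Documents/forecast.pptx"},
    # Two ordinary edits against a 500-version library: normal activity.
    {"CreationTime": "2022-06-20T09:10:00", "Operation": "FileModified",
     "UserId": "bob@contoso.example",
     "ObjectId": "sites/hr/Shared Documents/handbook.docx"},
    {"CreationTime": "2022-06-20T09:12:00", "Operation": "FileModified",
     "UserId": "bob@contoso.example",
     "ObjectId": "sites/hr/Shared Documents/handbook.docx"},
]


def parse_time(ts):
    """Parse the ISO-8601 timestamp used by the sample records."""
    return datetime.fromisoformat(ts)


def find_limit_reductions(records, floor=10):
    """Return ListUpdated records that set a version limit below `floor`.

    A sharply lowered limit is the precondition for the attack, so it is
    worth an alert on its own, before any file is touched.
    """
    return [r for r in records
            if r["Operation"] == "ListUpdated"
            and r.get("VersionLimit") is not None
            and r["VersionLimit"] < floor]


def effective_limit(path, at, limit_events, default=500):
    """Version limit in force for `path` at time `at`.

    The latest ListUpdated record at or before `at` whose library path
    prefixes the file path wins; otherwise the default applies.
    """
    limit = default
    for ev in sorted(limit_events, key=lambda r: r["CreationTime"]):
        library = ev["ObjectId"].rstrip("/") + "/"
        if parse_time(ev["CreationTime"]) <= at and path.startswith(library):
            limit = ev["VersionLimit"]
    return limit


def find_version_churn(records, window=timedelta(hours=1), default_limit=500):
    """Flag (user, file) pairs whose edits within `window` exceed the limit.

    Once one account has written a file more times than the library retains
    versions, every restorable version is attacker-written, which is exactly
    the condition the report describes (limit 500 -> 501 edits, limit 1 -> 2).
    """
    limit_events = [r for r in records
                    if r["Operation"] == "ListUpdated" and "VersionLimit" in r]
    mods = defaultdict(list)
    for r in records:
        if r["Operation"] == "FileModified":
            mods[(r["UserId"], r["ObjectId"])].append(parse_time(r["CreationTime"]))

    alerts = []
    for (user, path), times in mods.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over edit times
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            limit = effective_limit(path, times[end], limit_events, default_limit)
            if count > limit:                   # strictly more edits than retained versions
                alerts.append({"user": user, "file": path, "edits": count,
                               "limit": limit, "last_edit": times[end].isoformat()})
                break                           # one alert per (user, file) is enough
    return alerts


if __name__ == "__main__":
    for hit in find_limit_reductions(SAMPLE_RECORDS):
        print("version limit lowered:", hit["UserId"], hit["ObjectId"], hit["VersionLimit"])
    for hit in find_version_churn(SAMPLE_RECORDS):
        print("version churn exceeds limit:", hit)
```

Both checks are cheap enough to run over an exported audit log, and together they also cover the response steps listed above: the limit-reduction hit names the library whose restorable versions should be raised, and the churn hit names the account to treat as compromised.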
“Files stored in a hybrid state on both endpoint and cloud such as through cloud sync folders will reduce the impact of this novel risk as the attacker will not have access to the local/endpoint files,” the researchers said. “To perform a full ransom flow, the attacker will have to compromise the endpoint and the cloud account to access the endpoint and cloud-stored files.”