Security firm Proofpoint has uncovered what it calls a “potentially dangerous piece of functionality” in Microsoft Office 365 that allows ransomware to encrypt files stored on SharePoint and OneDrive in a way that renders them unrecoverable without dedicated backups or a decryption key from the attacker.
Ransomware attacks have traditionally targeted data on endpoints or network drives.
How the attack works
SharePoint and OneDrive are two of the most popular enterprise cloud apps. Once executed, the attack encrypts the files in the compromised users’ accounts. Similar to any endpoint ransomware activity, those files can only be recovered with decryption keys.
These actions can be automated using Microsoft APIs, command-line interface (CLI) scripts and PowerShell scripts, Proofpoint said.
- Initial Access: Gain access to one or more users’ SharePoint Online or OneDrive accounts by compromising or hijacking users’ identities.
- Account Takeover & Discovery: The attacker now has access to any file owned by the compromised user or controlled by the third-party OAuth application (which would include the user’s OneDrive account as well).
- Collection & Exfiltration: Reduce the versioning limit of the document library to a low number such as 1, to keep it easy, then encrypt each file more times than the versioning limit, in this case twice. This step is unique to cloud ransomware compared to the attack chain for endpoint-based ransomware. In some cases, the attacker may exfiltrate the unencrypted files as part of a double extortion tactic.
- Monetization: Now all original (pre-attacker) versions of the files are lost, leaving only the encrypted versions of each file in the cloud account. At this point, the attacker can ask for a ransom from the organization.
Attackers can modify list settings in containers inside SharePoint, OneDrive
A list is a Microsoft web part that stores content such as tasks, calendars, issues, photos, files, etc. within SharePoint Online. OneDrive accounts are mostly used to store documents. Document library is the term most associated with OneDrive, Proofpoint said.
A document library is a special type of list on a SharePoint site or OneDrive account where documents can be uploaded, created, updated and collaborated on with team members.
The version settings for lists and document libraries are both found under list settings. In the previously described cloud ransomware attack chain, it would be during the collection and exfiltration step that the attacker would modify the list settings. This would affect all files contained within that document library, Proofpoint said.
Document library versioning mechanism
Every document library in SharePoint Online and OneDrive has a user-configurable setting for the number of saved versions, which the site owner can change, regardless of their other roles. They don’t need to hold an administrator role or associated privileges. This is found within the versioning settings under list settings for each document library.
“By design, when you reduce the document library version limit, any further changes to the files in the document library will result in older versions becoming very hard to restore,” the company said.
“There are two ways to abuse the versioning mechanism to achieve malicious aims – either by creating too many versions of a file or by reducing the version limits of a document library.”
Most common attack paths
Proofpoint said the three most common paths attackers would take to gain access to one or more users’ SharePoint Online or OneDrive accounts are:
- Account compromise: Directly compromising the users’ credentials to their cloud account(s) through phishing, brute force attacks, and other credential compromise tactics
- Third-party OAuth applications: Tricking a user to authorize third-party OAuth apps with application scopes for SharePoint or OneDrive access
- Hijacked sessions: Either hijacking the web session of a logged-in user or hijacking a live API token for SharePoint Online and/or OneDrive
How to secure Office 365
There are a number of steps Proofpoint recommends users take to shore up their Office 365 accounts. They include improving security hygiene around ransomware and updating disaster recovery and data backup policies to reduce the losses in the event ransomware is discovered.
“Ideally, complete external backups of cloud files with sensitive data on a regular basis,” the company said. “Don’t rely only on Microsoft to provide backups through versioning of document libraries.”
If risky configuration change detectors are triggered:
- Increase restorable versions for the affected document libraries in your Microsoft 365 or Office 365 settings immediately
- Identify whether there were any previous account compromise or risky configuration change alerts for this Office 365 account
- Hunt for suspicious third-party app activity. If found, revoke OAuth tokens for malicious or unused third-party apps in the environment
- Identify if the user showcased previous out-of-policy behavior patterns across cloud, email, web, and endpoint (negligence with sensitive data, risky data manipulation, and risky OAuth app actions)
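The versioning mechanism described under “Document library versioning mechanism” and the first response step above (raise the restorable versions on affected libraries) can both be handled from the site owner’s side with PnP PowerShell. The script below is an added example, not code from Proofpoint or TechRepublic: it audits every document library in one SharePoint Online site (or a OneDrive site, which is a SharePoint site under the hood) for versioning being disabled or for a low major-version limit, and raises the limit only when run with -Remediate. It assumes the PnP.PowerShell module is installed and that the caller is an owner of the site; the site URL, the threshold of 100 and the target of 500 are placeholders chosen for the example.

```powershell
# Added example: audit and remediate low document-library version limits on one site.
# Assumes PnP.PowerShell is installed (Install-Module PnP.PowerShell) and the caller
# owns the site. -SiteUrl, -MinimumVersions and -TargetVersions are placeholder values.
param(
    [Parameter(Mandatory = $true)]
    [string]$SiteUrl,                # e.g. https://contoso.sharepoint.com/sites/Finance (placeholder)
    [int]$MinimumVersions = 100,     # flag any library whose limit is below this (example threshold)
    [int]$TargetVersions  = 500,     # limit to set on flagged libraries when -Remediate is given
    [switch]$Remediate
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# BaseTemplate 101 is the document library template; hidden system lists are skipped.
$libraries = Get-PnPList | Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }

$findings = foreach ($lib in $libraries) {
    # With versioning disabled there are no restorable versions at all, so treat the limit as 0.
    $limit = if ($lib.EnableVersioning) { $lib.MajorVersionLimit } else { 0 }
    [pscustomobject]@{
        Library           = $lib.Title
        VersioningEnabled = $lib.EnableVersioning
        MajorVersionLimit = $limit
        Risky             = ($limit -lt $MinimumVersions)
    }
}

# Audit output: one row per library, Risky = $true marks the ones an attacker could
# exhaust with a handful of re-encryptions.
$findings | Sort-Object Risky -Descending | Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in $findings | Where-Object { $_.Risky }) {
        Write-Host "Raising major version limit on '$($f.Library)' to $TargetVersions"
        Set-PnPList -Identity $f.Library -EnableVersioning $true -MajorVersions $TargetVersions
    }
}
```

Run it once without -Remediate to get the audit table, then again with -Remediate to apply the new limit. Raising the limit is a forward-looking control: as the article notes, versions that were already pushed out by the attacker’s repeated encryptions are not brought back by this change, which is why Proofpoint pairs it with external backups. The same script can be pointed at a user’s OneDrive by passing the personal site URL, since OneDrive document libraries expose the same EnableVersioning and MajorVersionLimit settings.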