Cybersecurity analysts at Proofpoint have recently discovered that there might be a way to encrypt files on SharePoint and OneDrive by exploiting a feature in the Microsoft 365 suite.
As a result, enterprises could leave themselves open to cyber attacks such as ransomware. Attackers are going to build their hard drive campaigns on this new target in order to divert their attention away from endpoints and network drives after failing to succeed during their endpoint attacks.
Due to this new target, they may have a less difficult time coping with the cloud infrastructure. Here’s what cybersecurity experts at Proofpoint stated:-
“Until now, IT and security teams felt that cloud drives would be more resilient to ransomware attacks. After all, the now-familiar “AutoSave” feature along with versioning and the good old recycle bin for files should have been sufficient as backups. However, that may not be the case for much longer.”
Attack Chain
In order for this attack to succeed, the compromised user’s accounts must be encrypted as soon as it is executed. In the same way as during an endpoint ransomware attack, decryption keys are required to recover those files.
Moreover, using the Microsoft API, CLI scripts, and PowerShell scripts, the actions outlined below can be automated:-
- Initial Access: Compromise or hijack the identity of one or more users in order to gain access to their respective SharePoint Online or OneDrive accounts.
- Account Takeover & Discovery: By doing this, any files owned or controlled by the compromised user or by the third-party app that has OAuth access will be accessible to the attacker.
- Collection & Exfiltration: To keep things simple it allows to reduce the number of versions that the files could have, such as 1. By doing so, it makes the file encrypted more than the number of times it can be updated.
- Monetization: In the cloud account, the only versions left are the encrypted versions of the files, erasing all original versions. A ransom note will be issued at this point to the company by the attacker.
Response from Microsoft
Proofpoint has already informed Microsoft that it is concerned about the misuse of the version numbering setting feature. However, Microsoft contends that this ability to configure the version numbering settings is intended to be used.
While this issue has been de-emphasized by Microsoft, claiming that some older versions of the files could possibly be recovered. With the help of Microsoft Support, you may even be able to restore the files for up to an additional 14 days.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.
