A ‘potentially dangerous’ functionality in Office 365 and Microsoft 365 has been discovered that allows ransomware to encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key from the attacker.
Cyber security firm Proofpoint said it focused its research on SharePoint Online and OneDrive within the 365 suites, finding that hackers can target an organisation’s data in the cloud, as well as launch attacks on cloud infrastructure.
RELATED RESOURCE
Securing endpoints amid new threats
Ensuring employees have the flexibility and security to work remotely
“Once executed, the attack encrypts the files in the compromised users’ accounts,” the Proofpoint team explained. “Just like with endpoint ransomware activity, those files can then only be retrieved with decryption keys.”
The vendor identified and laid out details of the attack chain, which it says can be automated using Microsoft APIs, command line interface (CLI) scripts and PowerShell scripts.
First, the attacker will gain access to one or more users’ SharePoint Online or OneDrive accounts by compromising or hijacking users’ identities. That enables an account takeover, providing access to any file owned by the compromised user or controlled by the third-party OAuth application, including the user’s OneDrive account.
The attacker will then reduce version limits of these files to a low number – such as 1 – and then encrypt each by more than that figure.
“This step is unique to cloud ransomware compared to the attack chain for endpoint-based ransomware,” Proofpoint noted. “In some cases, the attacker may exfiltrate the unencrypted files as part of a double extortion tactic.”
Finally, this will then leave only the encrypted versions of the files in the account, enabling the attacker to monetise the situation and demand a ransom from the business.
To help counter this form of cloud ransomware attack, the vendor advised businesses use software that detects risky file configuration changes in Office 365 as user changes are not common behaviour. If a user makes these changes unknowingly, they should be made aware and asked to increase the version limit.
The cyber security firm also advised to improve security hygiene around ransomware, as well as ensure response and investigation measures incorporate Office 365 and Microsoft 365.
Proofpoint added that it has made the discovery known to Microsoft, but the flaw currently remains open for exploitation. In response, Microsoft said the configuration functionality for versioning settings is working as intended, while older versions of files are potentially able to be restored for an additional 14 days via Microsoft Support.
However, Proofpoint said attempts to retrieve and restore old versions using this process and “were not successful.”
-
TPUs: Google's home advantageITPro Podcast How does TPU v7 stack up against Nvidia's latest chips – and can Google scale AI using only its own supply?
-
Microsoft Excel is still alive and kicking at 40News A recent survey found Gen Z and Millennial finance professionals have a strong “emotional attachment” to Microsoft Excel
-
15-year-old revealed as key player in Scattered LAPSUS$ HuntersNews 'Rey' says he's trying to leave Scattered LAPSUS$ Hunters and is prepared to cooperate with law enforcement
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Impact of Asahi cyber attack laid bare as company confirms 1.5 million customers exposedNews No ransom has been paid, said president and group CEO Atsushi Katsuki, and the company is restoring its systems
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
A notorious ransomware group is spreading fake Microsoft Teams ads to snare victimsNews The Rhysida ransomware group is leveraging Trusted Signing from Microsoft to lend plausibility to its activities
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
