Researchers have warned that documents hosted in the cloud are not beyond the reach of ransomware actors. Although the automatic versioning features of cloud services make it difficult to encrypt files permanently, there are still ways to make life difficult for companies.
Researchers from Proofpoint have demonstrated a proof-of-concept attack that abuses the document versioning settings of Microsoft's OneDrive and SharePoint Online services, which are part of the Office 365 and Microsoft 365 cloud offerings. Because these services expose most of their features through APIs, the attack can be automated with a command-line interface or a PowerShell script.
Reducing the number of document versions
The attack chain described by Proofpoint begins when attackers compromise one or more SharePoint Online or OneDrive accounts. This can be done in a variety of ways, including phishing, infecting a user's machine with malware and then hijacking their authenticated sessions, or tricking users into granting third-party applications access to their accounts via OAuth.
Whatever the method, it gives attackers access to all documents owned by the compromised user. In SharePoint these live in a document library, which is essentially a list that holds multiple documents and their metadata.
A feature of documents in both OneDrive and SharePoint is file versioning, which the autosave function uses whenever an edit is made. By default, a document library keeps up to 500 versions of a document, but this setting is configurable and can be reduced to as few as one.
“Each document library in SharePoint Online and OneDrive has a user-configurable setting for the number of saved versions, which site owners can change regardless of their other roles,” Proofpoint researchers explained. “They do not need to have administrator roles or associated privileges. Version settings are listed under the list settings of each document library.”
This opens up two methods of attack. In the first, the attacker edits the file 501 times, encrypting it after each change, so that all 500 previously saved versions are overwritten with encrypted copies of the document. The drawback of this method is that it is time consuming and resource intensive, because the encryption operation has to be repeated many times.
A quicker way is to change the version setting to 1, then make only two changes to the file and encrypt it after each. This removes all previously saved versions, at least as far as the user or the organization they belong to can directly access them.
Limitations of the attack
One limitation of this attack is that documents are stored on and synced to the user's endpoints as well as the cloud. If the attacker does not also have access to the endpoint, the file can be recovered from the user's local copy.
Another potential limitation is recovery through Microsoft Support. According to Proofpoint, it contacted Microsoft to report the abuse, and Microsoft said its customer support staff could recover file versions for up to 14 days afterwards. This may rely on the service's automated backup system, which is not directly accessible to users or organizations. However, Proofpoint researchers say that they tried to recover an older version of a document through Microsoft Support and were unsuccessful.
Proofpoint advises companies to monitor file configuration changes in their Office 365 accounts; changes to version settings should be treated as unusual and suspicious behavior. A strong password policy, enforcement of multi-factor authentication, reviewing third-party applications that have OAuth access to accounts, and an external backup policy that covers cloud files are also strongly recommended.
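One way to put the monitoring advice above into practice is to periodically audit the per-library version-retention setting the article describes and flag any library where versioning is off or the limit has been lowered. The script below is an added example, not code from the article or from Proofpoint; it assumes the PnP.PowerShell module is installed, and the site URL and the baseline of 100 versions are placeholders to adjust for your tenant.

```powershell
# Added example (not from the article or Proofpoint): audit the version-retention
# setting of every document library on a site using PnP.PowerShell (assumed
# installed). $SiteUrl and $MinimumVersions are placeholders for your tenant.
param(
    [string]$SiteUrl = "https://contoso.sharepoint.com/sites/placeholder",  # placeholder
    [int]$MinimumVersions = 100  # baseline; libraries below this are flagged
)

Import-Module PnP.PowerShell
Connect-PnPOnline -Url $SiteUrl -Interactive

# BaseTemplate 101 is the document library template; hidden system lists are skipped.
$libraries = Get-PnPList -Includes EnableVersioning, MajorVersionLimit |
    Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }

$findings = foreach ($lib in $libraries) {
    $reason = $null
    if (-not $lib.EnableVersioning) {
        $reason = "versioning disabled"
    } elseif ($lib.MajorVersionLimit -lt $MinimumVersions) {
        # A limit dropped to 1 is the cheap variant of the attack described above.
        $reason = "version limit $($lib.MajorVersionLimit) is below baseline $MinimumVersions"
    }
    if ($reason) {
        [pscustomobject]@{
            Library      = $lib.Title
            Versioning   = $lib.EnableVersioning
            VersionLimit = $lib.MajorVersionLimit
            Finding      = $reason
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host "All document libraries keep at least $MinimumVersions versions."
}
```

Running this on a schedule and comparing the output with the previous run gives a simple baseline for spotting the kind of version-setting change the article says should be treated as suspicious.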
Copyright © 2022 IDG Communications, Inc.