Researchers detected a functionality in Office 365 that enables cybercriminals to ransom items stored on SharePoint and OneDrive. When the researchers informed Microsoft, they were assured that the system was functioning as designed and it is a feature rather than a vulnerability.
Files stored and updated on the cloud have long been thought to be resistant to encryption extortion — the autosave and versioning capabilities should offer enough backup capability.
Researchers at Proofpoint have displayed that this is a false assumption. They reported, “Our research focused on… SharePoint Online and OneDrive… and shows that ransomware actors can now target organizations’ data in the cloud and launch attacks on cloud infrastructure.”
There are two ways to accomplish this using the Microsoft versioning feature (which allows the user to specify the maximum number of older versions to be stored). Older versions beyond this level are designed difficult, if not impossible to recover. The first attack is more theoretical than practical, while the second is undeniably practical.
The maximum number of revisions of a document that may be saved by default is 500. Simply said, the attacker modifies and encrypts the file 501 times.
The changes do not have to be significant - just enough to cause the system to save the new (encrypted) version. All versions of the document will be encrypted by the completion of the procedure, and the file will be unrecoverable without the decryption key.
This is a theoretical attack. In actuality, it would be loud and easily discovered. The second method is more practical: utilise the built-in user-controlled versioning tool to reduce the number of stored versions to one.
Every SharePoint and OneDrive document library includes a user-configurable parameter for the number of stored versions, which can be found under list settings for each document library.
Setting the version limit to zero does not help an attacker since it does not erase older versions that the user can still recover.
If the limit is set to one, the file only has to be encrypted twice before the user loses access to its contents. If information is exfiltrated before encryption, the attacker has the option of launching a second extortion attempt.
The attack chain includes initial access via compromised or hijacked user identities, account takeover and discovery, versioning reduction, file exfiltration, and encryption, and extortion.
If the file owner keeps a local copy of the file, the impact of this attack will be limited. In this case, the attacker must compromise both the endpoint and the cloud account to ensure success.
Proofpoint followed the Microsoft disclosure route and submitted the vulnerability to Microsoft before publicly revealing it.
Microsoft stated that, first, the versioning settings function properly, and that, second, previous versions of files can potentially be retrieved and restored for an additional 14 days with the aid of Microsoft Support.
“However,” write the researchers, “Proofpoint attempted to retrieve and restore old versions through this process (i.e., with Microsoft Support) and was not successful. Secondly, even if the versioning settings configuration workflow is as intended, Proofpoint has shown that it can be abused by attackers towards cloud ransomware aims.”
Therefore, the conclusion of the story is straightforward do not think files saved and updated in the cloud are immune to extortion attempts. Ransomware mitigation procedures must still be in place.