Researchers have discovered a potentially dangerous functionality in Office 365 or Microsoft 365 that allows threat actors to strike with ransomware and to encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key from the attacker.
The researchers detailed an attack chain that allows encrypting files in the compromised users’ accounts. Also, they pointed out that the actions composing the attack chain can be automated using Microsoft APIs, command-line interface (CLI) scripts, and PowerShell scripts.
Below is the attack chain as detailed by the attackers
Initial Access: Gain access to one or more users’ SharePoint Online or OneDrive accounts by compromising or hijacking users’ identities.
Account Takeover & Discovery: The attacker now has access to any file owned by the compromised user or controlled by the third-party OAuth application.
Collection & Exfiltration: Reduce the versioning limit of files to a low number such as 1, to keep it easy. Encrypt the file more times than the versioning limit. With the example limit of 1, encrypt the file twice. This step is unique to cloud ransomware compared to the attack chain for endpoint-based ransomware. In some cases, the attacker may exfiltrate the unencrypted files as part of a double extortion tactic.
Monetization: Now all original (pre-attacker) versions of the files are lost, leaving only the encrypted versions of each file in the cloud account. At this point, the attacker can ask for a ransom from the organization.
Three most common Initial access to SharePoint Online and OneDrive user accounts
- Account compromise
- Third-party OAuth applications
- Hijacked sessions
Researchers said that the attack abuses the “AutoSave” feature that creates cloud backups of older file versions when users edit a file stored on OneDrive or SharePoint Online.
A list is a Microsoft web part that stores content such as tasks, calendars, issues, photos, files, and more within SharePoint Online. OneDrive accounts are used mainly to store documents. While the Document library is the term most associated with OneDrive. It is a special type of list on a SharePoint site or OneDrive account where you can upload, create, update, and collaborate on documents with team members. The version settings for lists and document libraries are both found under list settings
By design, when you reduce the document library version limit, any further changes to the files in the document library will result in older versions becoming very hard to restore.
There are two ways to abuse the versioning mechanism to achieve malicious aims – creating too many versions of a file or reducing the version limits of a document library. Edits that increment a version of a file include changes to the document contents, filename, file metadata, and the file encryption status.
Microsoft downplayed the issue stating that older versions of files can be potentially recovered and restored for an additional 14 days with the assistance of Microsoft Support.
Researchers attempted to retrieve and restore old versions through the above process and were not successful. Secondly, even if the versioning settings configuration workflow is as intended, it can be abused by attackers toward cloud ransomware aims.
This research work was conducted and reported by Proofpoint Security firm