
Microsoft Office 365 Feature Can Help Cloud Ransomware Attacks

Posted on 16 Jun at 5:39 pm

Security researchers are warning that threat actors could hijack Office 365 accounts and encrypt, for ransom, the files stored in the SharePoint and OneDrive services that companies use for cloud-based collaboration, document management and storage.

A ransomware attack targeting files on these services could have severe consequences if backups aren’t available, rendering important data inaccessible to owners and working groups.

Version numbering tricks

Researchers at cybersecurity company Proofpoint note in a report today that the success of the attack relies on abusing the “AutoSave” feature that creates cloud backups of older file versions when users make edits.

The only prerequisite for encrypting SharePoint and OneDrive files is to compromise Office 365 accounts, which is easily done through phishing or malicious OAuth apps.

After hijacking an account, attackers can use Microsoft APIs and PowerShell scripts to automate malicious actions on large document lists.

The trick to finishing the file-locking stage more quickly and making recovery more difficult is to reduce the version numbering limit and then encrypt every file more times than that limit.

This task does not require administrative privileges and can be done from any hijacked account. As an example, the researchers say that an adversary could reduce the number of file versions to “1” and encrypt the data twice.

Versioning setting on document lists (Microsoft)

With a file version limit set to “1,” when the attacker encrypts or edits the file twice, the original document will no longer be available through OneDrive and cannot be restored.

Another way is to use automated scripts to edit files 501 times, which is above OneDrive's maximum of 500 stored file versions. While this method is “louder” and might trigger some alerts, it still counts as a valid approach.
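Detection logic for the two version-history tricks described above, added here as an illustration (it is not code from Proofpoint, Microsoft or the original post). The event tuples use a constructed, simplified schema rather than a real audit-log format, and the one-hour correlation window is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_VERSIONS = 500            # OneDrive version cap cited in the article
WINDOW = timedelta(hours=1)   # assumed correlation window

# Constructed events: (time, user, action, library, file, new_limit).
# Hypothetical simplified schema, not a real audit-log format.
EVENTS = [
    ("2022-06-16T10:00:00", "alice", "file_modified", "Finance", "q2.xlsx", None),
    ("2022-06-16T10:05:00", "bob", "version_limit_set", "Finance", None, 1),
    ("2022-06-16T10:06:00", "bob", "file_modified", "Finance", "q2.xlsx", None),
    ("2022-06-16T10:06:05", "bob", "file_modified", "Finance", "q2.xlsx", None),
    ("2022-06-16T10:06:10", "bob", "file_modified", "Finance", "plan.docx", None),
]

def detect(events, default_limit=MAX_VERSIONS, window=WINDOW):
    """Flag lowered version limits and files edited more times than the limit."""
    limit = defaultdict(lambda: default_limit)  # library -> current version limit
    edits = defaultdict(list)                   # (user, library, file) -> edit times
    alerts = []
    for ts, user, action, library, name, new_limit in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if action == "version_limit_set":
            if new_limit < limit[library]:
                alerts.append(("limit_lowered", user, library, new_limit))
            limit[library] = new_limit
        elif action == "file_modified":
            key = (user, library, name)
            # Keep only this user's edits to this file inside the window.
            edits[key] = [t for t in edits[key] if when - t <= window] + [when]
            # More edits than retained versions: the pre-attack copy is gone.
            alert = ("history_overwritten", *key)
            if len(edits[key]) > limit[library] and alert not in alerts:
                alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

A `limit_lowered` alert is the earlier signal and is the point at which raising the number of restorable versions still preserves the original files.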

Cloud ransomware attack chain (Proofpoint)

With the document encryption complete, the threat actor can now request a ransom from the victim in exchange for unlocking the files.

Stealing the original documents before encrypting them, to put more pressure on the victim under the threat of leaking the data, is also feasible and may prove effective, especially if backups exist.

Microsoft’s response

Proofpoint informed Microsoft of the potential for abuse of the version numbering setting, but the tech giant maintains that this configuration ability is the intended functionality.

Moreover, Microsoft told Proofpoint that in cases of unexpected data loss like in the above attack scenario, support agents could help with recovery up to 14 days after the incident. However, Proofpoint reports that it attempted to restore files using that method and failed.

For organizations that might be targeted by these cloud attacks, the best security practices include:

  • using multi-factor authentication,
  • keeping regular backups,
  • hunting for malicious OAuth apps and revoking tokens, and
  • adding “increase of restorable versions immediately” to the incident response list.