'Potentially dangerous' flaw could allow ransomware attacks on Microsoft SharePoint and OneDrive

Researchers from Proofpoint say that cyberattacks could be carried out in a way that makes files unrecoverable

A "potentially dangerous" piece of functionality has been found in Microsoft Office 365 that could allow ransomware to encrypt files stored on SharePoint and OneDrive.

Researchers from Proofpoint say that cyberattacks could be carried out in a way that makes files unrecoverable without dedicated backups or a decryption key.

It says the findings show that ransomware actors can now target organisations' data in the cloud and launch attacks on cloud infrastructure.

"Ransomware attacks have traditionally targeted data across endpoints or network drives," the company said.

"Until now, IT and security teams felt that cloud drives would be more resilient to ransomware attacks. After all, the now-familiar 'AutoSave' feature along with versioning and the good old recycle bin for files should have been sufficient as backups.

"However, that may not be the case for much longer."

What is the attack chain?

According to Proofpoint, its researchers have identified the potential attack chain and documented the steps of an attack in a blog post.

It claims that they can begin when intruders gain access to one or more users' SharePoint Online or OneDrive accounts by compromising or hijacking users' identities.

"The attacker now has access to any file owned by the compromised user or controlled by the third-party OAuth application," Proofpoint said.

It said the next stage involves reducing the versioning limit of files to a low number such as 1.

"Encrypt the file more times than the versioning limit. With the example limit of 1, encrypt the file twice," the company said.

"Now all original (pre-attacker) versions of the files are lost, leaving only the encrypted versions of each file in the cloud account. At this point, the attacker can ask for a ransom from the organisation."

Proofpoint also detailed steps organisations can take to protect sensitive data from actions leading to cloud ransomware.

It said: "First, turn on detection of risky file configuration changes for Office 365 accounts with Proofpoint CASB. While a user can accidentally change the setting, it's not very common behaviour. In the case that users changed it unknowingly, they should be made aware of it and ask that they increase the version limit.

"This will reduce the risk of an attacker compromising users and taking advantage of already low version limits for those users' lists to ransom the organisation."
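The detection idea above can be sketched as a correlation rule: alert when a list's version limit is lowered to a small number, and again when a file in that list is then modified more times than the new limit retains. This is an added example, not code from Proofpoint or Microsoft; the event fields, the `LOW_LIMIT` threshold and the 24-hour window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. The field names are hypothetical and are not
# the Microsoft 365 audit log schema; map your own log source onto them.
SAMPLE_EVENTS = [
    {"time": "2022-06-01T09:00:00", "user": "alice", "action": "version_limit_set", "list": "Finance", "old": 500, "new": 1},
    {"time": "2022-06-01T09:01:00", "user": "alice", "action": "file_modified", "list": "Finance", "file": "q2.xlsx"},
    {"time": "2022-06-01T09:02:00", "user": "alice", "action": "file_modified", "list": "Finance", "file": "q2.xlsx"},
    {"time": "2022-06-01T09:05:00", "user": "bob", "action": "version_limit_set", "list": "HR", "old": 100, "new": 50},
    {"time": "2022-06-01T09:06:00", "user": "bob", "action": "file_modified", "list": "HR", "file": "plan.docx"},
]

LOW_LIMIT = 10                  # assumed threshold for a risky version limit
WINDOW = timedelta(hours=24)    # assumed correlation window after a reduction

def detect(events, low_limit=LOW_LIMIT, window=WINDOW):
    """Return alerts for risky limit reductions and for overwritten file history."""
    alerts = []
    reduced = {}                # list name -> (time of reduction, new limit)
    writes = defaultdict(int)   # (list, file) -> modifications since reduction
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["action"] == "version_limit_set":
            if ev["new"] < ev["old"] and ev["new"] <= low_limit:
                reduced[ev["list"]] = (when, ev["new"])
                alerts.append(("limit_reduced", ev["list"], ev["user"]))
            else:
                reduced.pop(ev["list"], None)
            # A new setting restarts the per-file counters for that list.
            for key in [k for k in writes if k[0] == ev["list"]]:
                del writes[key]
        elif ev["action"] == "file_modified" and ev["list"] in reduced:
            since, limit = reduced[ev["list"]]
            if when - since > window:
                continue
            key = (ev["list"], ev["file"])
            writes[key] += 1
            # More modifications than retained versions: every version that
            # existed before the limit change has been pushed out.
            if writes[key] == limit + 1:
                alerts.append(("history_overwritten", ev["list"], ev["file"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The first alert type corresponds to the configuration change Proofpoint recommends monitoring; the second marks the point at which restoring from version history is no longer possible for that file.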

Proofpoint says it received a couple of responses from Microsoft as it followed their disclosure path.

It said: "Prior to this blog, Proofpoint followed Microsoft's disclosure path and received a couple of responses. Their claims are as follows: The configuration functionality for versioning settings within lists is working as intended. Older versions of files can be potentially recovered and restored for an additional 14 days with the assistance of Microsoft Support."