SharePoint and OneDrive Files Could be Vulnerable to Ransomware Attacks

A potentially dangerous piece of functionality has been identified in Office 365 and Microsoft 365 that ransomware gangs could exploit to encrypt files stored on SharePoint and OneDrive, rendering them unrecoverable without paying the ransom if they have not been backed up separately.

According to Proofpoint, which recently published a report on the technique, the problem lies with the auto-save feature that keeps SharePoint and OneDrive files in the cloud. The researchers say that auto-save gives users the impression that their files are backed up and therefore protected from a ransomware attack, but that is not necessarily the case.

In the attack scenario described, a user’s credentials are compromised, for example by phishing, and used to remotely access the user’s Office/Microsoft 365 environment. The attacker can then obtain the files stored in the account and encrypt them with ransomware. Auto-save is often relied on as a safeguard against exactly this: if the copies on an endpoint are encrypted, the cloud-stored files can be used to recover the data. However, the researchers described an attack in which that recovery is not possible, and it hinges on versioning limits: the attacker encrypts every retained version of a file, so there is nothing clean left to roll back to.

For instance, a OneDrive document library retains a maximum of 500 versions of each file by default. Were an attacker to edit a file 501 times, the original pre-attack version would be trimmed and there would be no clean version to recover. If the file is encrypted on each of those edits, every restorable version is also encrypted. The versioning limit is a per-library setting that can be changed by anyone with owner permissions on the library, which a user has over their own OneDrive, so no tenant-administrator privilege is required. Rather than making 501 edits, the attacker could lower the limit to 1, exfiltrate the file, then encrypt it twice, ensuring that recovery is not possible without paying the ransom if an independent backup of the file has not been made.
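The setting the attack depends on can be inspected and restored with PnP PowerShell. The following script is an added example, not code from this article or from Proofpoint's report: it lists every document library on a site with its version limit, flags any library whose limit is below the default of 500 or whose versioning is off, optionally raises such libraries back to 500, and then shows which versions of one file are still restorable. It assumes the PnP.PowerShell module, a placeholder site URL of https://contoso.sharepoint.com/sites/finance, a placeholder file Q3-forecast.xlsx in the Documents library, and an account with owner rights on the site; recent PnP releases also require a -ClientId for an app registration of your own on Connect-PnPOnline.

```powershell
# Added example, not code from the article or from Proofpoint's report.
# Audits the per-library version limit that the attack lowers and, with
# -Remediate, raises weak libraries back to the default. Requires PnP.PowerShell.
# $SiteUrl and $FileUrl are placeholders.
param(
    [string]$SiteUrl   = 'https://contoso.sharepoint.com/sites/finance',               # placeholder
    [string]$Library   = 'Documents',
    [string]$FileUrl   = '/sites/finance/Shared Documents/Q3-forecast.xlsx',            # placeholder
    [int]   $MinMajor  = 500,      # the default limit the article cites
    [switch]$Remediate
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# BaseTemplate 101 = document library; hidden lists are system lists.
$libraries = Get-PnPList -Includes EnableVersioning, MajorVersionLimit, BaseTemplate, Hidden |
    Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }

$report = foreach ($lib in $libraries) {
    $weak = (-not $lib.EnableVersioning) -or ($lib.MajorVersionLimit -lt $MinMajor)
    if ($weak -and $Remediate) {
        # Raising the limit stops further trimming; it does not bring back versions
        # that were already discarded, so do this before attempting any recovery.
        Set-PnPList -Identity $lib.Id -EnableVersioning $true -MajorVersions $MinMajor
    }
    [pscustomobject]@{
        Library           = $lib.Title
        Versioning        = $lib.EnableVersioning
        MajorVersionLimit = $lib.MajorVersionLimit
        Weak              = $weak
        Remediated        = ($weak -and $Remediate)
    }
}
$report | Format-Table -AutoSize

# For one file, show which versions are still restorable. After the attack
# described above, only recent (encrypted) versions remain in this list.
$item     = Get-PnPFile -Url $FileUrl -AsListItem
$versions = Get-PnPListItemVersion -List $Library -Identity $item.Id | Sort-Object Created
$versions | Select-Object VersionLabel, Created | Format-Table -AutoSize

# The oldest surviving version is the only candidate that may predate the
# burst of edits; restore it explicitly rather than trusting the current one.
$oldest = $versions | Select-Object -First 1
if ($oldest) {
    Write-Host "Oldest restorable version of $FileUrl is $($oldest.VersionLabel) from $($oldest.Created)"
    # Uncomment to roll the file back to that version:
    # Restore-PnPListItemVersion -List $Library -Identity $item.Id -Version $oldest.VersionLabel
}
```

Run it read-only first to see how many versions each library keeps; a library reporting a limit of 1 on a site nobody administers is the configuration change Proofpoint describes. Run again with -Remediate only after the compromised account has been cut off, because the raised limit protects future versions, not the ones already trimmed.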

Proofpoint asked Microsoft for a statement and was told that files can potentially be recovered for 14 days through Microsoft Support, which would allow recovery in such an event; however, when the researchers attempted to recover files through that process, they were unsuccessful.

The solution is to enforce strong passwords, enable multi-factor authentication, and maintain independent backups of all SharePoint and OneDrive files. The researchers also suggested that, if a change in versioning configuration is detected, the number of restorable versions for the affected document libraries should be increased; the altered high-risk configuration and any previously compromised accounts should be identified; OAuth tokens for suspicious third-party apps should be revoked; and victims should search for policy-violation patterns across cloud, email, web, and endpoints by any user.
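The detection and response steps above can be scripted against the Microsoft 365 unified audit log and Microsoft Graph. The following script is an added example, not code from this article or from Proofpoint, and it makes several assumptions stated in the comments: it needs the ExchangeOnlineManagement and Microsoft.Graph modules with an account permitted to search the audit log, revoke sessions, and remove delegated permission grants; the 500-edit threshold and 24-hour window are starting points to tune per tenant; and the assumption that a version-limit change is recorded as a ListUpdated operation should be confirmed in your own tenant by changing a test library's limit and searching for the resulting record.

```powershell
# Added example, not code from the article or from Proofpoint's report.
# Hunts the audit log for the two signals the attack leaves (a burst of file
# modifications by one account, and a library settings change by the same
# account) and then revokes that account's sessions and delegated OAuth grants.
# Requires ExchangeOnlineManagement and Microsoft.Graph. The threshold, the
# window, and the ListUpdated mapping are assumptions to tune per tenant.
param(
    [int]$Hours     = 24,
    [int]$Threshold = 500   # one more edit than the default limit wipes every clean version
)

Connect-ExchangeOnline
Connect-MgGraph -Scopes 'User.Read.All', 'User.RevokeSessions.All', 'DelegatedPermissionGrant.ReadWrite.All'

$end   = Get-Date
$start = $end.AddHours(-$Hours)

# Page through the unified audit log; each call returns at most 5000 records.
function Get-AuditRecords([string[]]$Operations) {
    $session = [guid]::NewGuid().ToString()
    do {
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $Operations `
            -SessionId $session -SessionCommand ReturnLargeSet -ResultSize 5000
        $page
    } while ($page -and $page.Count -eq 5000)
}

# Signal 1: a single account modifying files at a rate no person sustains.
$edits = Get-AuditRecords -Operations 'FileModified', 'FileUploaded' |
    ForEach-Object { $_.AuditData | ConvertFrom-Json }

$suspects = $edits | Group-Object UserId, SiteUrl | Where-Object Count -ge $Threshold
foreach ($s in $suspects) {
    $first = $s.Group | Sort-Object CreationTime | Select-Object -First 1
    Write-Warning ("{0} edits by {1} on {2}, first from {3} at {4}" -f
        $s.Count, $first.UserId, $first.SiteUrl, $first.ClientIP, $first.CreationTime)
}

# Signal 2: library settings changed by the same account in the same window.
# Assumption: a version-limit change surfaces as ListUpdated; verify in your tenant.
$suspectUsers  = @($suspects.Group.UserId | Sort-Object -Unique)
$configChanges = Get-AuditRecords -Operations 'ListUpdated' |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $suspectUsers -contains $_.UserId }
$configChanges | Select-Object CreationTime, UserId, SiteUrl, ObjectId | Format-Table -AutoSize

# Response: revoke sessions (invalidating refresh tokens) and remove the
# account's delegated OAuth grants so a consented third-party app cannot
# keep acting on its behalf after the password is reset.
foreach ($upn in $suspectUsers) {
    $user = Get-MgUser -UserId $upn
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    Get-MgOauth2PermissionGrant -All |
        Where-Object { $_.PrincipalId -eq $user.Id } |
        ForEach-Object {
            Write-Warning "Removing delegated grant $($_.Id) (client $($_.ClientId), scope '$($_.Scope)') for $upn"
            Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id
        }
    Write-Warning "Revoked sessions and delegated grants for $upn"
}
```

The edit-count signal catches the brute-force variant (501 edits); the ListUpdated signal is what catches the quieter variant, where the limit is dropped to 1 and each file is touched only twice, so do not rely on the threshold alone. Grants with a null PrincipalId are tenant-wide admin consents and are deliberately left untouched here; review those separately.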

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news