Cybercriminals are now targeting SharePoint and OneDrive accounts to encrypt data and extort users. While this is primarily “lucrative” against businesses, it can also affect individuals. In the past week, Proofpoint security researchers revealed a vulnerability in a Microsoft 365 feature that opens up new cloud-based attack vectors for hackers. Proofpoint’s findings explain how malicious actors can use basic functions of the applications to encrypt files and make ransom demands. This vulnerability gives hackers another way to attack cloud-based data and infrastructure.
It all starts with access to the cloud
The vulnerability is based on a four-step attack chain that begins with a user’s identity being compromised. For example, user accounts can be compromised by brute force or phishing attacks, improper authorization via third-party OAuth apps, or hijacked user sessions.
The attacker then uses the person’s credentials to access their SharePoint or OneDrive accounts. There they change the version control setting and encrypt the files multiple times so that no unencrypted version of the compromised files is left behind. Once files are encrypted, they can only be accessed with the correct decryption keys – and that can get expensive.
Document changes logged
Versioning is a feature in SharePoint and OneDrive that creates a record for each file, logging all document changes and the users who made those changes. Users with appropriate permissions can view, delete, or restore previous versions of the document.
The number of versions tracked is determined by the version settings in the application. These version settings do not require administrator rights and are therefore easy for hackers to change.
More changes than saved versions
Changing the number of document versions preserved is key to this exploit. The attacker configures the version settings to keep only a desired number of versions per file. The files are then encrypted more times than the number of saved versions, leaving no recoverable backup versions.
Encryption is not the only way that version control can be exploited. Another option is to modify files so often, and over so long a period, that no original version is left behind. In all cases, only the attackers retain access to an original copy and can try to extort victims into paying the ransom.
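The following Python is an added example written for this article; it is not code from Proofpoint or Microsoft. It models the version-retention behaviour described above (a hypothetical version history with a configurable limit, not the real SharePoint implementation) to show why the number of overwrites relative to the version limit decides whether a clean copy survives, and it sketches one detection rule a defender could run over audit events: a user lowering a library’s version limit and then modifying many files in a short window. The event schema and operation names are constructed for this example; Microsoft 365’s real audit log uses its own field and operation names.

```python
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class VersionedFile:
    """Toy model of a document with a version history and a retention limit.
    Hypothetical model for illustration, not the SharePoint/OneDrive implementation."""
    name: str
    version_limit: int
    versions: deque = field(default_factory=deque)

    def save(self, content: bytes) -> None:
        """Store a new version; the oldest versions beyond the limit are discarded."""
        self.versions.append(content)
        while len(self.versions) > self.version_limit:
            self.versions.popleft()

    def recoverable_versions(self):
        return list(self.versions)


def clean_version_survives(original: bytes, version_limit: int, overwrites: int) -> bool:
    """Return True if the original content is still in the history after `overwrites`
    further saves under the given retention limit. This is the arithmetic behind the
    article: once overwrites >= version_limit, the original is gone."""
    doc = VersionedFile("report.docx", version_limit)
    doc.save(original)
    for i in range(overwrites):
        doc.save(b"overwritten-%d" % i)  # stands in for any modified/encrypted content
    return original in doc.recoverable_versions()


def detect_versioning_abuse(events, max_limit=5, burst=20, window=timedelta(minutes=30)):
    """Flag users who lower a version limit to `max_limit` or less and then generate
    at least `burst` file modifications within `window`. Returns one alert per
    suspicious limit change. Event schema (constructed): time, user, op, file, new_limit."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(ev["user"], []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if ev["op"] != "VersionLimitChanged" or ev.get("new_limit", 10**9) > max_limit:
                continue
            later = [x for x in evs[i + 1:]
                     if x["op"] == "FileModified" and x["time"] - ev["time"] <= window]
            if len(later) >= burst:
                alerts.append({
                    "user": user,
                    "new_limit": ev["new_limit"],
                    "modifications": len(later),
                    "distinct_files": len({x["file"] for x in later}),
                    "started": ev["time"],
                })
    return alerts


def sample_events():
    """Constructed audit events: one account lowers the limit to 1 and then rewrites
    three files ten times each; a second account edits a few files normally."""
    t0 = datetime(2022, 6, 20, 9, 0, 0)
    events = [{"time": t0, "user": "compromised.user@example.test",
               "op": "VersionLimitChanged", "file": "Shared Documents", "new_limit": 1}]
    for n in range(30):
        events.append({"time": t0 + timedelta(seconds=20 * (n + 1)),
                       "user": "compromised.user@example.test",
                       "op": "FileModified", "file": f"doc{n % 3}.docx"})
    for n in range(5):
        events.append({"time": t0 + timedelta(minutes=n),
                       "user": "normal.user@example.test",
                       "op": "FileModified", "file": f"notes{n}.docx"})
    return events


def sample_alerts():
    return detect_versioning_abuse(sample_events())


if __name__ == "__main__":
    print("limit 500, 5 overwrites, original survives:", clean_version_survives(b"orig", 500, 5))
    print("limit 1, 1 overwrite, original survives:   ", clean_version_survives(b"orig", 1, 1))
    for alert in sample_alerts():
        print("ALERT:", alert)
```

The retention model is the point of the first half: the default limit (hundreds of versions, in the article’s description) is a real safety margin, and lowering it is what turns ordinary overwrites into an unrecoverable loss. The detector keys on that sequence rather than on modifications alone, because bulk edits by themselves are common and would be noisy; in a real deployment the thresholds would be tuned against the tenant’s normal activity and the limit-change event mapped to the actual audit operation.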