Ransomware could target OneDrive and SharePoint files by abusing versioning configurations
- 17 June, 2022 06:30
Researchers warn that documents hosted in the cloud might not be out of reach for ransomware actors and that while they're harder to permanently encrypt due to the automated back-up features of cloud service, there are still ways to make life hard for organisations.
Researchers from Proofpoint have devised a proof-of-concept attack scenario that involves abusing the document versioning settings in Microsoft's OneDrive and SharePoint Online services that are part of Office 365 and Microsoft 365 cloud offerings. Furthermore, since these services provide access to most of their features through APIs, potential attacks can be automated using command-line interface and PowerShell scripts.
Reducing the number of document versions
The attack chain described by Proofpoint starts with hackers compromising one or more SharePoint Online or OneDrive accounts. This can be done in a variety of ways including phishing, infecting the user's machine with malware then hijacking their authenticated sessions, or tricking users into giving a third-party application access to their account via OAuth.
Regardless of the method, this would give the attackers access to all the documents owned by the compromised user. In SharePoint this is called a document library and is basically a list that can hold multiple documents and their metadata.
One feature of documents in both OneDrive and SharePoint is file versioning, which is used by the autosave function whenever an edit is made. By default, documents can have up to 500 versions, but this setting is configurable, for example to just one.
"Every document library in SharePoint Online and OneDrive has a user-configurable setting for the number of saved versions, which the site owner can change, regardless of their other roles," the Proofpoint researchers explain. "They don’t need to hold an administrator role or associated privileges. The versioning settings are under list settings for each document library."
This opens up two methods of attacks. One is for the attacker to perform 501 edits and to encrypt the file after every change. In this way, all the previous 500 stored versions will be overwritten with encrypted versions of the document. The problem with this approach is that it's time consuming and resource intensive since the encryption operation needs to be repeated so many times.
A quicker way is to modify the versioning setting to one and then make only two changes and encrypt the file after each one. This will discard all the previously saved versions -- at least the ones directly accessible by the user or the organisation they're part of.
Limitations of the attack
One limitation of this attack are documents stored on both the user's endpoint and the cloud and synced. If the attacker doesn't have access to the endpoint as well, the file could be restored from the user's local copy.
Another potential limitation is recovery through Microsoft Support. According to Proofpoint, the company contacted Microsoft to report this abuse scenario and the company reportedly said that its customer support personnel can restore file versions going back 14 days.
This probably relies on the service's automated back-up system that is not directly accessible to users or organisations. However, the Proofpoint researchers claim they've attempted to restore old versions of documents via Microsoft Support and they were not successful.
Redmond advises organisations to monitor file configuration changes in their Office 365 account. Modifications to the versioning settings are unusual and should be treated as suspicious behaviour.
Implementing strong password policies and multi-factor authentication, reviewing third-party applications with OAuth access to accounts and having an external back-up policy that covers cloud files are also strong recommendations.