
Researchers Discover Way to Attack SharePoint and OneDrive Files With Ransomware

Ransomware can attack data in the cloud and launch attacks on cloud infrastructure

Researchers have discovered a functionality within Office 365 that could allow attackers to ransom files stored on SharePoint and OneDrive. On disclosure to Microsoft, the researchers were told the system ‘is working as intended’. That is, it’s a feature, not a flaw.

It has long been considered that files stored and edited in the cloud are resilient to encryption extortion – the autosave and versioning features should provide sufficient backup capability. 

Researchers at Proofpoint have demonstrated that this is a false assumption. They report, “Our research focused on… SharePoint Online and OneDrive… and shows that ransomware actors can now target organizations’ data in the cloud and launch attacks on cloud infrastructure.”

There are two ways this can be achieved through the Microsoft versioning function (which allows the user to specify the maximum number of older versions to be stored). Old versions beyond this limit are by design difficult if not impossible to restore. The first attack is more theoretical than practical, but the second is eminently practical.

The default maximum number of versions of a document that will be stored is 500. The attacker simply edits and encrypts the file 501 times. The edits do not have to be major – just enough to make the system store the new (encrypted) version. By the end of the process, all versions of the document will be encrypted, and the file will be irrecoverable without the decryption key.

This attack is theoretical. In practice it would be noisy and prone to discovery. The second approach is more realistic – use the built-in user-controlled versioning function to minimize the number of stored versions to one. Every document library in SharePoint and OneDrive has a user-configurable setting for the number of saved versions, found within the versioning settings under list settings for each document library.

Setting the version limit to zero doesn’t work for an attacker, because it doesn’t remove existing versions which can still be recovered by the user. But if the limit is set to one, the file only needs to be encrypted twice before its content becomes inaccessible to the user. And if it is exfiltrated prior to encryption, the attacker has the option of initiating double extortion. 
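To make the version arithmetic above concrete, here is an added simulation (not Proofpoint's or Microsoft's code) of the retention behaviour the article describes. It assumes the limit counts retained prior versions on top of the current one, that lowering the limit prunes nothing until the next save, and that a limit of 0 disables pruning; under those assumptions it reproduces the 501-save, 2-save and limit-zero cases.

```python
"""Constructed model of SharePoint/OneDrive major-version retention.

Assumptions (not verified against Microsoft's implementation):
 - `limit` is the number of *prior* versions kept; the current version is
   always kept in addition to those.
 - Changing the limit never deletes existing history by itself; pruning
   happens only when a new version is saved.
 - A limit of 0 means no pruning (existing versions stay recoverable).
"""
from dataclasses import dataclass, field


@dataclass
class VersionedFile:
    content: str                      # current version
    limit: int = 500                  # page's stated default
    history: list = field(default_factory=list)  # prior versions, oldest first

    def set_limit(self, limit: int) -> None:
        # Only the setting changes; history is untouched until the next save.
        self.limit = limit

    def save(self, content: str) -> None:
        self.history.append(self.content)
        self.content = content
        if self.limit > 0 and len(self.history) > self.limit:
            # Drop the oldest versions that exceed the limit.
            del self.history[: len(self.history) - self.limit]

    def recoverable(self, original: str) -> bool:
        return self.content == original or original in self.history


def saves_until_unrecoverable(limit: int, max_saves: int = 10_000):
    """Number of overwriting saves after which the plaintext is gone, or None."""
    f = VersionedFile("plaintext", limit)
    for n in range(1, max_saves + 1):
        f.save(f"ciphertext-{n}")  # constructed stand-in for an encrypted save
        if not f.recoverable("plaintext"):
            return n
    return None


def limit_zero_keeps_history() -> bool:
    """Lowering the limit to 0 leaves previously stored versions recoverable."""
    f = VersionedFile("plaintext")
    for i in range(3):
        f.save(f"edit-{i}")
    f.set_limit(0)
    f.save("ciphertext-1")
    return f.recoverable("plaintext")
```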

The attack chain comprises initial access by compromising or hijacking user identities; account takeover and discovery; versioning reduction, file exfiltration and file encryption; and extortion.

[Figure: Cloud ransomware attack chain]

The impact of this attack will be reduced if the file owner maintains a local copy of the file. Here the attacker will need to compromise both the endpoint and the cloud account to ensure success.

Before publicly disclosing what it considers to be a genuine vulnerability, Proofpoint followed the Microsoft disclosure path and reported it to Microsoft. Microsoft responded that, firstly, the versioning settings work as intended, and secondly, older versions of files can potentially be recovered and restored for an additional 14 days with the assistance of Microsoft Support.

“However,” write the researchers, “Proofpoint attempted to retrieve and restore old versions through this process (i.e., with Microsoft Support) and was not successful. Secondly, even if the versioning settings configuration workflow is as intended, Proofpoint has shown that it can be abused by attackers towards cloud ransomware aims.”

The moral is simple: do not assume that files stored and edited in the cloud are immune to extortion attacks. Ransomware mitigation controls still need to be in place.


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.