Security researchers recently found that an existing file version control feature in Microsoft 365 and Office 365 enables threat actors to encrypt stored files with ransomware. The process used to encrypt these files can make them unrecoverable without a proper backup or a decryption key from the threat actor.
What is the threat?
Threat actors can encrypt files stored in SharePoint Online and OneDrive within the Microsoft 365 and Office 365 suites by taking advantage of existing Microsoft 365 functionality. Security researchers described an attack chain that explains the steps an attacker can take to encrypt files within compromised users’ accounts. The first step is to gain initial access to one or more users’ SharePoint Online or OneDrive accounts by compromising or hijacking the users’ identities. The second step is Account Takeover and Discovery, in which the attacker has access to all files contained within the compromised account. The third step is Collection and Exfiltration, in which the attacker limits the versioning of files to a low number such as 1. With the limit set to 1, the file would be encrypted twice. The fourth step is Monetization, in which all the original file versions from before the attack are lost, leaving only the encrypted versions in the cloud account.
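As an added example (not from the original advisory or from Microsoft), the following Python detection logic flags the pattern described above: a library's version limit is lowered, then files are modified often enough that no pre-change version remains. The event schema, field names, thresholds and sample events are constructed assumptions, and the rule generalizes the limit-of-1 case in the text to any low limit.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema
# (not Microsoft's audit log format).
SAMPLE_EVENTS = [
    {"time": "2022-06-20T09:00:00", "user": "alice", "op": "FileModified",
     "library": "Finance", "file": "budget.xlsx"},
    {"time": "2022-06-20T10:00:00", "user": "alice", "op": "VersionLimitChanged",
     "library": "Finance", "old_limit": 500, "new_limit": 1},
    {"time": "2022-06-20T10:01:00", "user": "alice", "op": "FileModified",
     "library": "Finance", "file": "budget.xlsx"},
    {"time": "2022-06-20T10:02:00", "user": "alice", "op": "FileModified",
     "library": "Finance", "file": "budget.xlsx"},
    {"time": "2022-06-20T10:03:00", "user": "alice", "op": "FileModified",
     "library": "Finance", "file": "plan.docx"},
    {"time": "2022-06-20T11:00:00", "user": "bob", "op": "VersionLimitChanged",
     "library": "HR", "old_limit": 500, "new_limit": 100},
    {"time": "2022-06-20T11:05:00", "user": "bob", "op": "FileModified",
     "library": "HR", "file": "roster.xlsx"},
]

def find_versioning_abuse(events, low_limit=5, window=timedelta(hours=1)):
    """Flag version-limit reductions followed by enough edits to leave
    a file with no version from before the change."""
    alerts = []
    for change in events:
        if change["op"] != "VersionLimitChanged":
            continue
        new = change["new_limit"]
        if new >= change["old_limit"] or new > low_limit:
            continue  # limit raised, or still generous
        start = datetime.fromisoformat(change["time"])
        edits = Counter(
            e["file"] for e in events
            if e["op"] == "FileModified" and e["library"] == change["library"]
            and start <= datetime.fromisoformat(e["time"]) <= start + window
        )
        # Assumed rule: more edits than retained versions means no
        # pre-change version survives (limit 1 -> two edits, per the text).
        lost = sorted(f for f, n in edits.items() if n > new)
        if lost:
            alerts.append({"library": change["library"], "changed_by": change["user"],
                           "new_limit": new, "files_at_risk": lost})
    return alerts

if __name__ == "__main__":
    for alert in find_versioning_abuse(SAMPLE_EVENTS):
        print(alert)
```

In practice the events would come from the tenant's audit log export, mapped into this shape before the check runs.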
Why is it noteworthy?
SharePoint Online and OneDrive are two of the most popular enterprise cloud apps used by many organizations. The attack chain described by researchers indicates that ransomware actors can easily target organizations’ data stored in the cloud and initiate attacks. If an attacker gains full access to one or more users’ SharePoint Online or OneDrive accounts, they can compromise the data stored in those accounts.
What is the exposure or risk?
This only impacts Microsoft 365 SharePoint Online and OneDrive. Once an attacker gains full access to a compromised account, they can encrypt files and hold them for ransom. Any organization without a third-party backup can lose access to all of its data that was stored in these cloud accounts.
What are the recommendations?
Barracuda MSP recommends the following best practices:
- Identify high-risk users who are receiving higher amounts of cloud, email, and web attacks.
- Consider blocking external access to Internet-facing Confluence Server and Data Center systems.
- Implement IP address access control lists (ACLs) to restrict access to Internet-facing systems.
- Monitor child processes of web application processes for suspicious processes.
- Review any recent alerts related to Confluence systems you may have set up.
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.proofpoint.com/us/blog/cloud-security/proofpoint-discovers-potentially-dangerous-microsoft-office-365-functionality
- https://www.darkreading.com/vulnerabilities-threats/office-365-files-stored-in-the-cloud-vulnerable-to-ransomware-encryption
If you have any questions, please contact our Security Operations Center.