
Microsoft cloud ‘versioning’ is the victim of ransomware attacks

Microsoft’s cloud versioning feature is at risk, as ransomware encryption could lock files stored in the company’s cloud. Researchers discovered a feature in Office 365 that allows attackers to encrypt SharePoint and OneDrive files; without dedicated backups or the decryption key, the data would be unrecoverable.

The attack targets the “versioning” feature of SharePoint and OneDrive. Users can adjust the number of archived versions kept for each document library in SharePoint Online and OneDrive, and doing so requires neither admin rights nor elevated privileges.

Version Tricks

According to the researchers, if a ransomware group stole a user’s identity and gained access to one or more SharePoint Online or OneDrive accounts, they could drop the file versioning limit to a low number, “such as 1.”

The only prerequisite for encrypting SharePoint and OneDrive files is a compromised Microsoft cloud account, which can be obtained simply through phishing or malicious OAuth applications. After gaining access to an account, attackers can use Microsoft APIs and PowerShell scripts to carry out harmful actions on large document collections. Lowering the version limit and then encrypting the files more times than that limit completes the file-locking step and makes recovery more difficult.

This action does not require administrator credentials and can be performed from any account that has been compromised. An attacker could, for example, restrict the number of file versions to “1” and encrypt the contents twice.

Image: Document list versioning setting (Microsoft)

Once a file version limit of “1” is set, the original document is no longer available via OneDrive and cannot be recovered if the attacker encrypts or modifies it again. According to a Microsoft spokesperson, the technique requires that the user has recently been fully compromised by an attacker.

Furthermore, the spokesperson said:

We advise our clients to use safe computing practices, such as being careful when clicking on links to webpages, opening suspicious file attachments, or allowing file transfers.

Another way is to use automated programs to edit files 502 times, exceeding OneDrive’s 500-version limit. While this method is “noisier” and may trigger some warnings, it remains a viable alternative.

With that, the document encryption in the Microsoft cloud is complete, and malicious actors can demand a ransom from the victim in return for unlocking the data. It is also possible, and potentially useful to the attacker, to exfiltrate the documents before encrypting them, which puts greater pressure on the target under the threat of the data being leaked.

Reasonable transparency

Microsoft admits that the version limit setting could be exploited, but the company considers this an intentional feature. Microsoft stated that, in the event of unexpected data loss, such as the attack scenario described above, support agents can help with data recovery for up to 14 days after the attack. However, the researchers claim that they tried and failed to recover files using that approach.

Cloud storage is typically believed to be more secure against such attacks. While cloud storage is more dependable and secure than local storage, the study warns that it remains vulnerable to security risks.

The following are the recommended security practices for organisations that may face cloud attacks:

  • Enable two-factor authentication (2FA), so that a code is sent to a third party to verify the login.
  • Back up your data on a regular basis to ensure it can be recovered.
  • Add sudden changes to the version limit, or a rapid increase in a file’s version count, to the Incident Response (IR) list.
  • Scan for dangerous OAuth applications and revoke their access tokens.
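The IR recommendation above and the 502-edit technique both come down to two detectable signals: a version limit lowered to a small number, and one account modifying a single file more times than the version limit within a short window. The Python below is an added example (not from the article or from the researchers) that flags both patterns over a constructed audit-log sample; the record schema and the operation names `VersionLimitChanged` and `FileModified` are assumptions, not Microsoft’s real unified audit log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SITE = "https://contoso.example/sites/finance"  # constructed site URL


def build_sample_events():
    """Constructed audit records (hypothetical schema, not Microsoft's)."""
    events = [
        {"time": "2022-06-17T09:00:00", "user": "alice@example.com",
         "op": "VersionLimitChanged", "site": SITE, "file": None, "new_limit": 1},
        {"time": "2022-06-17T09:01:00", "user": "alice@example.com",
         "op": "FileModified", "site": SITE, "file": "budget.xlsx", "new_limit": None},
    ]
    start = datetime(2022, 6, 17, 10, 0, 0)
    for i in range(502):  # the 502-edit pattern described in the article
        events.append({"time": (start + timedelta(seconds=i)).isoformat(),
                       "user": "bob@example.com", "op": "FileModified",
                       "site": SITE, "file": "contract.docx", "new_limit": None})
    return events


def detect_version_limit_drops(events, min_safe_limit=10):
    """Any account lowering a library's version limit below min_safe_limit."""
    return [(e["user"], e["site"], e["new_limit"]) for e in events
            if e["op"] == "VersionLimitChanged"
            and e["new_limit"] is not None and e["new_limit"] < min_safe_limit]


def detect_modification_bursts(events, version_limit=500, window=timedelta(hours=1)):
    """One user editing one file more than version_limit times inside window.

    Returns (user, site, file, count) at the first moment the sliding-window
    count exceeds version_limit, i.e. when older versions start being lost.
    """
    by_key = defaultdict(list)
    for e in events:
        if e["op"] == "FileModified":
            by_key[(e["user"], e["site"], e["file"])].append(
                datetime.fromisoformat(e["time"]))
    hits = []
    for key, times in by_key.items():
        times.sort()
        left = 0
        for right in range(len(times)):
            while times[right] - times[left] > window:  # shrink window from the left
                left += 1
            if right - left + 1 > version_limit:
                hits.append(key + (right - left + 1,))
                break
    return hits
```

Both detectors run over the same record list, so a real deployment would feed them from whatever audit export the tenant uses and tune `min_safe_limit` and `version_limit` to the library settings actually in place.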

