A detailed proof-of-concept (PoC) from security vendor Proofpoint shows that files hosted in OneDrive and SharePoint can be targeted by attacks, including ransomware, through abuse of their version-history settings.
Security researchers warn that documents hosted in the cloud are not necessarily out of reach of ransomware actors. Although such files are harder to encrypt permanently because cloud services keep automatic version backups, there are still ways to make life harder for businesses. The Proofpoint team designed a PoC that abuses the document versioning settings of Microsoft's OneDrive and SharePoint Online services, which are part of the Office 365 and Microsoft 365 cloud offerings. These services expose most of their functionality through APIs, so an attack could potentially be automated with command-line tools and PowerShell scripts.
The attack chain described by Proofpoint begins with the attacker compromising one or more SharePoint Online or OneDrive accounts. This can be done in many ways, including phishing, infecting a user's machine with malware and then hijacking their authenticated sessions, or tricking users into granting a third-party application access to their account via OAuth. Any of these gives the attacker access to all documents owned by the compromised user. In SharePoint, these are held in a document library, which is essentially a list that can contain multiple documents and their metadata. One feature of documents in OneDrive and SharePoint is file versioning, which the autosave feature uses whenever a change is made. By default, a document can have up to 500 versions, but this setting is configurable and can be lowered, for example to just one.
Two possible methods of attack
"Each document library in SharePoint Online and OneDrive has a user-configurable setting for the number of saved versions, which the site owner can change, regardless of their other roles," the Proofpoint researchers explain. "They do not have to have stewardship or related privileges. Version settings can be found under the Settings list for each document library."
This opens up two modes of attack. In the first, the attacker makes 501 changes, encrypting the file after each one. This way, all 500 previously stored versions are overwritten by encrypted versions of the document. The drawback of this technique is that it takes a lot of time and resources, because the encryption operation has to be repeated many times. The second, faster way is to change the version setting to 1 and then make just two changes, encrypting the file after each. This deletes all previously saved versions, at least those directly accessible to the user or the organization they belong to.
A limited attack vector
One limitation of this attack concerns documents stored on an endpoint and synchronized to the cloud. If the attacker does not also have access to the endpoint, the file can be restored from the user's local copy. Another potential limitation is recovery through Microsoft Support. According to Proofpoint, the company contacted Microsoft to report this abuse scenario, and Microsoft said its customer support staff could restore versions of the file from the preceding 14 days. This likely relies on an automated backup system that is not directly accessible to users or organizations. However, Proofpoint researchers say they tried to restore older versions of the documents through Microsoft Support and did not succeed.
The company advises organizations to track versioning configuration changes in their Office 365 tenant. Changes to version management settings are uncommon and should be treated as suspicious activity. Implementing strong password and multi-factor authentication policies, reviewing third-party apps with OAuth access to accounts, and maintaining an external backup policy that covers cloud files are also strongly recommended.
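The two attack modes above and the recommended monitoring of versioning changes, as an added example that is not from the article or from Proofpoint. It is a constructed toy model of a document library, not Microsoft's implementation: it assumes the version limit counts prior versions (so a limit of 1 keeps the current version plus one earlier one), that trimming happens on each save, and it uses a stub in place of real encryption, since only the version bookkeeping matters.

```python
"""Toy model of document-library versioning (constructed simplification, not
SharePoint's actual code) showing why lowering the version limit turns a
501-write purge into a 2-write one, plus a defender check on limit changes."""
from dataclasses import dataclass, field


@dataclass
class DocumentLibrary:
    version_limit: int = 500  # default cited in the article
    versions: list = field(default_factory=list)  # oldest ... newest (current)
    audit: list = field(default_factory=list)  # constructed audit trail

    def save(self, content: str) -> None:
        """Autosave stores a new version and trims versions beyond the limit.
        Assumption: the limit counts prior versions, current one excluded."""
        self.versions.append(content)
        keep = self.version_limit + 1
        if len(self.versions) > keep:
            del self.versions[: len(self.versions) - keep]

    def set_version_limit(self, new_limit: int) -> None:
        """Site-owner action; recorded so the defender check can inspect it."""
        self.audit.append(("VersionLimitChanged", self.version_limit, new_limit))
        self.version_limit = new_limit


def encrypt_stub(round_no: int) -> str:
    """Stand-in for the attacker's encryption output (hypothetical)."""
    return f"<encrypted round {round_no}>"


def plaintext_recoverable(lib: DocumentLibrary, original: str) -> bool:
    """True while at least one clean version is still in the history."""
    return original in lib.versions


def writes_needed_to_purge(lib: DocumentLibrary, original: str) -> int:
    """Count encrypt-and-save cycles until no clean version remains."""
    n = 0
    while plaintext_recoverable(lib, original):
        n += 1
        lib.save(encrypt_stub(n))
    return n


def suspicious_limit_changes(audit: list) -> list:
    """Defender check: any reduction of the version limit is rare and
    worth alerting on, as the article recommends."""
    return [e for e in audit if e[0] == "VersionLimitChanged" and e[2] < e[1]]
```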