Ransomware could target OneDrive and SharePoint files by abusing versioning configurations

Researchers warn that documents hosted in the cloud might not be out of reach for ransomware actors and that while they’re harder to permanently encrypt due to the automated backup features of cloud service, there are still ways to make life hard for organizations.

Researchers from Proofpoint have devised a proof-of-concept attack scenario that involves abusing the document versioning settings in Microsoft’s OneDrive and SharePoint Online services that are part of Office 365 and Microsoft 365 cloud offerings. Furthermore, since these services provide access to most of their features through APIs, potential attacks can be automated using ​​command-line interface and PowerShell scripts.

Reducing the number of document versions

The attack chain described by Proofpoint starts with hackers compromising one or more SharePoint Online or OneDrive accounts. This can be done in a variety of ways including phishing, infecting the user’s machine with malware then hijacking their authenticated sessions, or tricking users into giving a third-party application access to their account via OAuth.

Regardless of the method, this would give the attackers access to all the documents owned by the compromised user. In SharePoint this is called a document library and is basically a list that can hold multiple documents and their metadata.

One feature of documents in both OneDrive and SharePoint is file versioning, which is used by the autosave function whenever an edit is made. By default, documents can have up to 500 versions, but this setting is configurable, for example to just one.

“​​Every document library in SharePoint Online and OneDrive has a user-configurable setting for the number of saved versions, which the site owner can change, regardless of their other roles,” the Proofpoint researchers explain. “They don’t need to hold an administrator role or associated privileges. The versioning settings are under list settings for each document library.”

Copyright © 2022 IDG Communications, Inc.

News Credit

%d bloggers like this: