Why it matters: Cybersecurity firm Proofpoint recently released vulnerability findings related to two popular enterprise cloud applications, SharePoint Online and OneDrive. The firm's findings explain how bad actors can leverage basic functionality in the applications to encrypt a user's files and data and hold them for ransom. The vulnerability gives attackers another avenue to attack cloud-based data and infrastructure.
The exploit relies on a four-step attack chain that begins with a specific user's identity being compromised. The malicious actor uses that user's credentials to access the user's SharePoint or OneDrive accounts, changes the versioning settings, and then encrypts the files multiple times, leaving no unencrypted version of the compromised files. Once encrypted, the files can only be accessed with the correct decryption keys.
User accounts can be compromised by brute-force or phishing attacks, improper authorization through third-party OAuth apps, or hijacked user sessions. Once an account is compromised, every action needed to exploit the vulnerability can be scripted to run automatically through application programming interfaces (APIs), Windows PowerShell, or the command line interface (CLI).
Versioning is a feature in SharePoint and OneDrive that creates a historical record for each file, logging every document change and the user(s) who made it. Users with appropriate permissions can then view, delete, and even restore earlier versions of the document. The number of versions kept is determined by the versioning settings in the application. Version settings do not require administrator-level permissions and can be changed by any site owner or user with sufficient permissions.
Changing the number of document versions retained is key to this exploit. The malicious actor configures the versioning settings to keep the desired number of versions per file. The files are then encrypted more times than the number of versions retained, leaving no recoverable backed-up version.
For example, setting document versioning to one and then encrypting the file twice results in both the master copy and the single retained version being encrypted. At this point the ransomed files must be decrypted with the corresponding decryption key or remain unrecoverable.
Encryption is not the only way the versioning setting can be exploited. The attacker may instead make a copy of the original document and then make more changes to the document than the number of versions being kept. For example, if versioning is set to retain the last 200 copies, the actor can make 201 changes. This ensures that the master copy in SharePoint or OneDrive and all retained backups have been altered while the attacker holds the original copy for ransom.
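The following Python script is an added example, not Proofpoint's code and not a Microsoft API; it models why the versioning mechanism described above fails once a file is overwritten more times than the retention limit, and it shows the kind of defender-side check (a lowered version limit followed by a burst of modifications by the same account) that the detection recommendations point toward. The `VersionedFile` model, the `Event` record layout, the thresholds, and the sample events are all constructed for illustration; the real Microsoft 365 audit log schema differs.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Iterable


@dataclass
class VersionedFile:
    """Document with a capped history of prior versions.

    Constructed model of SharePoint/OneDrive versioning; no real service is
    called. Trimming on every write is a simplification of the real behaviour.
    """
    name: str
    limit: int                                     # prior versions retained
    current: bytes
    history: deque = field(default_factory=deque)  # oldest ... newest

    def set_version_limit(self, limit: int) -> None:
        self.limit = limit

    def write(self, new_content: bytes) -> None:
        self.history.append(self.current)          # current becomes a prior version
        while len(self.history) > self.limit:
            self.history.popleft()                 # oldest versions fall off the end
        self.current = new_content

    def recoverable(self, original: bytes) -> bool:
        """True if the original content can still be restored from the version store."""
        return self.current == original or original in self.history


def simulate_overwrites(limit: int, overwrites: int) -> bool:
    """Lower the version limit, overwrite the file `overwrites` times, and report
    whether the original content is still recoverable."""
    original = b"quarterly-report v1"
    doc = VersionedFile("report.docx", limit=500, current=original)
    doc.set_version_limit(limit)
    for i in range(overwrites):
        doc.write(f"ciphertext-{i}".encode())      # stands in for an encrypted or altered copy
    return doc.recoverable(original)


@dataclass(frozen=True)
class Event:
    """Constructed audit-style record (not the Microsoft 365 audit log schema)."""
    ts: int            # seconds since an arbitrary epoch
    user: str
    op: str            # "VersionLimitChanged" or "FileModified"
    library: str
    item: str = ""     # file name for FileModified
    value: int = 0     # new limit for VersionLimitChanged


def flag_version_limit_abuse(events: Iterable[Event], min_limit: int = 100,
                             window: int = 3600) -> list[tuple[str, str, str]]:
    """Flag (user, library, item) where a user lowered a library's version limit
    below `min_limit` and then modified one item more times than that new limit
    within `window` seconds. Both thresholds are assumptions for this example."""
    ordered = sorted(events, key=lambda e: e.ts)
    flags: list[tuple[str, str, str]] = []
    for i, e in enumerate(ordered):
        if e.op != "VersionLimitChanged" or e.value >= min_limit:
            continue
        counts: dict[str, int] = defaultdict(int)
        for later in ordered[i + 1:]:
            if later.ts - e.ts > window:
                break
            if (later.op == "FileModified" and later.user == e.user
                    and later.library == e.library):
                counts[later.item] += 1
        for item, n in counts.items():
            if n > e.value and (e.user, e.library, item) not in flags:
                flags.append((e.user, e.library, item))
    return flags


SAMPLE_EVENTS = [  # constructed sample data
    Event(0, "alice", "VersionLimitChanged", "docs", value=1),
    Event(10, "alice", "FileModified", "docs", "report.docx"),
    Event(20, "alice", "FileModified", "docs", "report.docx"),
    Event(30, "alice", "FileModified", "docs", "budget.xlsx"),
    Event(0, "bob", "VersionLimitChanged", "hr", value=500),
    Event(15, "bob", "FileModified", "hr", "policy.docx"),
    Event(25, "bob", "FileModified", "hr", "policy.docx"),
]

if __name__ == "__main__":
    print(simulate_overwrites(1, 1), simulate_overwrites(1, 2))          # True False
    print(simulate_overwrites(200, 200), simulate_overwrites(200, 201))  # True False
    print(flag_version_limit_abuse(SAMPLE_EVENTS))  # [('alice', 'docs', 'report.docx')]
```

The simulation reproduces both cases in the text: with a limit of one, a single overwrite still leaves the original in history, while a second overwrite pushes it out; with a limit of 200, the 201st change is the one that removes the last clean copy. The detector only flags an account that both lowered the limit and then exceeded it on the same item, so routine edits under a generous retention setting (the `bob` events) do not fire; in practice the check would be fed from the tenant's audit log and tuned to the organization's normal version limits.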
Proofpoint's blog offers several recommendations to help protect you and your organization from this type of attack. These recommendations, some of which rely on Proofpoint's suite of cybersecurity products, focus on early detection of high-risk configurations and behaviors, enhanced access management, and ensuring adequate backup and recovery policies are in place.
Image credit: Ransomware attack process from Proofpoint