Proofpoint identifies Microsoft 365 functionality that opens up new cloud attack vectors

Why is it important: Cybersecurity company Proofpoint recently published findings on a weakness affecting two widely used enterprise cloud applications, SharePoint Online and OneDrive. The firm explained how attackers can abuse the applications' built-in functionality to encrypt and store user files and data in order to demand a ransom. The technique gives attackers another way to go after cloud data and infrastructure.

use is based on a four-stage attack chain that begins with the compromise of a particular user's identity. The attacker uses that person's credentials to access the SharePoint or OneDrive account, changes the versioning settings, and then encrypts the files more times than the version limit, leaving no unencrypted versions of the compromised files behind. Once encrypted, the files can only be accessed with the correct decryption keys.

User accounts can be compromised through brute-force or phishing attacks, improper authorization granted to third-party OAuth applications, or session hijacking. Once an account is compromised, every step of the attack can be scripted and triggered automatically through application programming interfaces (APIs), Windows PowerShell, or the command line interface (CLI).

Versioning is a feature in SharePoint and OneDrive that keeps a historical record of each file, logging every change to the document and the user who made it. Users with the appropriate permissions can view, delete, or restore earlier versions of the document. The number of versions to keep is determined by the library's versioning settings. Changing those settings does not require admin-level permissions; any site owner or user with the appropriate permissions can do it.

The key to this technique is the number of document versions retained. The attacker changes the versioning settings to keep only the desired number of versions per file, then encrypts each file more times than that number, so no unencrypted version remains to be restored.

For example, setting the version limit to one and then encrypting the file twice leaves both the live copy and the only retained version encrypted. At that point the ransomed files can only be recovered with the appropriate decryption key; without it they stay unrecoverable.

Encryption is not the only way to abuse the version retention setting. An attacker can keep a copy of the original document and then make more changes to it than the number of versions retained. For example, if versioning is set to keep the latest 200 copies, the actor can make 201 changes. This ensures that the live copy in SharePoint or OneDrive and every retained version have been altered, while the attacker holds the only original for ransom.
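The retention arithmetic above, together with the defender-side check it suggests, as an added example that is not part of Proofpoint's post: a toy model of a versioned document library (assuming versions beyond the limit are pruned, oldest first, when the next version is saved) and a detector that flags an actor who lowers the version limit and then modifies a file more times than that limit. The event records are constructed and do not follow the real Microsoft 365 audit schema.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class VersionedFile:
    """Constructed model of one library item: the live copy plus a capped
    history. Assumption: excess versions are pruned (oldest first) on save."""
    limit: int
    current: str = "clean:v0"
    history: deque = field(default_factory=deque)

    def modify(self, new_content: str) -> None:
        self.history.append(self.current)   # previous copy becomes a version
        self.current = new_content
        while len(self.history) > self.limit:
            self.history.popleft()          # retention limit drops the oldest

    def recoverable(self) -> bool:
        """True if the live copy or any retained version is still unencrypted."""
        return any(v.startswith("clean") for v in [self.current, *self.history])


def simulate(limit: int, edits: int) -> bool:
    """Apply `edits` encrypting overwrites under a retention `limit` and report
    whether a clean version survives (limit=1, edits=2 is the article's case)."""
    f = VersionedFile(limit=limit)
    for i in range(edits):
        f.modify(f"encrypted:v{i + 1}")
    return f.recoverable()


def flag_version_abuse(events: list[dict]) -> dict[str, set[str]]:
    """Flag actors who lower the version limit and then edit some file more
    times than the new limit, i.e. enough to exhaust every prior version."""
    limit_by_actor: dict[str, int] = {}
    edits: dict[str, Counter] = defaultdict(Counter)
    flagged: dict[str, set[str]] = defaultdict(set)
    for e in events:
        actor = e["actor"]
        if e["op"] == "VersionLimitChanged":
            limit_by_actor[actor] = e["new_limit"]
            edits[actor].clear()            # count only edits under the new limit
        elif e["op"] == "FileModified" and actor in limit_by_actor:
            edits[actor][e["file"]] += 1
            if edits[actor][e["file"]] > limit_by_actor[actor]:
                flagged[actor].add(e["file"])
    return dict(flagged)


SAMPLE_EVENTS = [  # constructed sample, not real audit records
    {"actor": "alice", "op": "FileModified", "file": "budget.xlsx"},
    {"actor": "mallory", "op": "VersionLimitChanged", "new_limit": 1},
    {"actor": "mallory", "op": "FileModified", "file": "plan.docx"},
    {"actor": "mallory", "op": "FileModified", "file": "plan.docx"},
    {"actor": "alice", "op": "FileModified", "file": "budget.xlsx"},
]
```

Running `simulate(1, 2)` and `simulate(200, 201)` both report no recoverable version, while `simulate(200, 200)` still keeps the clean original; `flag_version_abuse(SAMPLE_EVENTS)` flags only mallory's edits to plan.docx.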

The Proofpoint blog contains several recommendations to help protect you and your organization from this type of attack. These recommendations, some of which are based on Proofpoint's own cybersecurity product suite, focus on early detection of high-risk configurations and behaviors, improved access control, and ensuring that sufficient backup and recovery policies are in place.

Image credit: Ransomware attack process from Proof
