June 22, 2022
Cyber Security

Ransomware Encryption on Cloud Storage Service OneDrive

Cloud storage is widely believed to be a safer place for your files when it comes to malware and ransomware. With backup tools and auto-save features, there always seem to be multiple versions of the files you’re working on. According to a discovery by Proofpoint, that can easily change once an attacker gains access to your account.

How do Microsoft SharePoint and OneDrive deal with AutoSave?

How these autosave features work is simple: changes are saved into “versions.” This comes in handy when you open a document that is missing information or is damaged; simply view the version history to return to a previous AutoSave. But even with these versions, your files aren’t as safe as you may think. It’s relatively easy to change how many versions of your files are kept, even down to just 1 version of the file.

How Does This Attack Work?

Once the attacker gains access to SharePoint Online and OneDrive user accounts, they could go down the path of adjusting versioning settings. Once these settings are changed, they can start encrypting files, and because they’re changing the setting from, for example, 500 revisions for a file to a single version, it’s easier to start locking files discreetly.
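For defenders, the sequence described above (a sharp drop in the version limit, then a burst of file changes) is something you can look for. The following is an added example, not code from Proofpoint or Microsoft: the event schema, operation names, thresholds and sample data are all constructed assumptions, so map them to whatever your audit log actually records.

```python
from datetime import datetime, timedelta

def _ev(hhmm, user, op, library, **extra):
    """Build one constructed event in a hypothetical, simplified audit schema."""
    return {"time": f"2022-06-20T{hhmm}:00", "user": user, "op": op,
            "library": library, **extra}

# Constructed sample data; field and operation names are assumptions,
# not a real SharePoint/OneDrive audit log format.
EVENTS = (
    [_ev("09:00", "alice", "version_limit_changed", "Finance", old=500, new=400),
     _ev("10:00", "bob", "version_limit_changed", "HR", old=500, new=1)]
    + [_ev(f"10:0{i}", "bob", "file_modified", "HR") for i in range(1, 7)]
    + [_ev("11:00", "carol", "version_limit_changed", "Legal", old=50, new=5),
       _ev("11:05", "carol", "file_modified", "Legal")]
    + [_ev(f"10:1{i}", "dave", "file_modified", "HR") for i in range(6)]
)

def find_version_limit_alerts(events, min_safe_limit=10,
                              window=timedelta(minutes=30), burst=5):
    """Flag version-limit reductions below min_safe_limit, and raise severity
    when the same user then modifies many files in that library within window."""
    parsed = sorted(((datetime.fromisoformat(e["time"]), e) for e in events),
                    key=lambda pair: pair[0])
    alerts = []
    for t0, change in parsed:
        if change["op"] != "version_limit_changed":
            continue
        # Only reductions that leave fewer restore points than policy allows.
        if not (change["new"] < change["old"] and change["new"] < min_safe_limit):
            continue
        edits = [e for t, e in parsed
                 if e["op"] == "file_modified"
                 and e["user"] == change["user"]
                 and e["library"] == change["library"]
                 and t0 <= t <= t0 + window]
        alerts.append({
            "user": change["user"], "library": change["library"],
            "old": change["old"], "new": change["new"],
            "edits_after": len(edits),
            "severity": "high" if len(edits) >= burst else "review",
        })
    return alerts

if __name__ == "__main__":
    for alert in find_version_limit_alerts(EVENTS):
        print(alert)
```

A reduction on its own is still worth a "review" alert, since the setting change is what removes your restore points; the follow-up burst of edits only raises the priority.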

[Figure: "Versioning Limit Attack Visualized". Top: two locked files going down through the versions, labelled "Multiple versions to encrypt takes; time, resources, and risk of detection". Bottom: one locked file, labelled "version settings changed, to minimum for most damage at fastest rate by attacker."]

How can an account become compromised?

- Via user credentials: this can be any direct way, such as weak passwords, brute-force attacks, phishing, and other credential-compromising tactics.

- Third-party OAuth applications: tricking users into authenticating a third-party application that’s not legitimate could give access to the attacker.

- Hijacked sessions: this could happen by taking over a session that’s logged in through the web or by hijacking an API token from SharePoint or OneDrive.

What should you be doing to protect your organization from attacks like this?

Great question! There are easy-to-follow steps that help make sure you’re taking proper precautions, most of which you’re probably already following. These tips are good to follow even if you’re not using OneDrive or SharePoint, simply to keep yourself and your organization safe from attackers.

MAINTAIN A STRONG PASSWORD POLICY so that everyone at your organization is following best practices and keeping secure documents safe from common attacks due to weak passwords.

ENABLE MULTI-FACTOR AUTHENTICATION wherever possible; an added layer of security will help stop an attacker who managed to crack a password.

PLAN YOUR DISASTER RECOVERY AND BACKUP SOLUTION to ensure that if your files are damaged or compromised, you have a plan to minimize risk and minimize the delay in your return to normal.

REVIEW LINKED ACCOUNTS so you can remove apps or adjust privileges for the apps you trust, and ensure you’re minimizing the risk of compromised accounts connected to third-party services.

To learn more about this discovery, visit Proofpoint, where you’ll find a lot more details on how they found out about this and what Microsoft is doing to solve this problem.
