Proofpoint’s IT security researchers stumbled across a feature in Microsoft 365 (Office 365), specifically in OneDrive and SharePoint, that makes it easier for attackers to encrypt data. Users and administrators often assume that such cloud storage is safe from this, since the data is protected by file versioning.
In a blog post, the IT analysts write that ransomware attacks have so far mainly targeted end devices and network drives. This could change because attackers can reduce the number of versions kept on the cloud systems.
Attack scenario for SharePoint and OneDrive
The IT researchers describe the following attack scenario:
Gain initial access: Attackers must first gain access to one or more SharePoint Online or OneDrive accounts by compromising or hijacking user identities, for example through phishing.
Account takeover and reconnaissance: Attackers now have access to any file that belongs to the hijacked user account or that can be reached via OAuth-based third-party applications.
Collection and exfiltration: The attackers reduce the number of versions to be kept to a low number, for example 1. Now they only have to encrypt the file twice, and the victim no longer has a usable backup in the cloud. This is where the ransomware attack differs from the previous endpoint-based variant. Before encrypting, the cybercriminals could also copy the data in order to use a double-extortion strategy if necessary.
Monetization: Since all file versions from before the attack are now lost and only the encrypted versions are available, the attackers can blackmail the organization for ransom.
A potential attack on lists and document libraries in SharePoint looks similar. Proofpoint writes that the company contacted Microsoft about this. Microsoft responded that the feature was working as intended and that potential victims could still use support to restore older file versions up to 14 days after an attack. Proofpoint tried this as an example, but this recovery attempt failed.
IT managers should therefore take into account in their IT security plans that cloud systems such as Microsoft's cannot be relied on as a data backup when in doubt. Instead, they should include the documents, lists and files stored there in their own backup strategy.
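A detection sketch for the scenario above, added here as an example and not taken from Proofpoint or Microsoft: it flags files that are overwritten more often than a freshly lowered version limit retains. The event and field names are hypothetical, the records are constructed, and the rule that N+1 overwrites exhaust a limit of N generalizes the article's "limit 1, encrypt twice" case.

```python
from datetime import datetime, timedelta

# Constructed audit records. Event and field names are hypothetical and do NOT
# mirror the Microsoft 365 audit log schema; map your own log source onto them.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:00", "user": "alice", "event": "version_limit_changed",
     "library": "Finance", "old_limit": 500, "new_limit": 1},
    {"time": "2024-01-10T09:05:00", "user": "alice", "event": "file_modified",
     "library": "Finance", "file": "budget.xlsx"},
    {"time": "2024-01-10T09:06:00", "user": "alice", "event": "file_modified",
     "library": "Finance", "file": "budget.xlsx"},
    {"time": "2024-01-10T09:07:00", "user": "alice", "event": "file_modified",
     "library": "Finance", "file": "report.docx"},
    {"time": "2024-01-10T10:00:00", "user": "bob", "event": "file_modified",
     "library": "HR", "file": "policy.docx"},
    {"time": "2024-01-10T10:01:00", "user": "bob", "event": "file_modified",
     "library": "HR", "file": "policy.docx"},
]


def find_version_flush(events, window=timedelta(hours=24)):
    """Return (library, file, user) for files overwritten more often than a
    freshly lowered version limit retains, i.e. no pre-change version is left."""
    lowered = {}  # library -> (change time, new limit, user who changed it)
    writes = {}   # (library, file) -> overwrites since the limit was lowered
    alerts = []
    for e in sorted(events, key=lambda ev: datetime.fromisoformat(ev["time"])):
        when = datetime.fromisoformat(e["time"])
        lib = e["library"]
        if e["event"] == "version_limit_changed":
            # A new setting starts a fresh observation period for this library.
            writes = {k: n for k, n in writes.items() if k[0] != lib}
            if e["new_limit"] < e["old_limit"]:
                lowered[lib] = (when, e["new_limit"], e["user"])
            else:
                lowered.pop(lib, None)
        elif e["event"] == "file_modified" and lib in lowered:
            changed_at, limit, actor = lowered[lib]
            if when - changed_at > window:
                continue
            key = (lib, e["file"])
            writes[key] = writes.get(key, 0) + 1
            # Assumption: with limit N, overwrite N+1 evicts the last pre-change
            # version (limit 1 -> two overwrites, as in the scenario above).
            if writes[key] == limit + 1:
                alerts.append((lib, e["file"], actor))
    return alerts
```

On the sample data only `budget.xlsx` in the `Finance` library is reported; the repeated edits in `HR` are ignored because no version limit was lowered there.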