June 16 — According to security researchers, a file-versioning feature of Microsoft SharePoint and OneDrive can be abused by ransomware to encrypt files stored on those services.
‘Potentially dangerous’ flaw
Once ransomware encrypts files stored on SharePoint and OneDrive, the files cannot be recovered without backups or a decryption key supplied by the attacker.
How the attack functions
SharePoint and OneDrive represent two of the most popular enterprise cloud applications. Upon execution, the attack encrypts files in the compromised users’ accounts. As with any ransomware deployment, files are only recoverable via backups or specialized decryption keys.
Actions can be automated with Microsoft APIs, command-line interface (CLI) scripts and PowerShell scripts, according to cyber security researchers.
1. Initial access. Hackers access one or more SharePoint Online or OneDrive accounts via compromised user identities.
2. Account takeover and discovery. At this point, the attacker can access any file owned by the compromised user or managed by the third-party OAuth application. This includes a user’s OneDrive account.
3. Collection and exfiltration. Hackers reduce the versioning limit of the files for simplicity. Then, they encrypt each file more times than the versioning limit allows (twice), so that no unencrypted version is retained. Compared with the attack chain for endpoint-based ransomware, this cloud-ransomware step is considered unique. In some instances, the hacker may also exfiltrate the unencrypted files as part of a double extortion scheme.
4. Monetization. Once the hacker has completed the previous steps, all original (pre-attack) versions of the files have been purged. This is where the attacker demands a ransom payment from the organization.
Modification of list settings in containers
Through this attack, hackers can modify list settings in containers within SharePoint and OneDrive. A list is a Microsoft web component that stores content such as tasks, calendars, issues, photos and files within SharePoint Online. People primarily use such accounts to store documents. According to researchers, “document library” is the No.1 term associated with OneDrive.
A document library functions as a unique list type on a SharePoint site or OneDrive account. People can upload, create and collaborate on documents in this space.
Version settings for lists and document libraries are accessible via the list settings. In the list of steps above, hackers modify these list settings during the collection and exfiltration step. This affects all files within that specific document library.
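As an added illustration of how a defender might look for the step-3 sequence described above (a document library's versioning limit lowered, then files in that library modified more times than the new limit allows), here is a small Python detector run over constructed audit-style events. This is example code written for this article, not Microsoft's or the researchers' tooling; the event schema, field names and sample data are assumptions, not the real Microsoft 365 audit log format.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified schema assumed for this example
# (NOT the real Microsoft 365 audit log format).
def build_sample_events():
    t0 = datetime(2022, 6, 16, 9, 0, 0)
    events = [{"time": t0, "user": "alice", "op": "VersionLimitChanged",
               "library": "Documents", "new_limit": 1}]
    for i in range(25):                    # alice then rewrites 25 files twice
        for pass_no in range(2):
            events.append({"time": t0 + timedelta(minutes=1 + i, seconds=pass_no),
                           "user": "alice", "op": "FileModified",
                           "library": "Documents", "file": f"doc{i}.docx"})
    for i in range(30):                    # bob: ordinary edits, no limit change
        events.append({"time": t0 + timedelta(minutes=i), "user": "bob",
                       "op": "FileModified", "library": "Documents",
                       "file": f"report{i}.docx"})
    return events

def detect_versioning_ransomware(events, window_minutes=60, min_files=10,
                                 suspicious_limit=1):
    """Flag (user, library) pairs where the version limit was lowered to
    suspicious_limit or below and, within window_minutes afterwards, the same
    user modified at least min_files distinct files more times than the new
    limit allows, i.e. every earlier version of those files is gone."""
    lowered = {}   # (user, library) -> (time of change, new limit)
    mods = {}      # (user, library) -> {file: modification count}
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], ev["library"])
        if ev["op"] == "VersionLimitChanged" and ev["new_limit"] <= suspicious_limit:
            lowered[key] = (ev["time"], ev["new_limit"])
            mods[key] = {}
        elif ev["op"] == "FileModified" and key in lowered:
            changed_at, _ = lowered[key]
            if ev["time"] - changed_at <= timedelta(minutes=window_minutes):
                mods[key][ev["file"]] = mods[key].get(ev["file"], 0) + 1
    alerts = []
    for key, (changed_at, limit) in lowered.items():
        overwritten = [f for f, n in mods[key].items() if n > limit]
        if len(overwritten) >= min_files:
            alerts.append({"user": key[0], "library": key[1], "limit_set_to": limit,
                           "files_overwritten": len(overwritten),
                           "limit_changed_at": changed_at.isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in detect_versioning_ransomware(build_sample_events()):
        print(alert)
```

Only alice is flagged: bob's edits happen without any change to the library's version limit, so they never meet the two-part condition.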
Most common attack pathways
According to security researchers, the three most common avenues of attack involve gaining access to one or more users’ SharePoint online or OneDrive accounts via:
- Account compromise. This involves directly compromising users’ credentials to cloud accounts. Hackers achieve this via phishing, brute force and other credential compromise methodologies.
- Third-party OAuth applications. In this scenario, hackers trick a user into authorizing third-party OAuth apps with application scopes that grant SharePoint or OneDrive permissions.
- Hijacked sessions. This means of access involves either hijacking the web session of a logged-in user or hijacking a live API token for SharePoint Online and/or OneDrive.
Securing Office 365
Improve security for O365 accounts in order to avoid this attack type. Means of doing so include advocating for security hygiene among employees, shoring up ransomware protections, updating disaster recovery plans and ensuring the existence and easy availability of data backups.