Security firm Proofpoint has announced that it has uncovered a “potentially dangerous piece of functionality” in Microsoft Office 365.
According to Proofpoint, the activity allows ransomware to encrypt files stored on SharePoint and OneDrive in a way that renders them unrecoverable without dedicated backups or a decryption key from the attacker.
Once executed, the attack encrypts the files in the compromised users’ accounts, which can then be recovered only with the attacker’s decryption keys; in that respect it is similar to any endpoint ransomware activity.
Proofpoint said that these actions can be automated using Microsoft APIs, command-line interface (CLI) scripts and PowerShell scripts.
Initial Access: Gain access to one or more users’ SharePoint Online or OneDrive accounts by compromising or hijacking users’ identities.
Account Takeover & Discovery: The attacker now has access to any file owned by the compromised user or controlled by the third-party OAuth application (which would include the user’s OneDrive account as well).
Collection & Exfiltration: Reduce the versioning limit of the document library to a low number, such as 1, to keep it simple. Encrypt each file more times than the versioning limit, in this case twice. This step is unique to cloud ransomware compared to the attack chain for endpoint-based ransomware. In some cases, the attacker may also exfiltrate the unencrypted files as part of a double extortion tactic.
Monetization: Now all original (pre-attacker) versions of the files are lost, leaving only the encrypted versions of each file in the cloud account. At this point, the attacker can ask for a ransom from the organization.
Proofpoint said the three most common paths that attackers would take to gain access to one or more users’ SharePoint Online or OneDrive accounts are:
Account compromise: Directly compromising the users’ credentials to their cloud account(s) through phishing, brute force attacks, and other credential compromise tactics
Third-party OAuth applications: Tricking a user to authorize third-party OAuth apps with application scopes for SharePoint or OneDrive access
Hijacked sessions: either hijacking the web session of a logged-in user or hijacking a live API token for SharePoint Online and/or OneDrive
As a precaution, Proofpoint recommends steps that users can take to shore up their Office 365 accounts. These include improving security hygiene around ransomware and updating disaster recovery and data backup policies to reduce losses in the event that ransomware is discovered.
If risky configuration change detectors are triggered:
· Increase restorable versions for the affected document libraries in your Microsoft 365 or Office 365 settings immediately
· Identify whether any previous account compromise or risky configuration change alerts exist for this Office 365 account
· Hunt for suspicious third-party app activity. If found, revoke OAuth tokens for malicious or unused third-party apps in the environment
· Identify whether the user has shown previous out-of-policy behavior patterns across cloud, email, web, and endpoint (negligence with sensitive data, risky data manipulation, and risky OAuth app actions)
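The versioning-limit step in the attack chain and the first recommendation above both come down to one library setting. The following PowerShell script is an added example, not Proofpoint’s or Microsoft’s code: it audits every document library in a SharePoint Online site for versioning that is disabled or capped below a policy threshold, and can optionally raise the limit. It assumes the PnP.PowerShell module is installed; the site URL, the 100-version threshold and the `-Remediate` switch are assumptions for illustration.

```powershell
# Added example (not from the article, Proofpoint or Microsoft).
# Assumes PnP.PowerShell is installed and the caller has site-owner rights.
param(
    [Parameter(Mandatory)] [string]$SiteUrl,   # e.g. https://contoso.sharepoint.com/sites/finance (placeholder)
    [int]$MinimumVersions = 100,               # assumed policy threshold for restorable versions
    [switch]$Remediate                         # when set, raise the limit instead of only reporting
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# Only visible document libraries matter here; system lists are skipped.
$libraries = Get-PnPList | Where-Object { $_.BaseType -eq 'DocumentLibrary' -and -not $_.Hidden }

foreach ($lib in $libraries) {
    # Versioning properties are not always populated by Get-PnPList, so load them explicitly.
    Get-PnPProperty -ClientObject $lib -Property EnableVersioning, MajorVersionLimit | Out-Null

    # A library with versioning off, or a limit an attacker could exhaust with a
    # handful of overwrites, is the risky configuration the detectors should flag.
    $risky = (-not $lib.EnableVersioning) -or ($lib.MajorVersionLimit -lt $MinimumVersions)

    [pscustomobject]@{
        Library           = $lib.Title
        VersioningEnabled = $lib.EnableVersioning
        MajorVersionLimit = $lib.MajorVersionLimit
        Risky             = $risky
    }

    if ($risky -and $Remediate) {
        Set-PnPList -Identity $lib.Id -EnableVersioning $true -MajorVersions $MinimumVersions
        Write-Warning "Raised restorable versions on '$($lib.Title)' to $MinimumVersions"
    }
}
```

Run it without `-Remediate` first to review which libraries would be changed; a limit that has dropped since the last run is itself worth correlating with the account-compromise and OAuth-app checks listed above.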