In a sequence that suggests cloud services may be more vulnerable than many think, Proofpoint researchers have demonstrated how hackers could take over Microsoft 365 accounts to ransom files stored on SharePoint and OneDrive.
Proofpoint researchers outlined how hackers could collect, encrypt and exfiltrate critical data in an attack-chain diagram.
The diagram shows the whole attack chain, from initial access to compromise and ultimately monetization. There is not a lot new in the chain itself, but the researchers highlighted how the situation could become critical in the context of Microsoft cloud-based infrastructures.
Many IT and security teams assume that cloud drives are more resilient to ransomware than on-premises file servers, but that is not the case. Most operations in Microsoft 365 can be automated through APIs, command-line tools and PowerShell scripts, and an attacker holding a compromised session can use the same automation. By changing the list and versioning settings of a document library, the attacker can affect every file in that library on a SharePoint site or in a OneDrive account.
A successful attack on these files and services would have significant impact such as locking critical data for a huge number of collaborators.
How Hackers Could Leverage the Version Number
The first steps in the cloud ransomware attack chain may involve classic techniques such as phishing, spear phishing, or brute force to compromise accounts and steal credentials. Hackers could also trick users into consenting to a rogue third-party OAuth app that requests the SharePoint or OneDrive permission scopes.
Next, the attackers enumerate the files the compromised account can reach in Microsoft 365. Proofpoint explained that the attack then abuses the version history produced by the “AutoSave” feature.
AutoSave writes a new version to the cloud every time a user edits a file, and the document library retains the older versions in its version history. Many users treat that history (together with the recycle bin) as a backup. It is convenient in the short term, but it is not a proper backup: it lives inside the same account and library that the attacker now controls. If it is the only copy you have, a ransomware attack that trims or exhausts the version history leaves the data unrecoverable.
Microsoft stores various data such as calendars, photos, and other documents in lists. A SharePoint list is basically a table that contains rows for data and columns for metadata; SharePoint calendars, for example, are lists. Document libraries used in SharePoint or OneDrive are special lists where you can upload, create, update, and share documents.
Every list has its own settings, and those include versioning settings. The number of versions a document library keeps can be lowered, and once it is, older versions are discarded as new ones are written, so they can no longer be restored. This is one of the vectors an attacker can use to maximize damage. For example, with the limit set to 1, only the most recent version is kept: once the attacker has overwritten each file with encrypted content more times than the limit allows, no clean version remains.
Another technique is to flood the history with new versions until the originals fall outside the default limit of 500 versions in OneDrive, but the researchers concluded it is unlikely, as it would require far more compute and scripting than simply lowering the limit.
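The versioning limit described above is an ordinary list property, which is why an attacker can change it with the same tooling an administrator uses. As an added example (not Proofpoint's code and not from the original article), the following PnP PowerShell script reads that property for every document library in a site, flags libraries where versioning is disabled or the retained version count has been lowered, and optionally drives it back up. The site URL, the 500-version threshold and the interactive login are assumptions; depending on the PnP.PowerShell version, Connect-PnPOnline may also require a -ClientId for your own app registration.

```powershell
# Added example: audit (and optionally repair) document-library versioning
# with PnP PowerShell. Assumes the PnP.PowerShell module is installed and the
# signed-in account can administer the target site. Site URL is a placeholder.
param(
    [string]$SiteUrl = "https://contoso.sharepoint.com/sites/finance",  # placeholder
    [int]$MinMajorVersions = 500,   # keep at least this many versions per file
    [switch]$Fix                    # without -Fix the script only reports
)

Import-Module PnP.PowerShell -ErrorAction Stop
Connect-PnPOnline -Url $SiteUrl -Interactive

# BaseTemplate 101 is a document library. Request the versioning properties
# explicitly so they are populated on each list object.
$libraries = Get-PnPList -Includes EnableVersioning, MajorVersionLimit, BaseTemplate, Hidden |
    Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }

foreach ($lib in $libraries) {
    # A library is weak if versioning is off or fewer versions are kept than
    # we require. An attacker lowering the limit to 1 (via this same
    # Set-PnPList cmdlet) would show up here as limit=1.
    $weak = (-not $lib.EnableVersioning) -or ($lib.MajorVersionLimit -lt $MinMajorVersions)
    $state = if ($weak) { "WEAK" } else { "ok" }
    Write-Host ("{0,-5} {1,-40} versioning={2} limit={3}" -f `
        $state, $lib.Title, $lib.EnableVersioning, $lib.MajorVersionLimit)

    if ($weak -and $Fix) {
        # Restore versioning and the retained version count.
        Set-PnPList -Identity $lib.Id -EnableVersioning $true -MajorVersions $MinMajorVersions
        Write-Host "      -> set EnableVersioning=true, MajorVersions=$MinMajorVersions"
    }
}

Disconnect-PnPOnline
```

Run it read-only first across your sites, then with -Fix once the list of weak libraries has been reviewed. A library whose limit drops from 500 to 1 between two runs is exactly the precondition the research describes, so keeping the report output in a ticket or SIEM gives you a cheap change-detection signal on top of the remediation.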
Microsoft’s Reaction Surprises Researchers
Microsoft responded that this is not a vulnerability: the versioning settings are working as designed. The company added that its support team can help recover files for up to 14 days after data loss.
However, Proofpoint reported that this recovery procedure failed during its tests. The researchers added that even if the behaviour matches the original intent of the feature, it is still open to abuse that can maximize the impact of cloud ransomware attacks.
The research suggests that the cloud is not as safe as many have hoped, even when the service is run by a tech giant like Microsoft. “Cloud” is largely a marketing term that describes one more way of delivering IT. In the end, cloud services still run on servers, protocols and features that attackers will try to compromise.
It is not the first time that Microsoft’s approach to cybersecurity has been questioned, and as the largest software and IT vendor, its products account for a large share of the vulnerabilities known to be exploited in the wild.
OneDrive, SharePoint, and similar services are attractive targets for threat actors, so companies need their own security controls and backups in place rather than relying on the provider's defaults.
How to Protect Against Microsoft 365 Risk
The researchers recommend hybrid approaches, such as keeping copies of cloud data in local sync folders, to mitigate the risk: an attacker who has only compromised the cloud account cannot reach files on local disks and endpoints. The caveat is that a sync client mirrors cloud-side changes down to the endpoint, so a continuously synced folder may end up holding the encrypted versions too; a copy that is not live-synced, or a separate endpoint backup, is the safer assumption.
Of course, all the classic security hygiene around ransomware is also recommended, which may include the following:
- Offline backups (at least one version)
- Efficient and tested recovery procedures
- Regular audits and pentests
- Cybersecurity awareness and training
- Hardening configurations (e.g., MFA, disabling hyperlinks in emails)
- Revoking unnecessary or unverified third-party apps
Companies should prepare for post-exploitation after initial access and compromise, as there’s no bulletproof cloud-based infrastructure that will magically save the day.
It is also a matter of vision and decisions. No one wants constraining and time-consuming procedures, so some will object to security measures such as additional authentication and other policies. While the purpose of cybersecurity is certainly not to obstruct the business, convenience should not prevail over safety.