Cybersecurity Threat Advisory 0034-22: Microsoft Office 365 functionality exposes SharePoint and OneDrive data to ransomware attacks
Security researchers recently found an existing file version control functionality in Microsoft 365 and Office 365 enables threat actors to encrypt files stored with ransomware. The process used to encrypt these files can make them unrecoverable when proper backup is not used or without a decryption key from the threat actor.
Technical Detail & Additional Information
WHAT IS THE THREAT?
Files stored in SharePoint Online and OneDrive within the Microsoft 365 and Office 365 suites can be encrypted by threat actors by taking advantage of an existing Microsoft 365 functionality. Security researchers described an attack chain which explains the methods an attacker can take to encrypt these files within compromised users’ accounts. The first method is to gain initial access to one or more users’ SharePoint Online or OneDrive accounts through compromising or hijacking the users’ identities. The second method is using Account Takeover and Discovery in which attackers have access to all files contained within the compromised account. The third method is Collection and Exfiltration where it limits the versioning of files to a low number such as 1. With a number limit set to 1, the file would be encrypted twice. The fourth method is Monetization in which all the original file versions, prior to the attack, are
lost; leaving only the encrypted versions in the cloud account.
WHY IS IT NOTEWORTHY?
SharePoint Online and OneDrive are two of the most popular enterprise cloud apps used amongst many organizations. The attack chain described by researchers indicates that ransomware actors can easily target organizations’ data that is stored in the cloud and initiate attacks. If an attacker gains full access to one or more users’ SharePoint Online or OneDrive accounts, they can compromise the data stored on the accounts.
WHAT IS THE EXPOSURE OR RISK?
This only impacts Microsoft 365 SharePoint Online and OneDrive. Once an attacker gains full access to a compromised account, they can encrypt files and hold it for ransom. Any organization without a third-party backup can lose access to all of their data that was stored in these cloud accounts.
WHAT ARE THE RECOMMENDATIONS?
Barracuda MSP recommends the following:
- Identify high risk users who are receiving higher amounts of cloud, email, and web attacks
- Maintain a strong password policy with multi-factor authentication (MFA), as well as utilize a least-privileges, principles-based access policy across cloud apps
- Employ a third-party backup for cloud data reduce the risk of data loss. Microsoft recommends the use of third-party backup for the safety of your files
- Proactively monitor & remediate account compromises and third-party application abuse.
- Prevent sensitive data downloads and large-scale data downloads to unmanaged devices. This will prevent and reduce the potential for double extortion tactics in ransomware.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact Barracuda Security Operations Center