A flaw has been identified in Microsoft’s SharePoint and OneDrive that allows ransomware actors to encrypt files stored in these cloud applications so that users cannot recover them without backups or a decryptor obtained from the attackers.
In this attack, the threat operators leverage the two applications’ “versioning” feature, which lets users create and save several versions of files in document libraries; the versioning settings can be changed even without elevated permissions.
The ransomware operators first impersonate a user to gain access to the cloud applications, then reduce the file versioning limit to as low as “1.” This lets the threat actors encrypt each file more times than the versioning limit allows, so every retained version is an encrypted one. Once the older, clean versions have been purged and only encrypted versions remain, the attackers can begin their ransom demands against the victimised organisation.
With the versioning limit reduced, users would find it difficult to recover the lost files, and the threat actors could re-encrypt the remaining files as many times as they want.
After the files are encrypted, organisations would be left with no choice but to acquire the decryption keys from the ransomware attackers, unless they have backups kept outside of the cloud applications.
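To make the retention mechanism concrete, here is an added Python example (constructed for this article; it is not code from Microsoft or from the researchers who reported the technique). It models a file whose version history is capped at the library’s versioning limit, reports how many unencrypted versions survive a given number of encrypted overwrites, and includes a simple configuration check that flags libraries whose limit has dropped below a policy floor. The sample file name, the library inventory and the floor value are assumed data, and the bounded-history model is a simplification rather than the services’ actual implementation.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class VersionedFile:
    """Constructed model of one file in a document library whose version
    history is capped at `limit` retained versions (the library's versioning
    limit). This is a simplification of how the real services retain
    versions, not their implementation."""
    name: str
    limit: int
    versions: deque = field(default_factory=deque)

    def save(self, content: str, encrypted: bool = False) -> None:
        # Each save becomes a new version; once the cap is exceeded the oldest
        # version is discarded. That pruning is what makes a low limit dangerous.
        self.versions.append((content, encrypted))
        while len(self.versions) > self.limit:
            self.versions.popleft()

    def clean_versions(self) -> int:
        """Number of retained versions that are still unencrypted."""
        return sum(1 for _, enc in self.versions if not enc)


def clean_versions_after(limit: int, overwrites: int) -> int:
    """Start from one clean version, apply `overwrites` encrypted saves, and
    report how many recoverable (unencrypted) versions survive."""
    doc = VersionedFile("quarterly-report.docx", limit)  # assumed sample file
    doc.save("original plaintext")
    for i in range(overwrites):
        doc.save(f"<encrypted blob {i}>", encrypted=True)
    return doc.clean_versions()


def libraries_below_floor(version_limits: dict[str, int], floor: int) -> list[str]:
    """Configuration check: return the libraries whose versioning limit is
    below the organisation's policy floor, so a lowered limit is noticed
    before files are overwritten rather than after."""
    return sorted(name for name, limit in version_limits.items() if limit < floor)


if __name__ == "__main__":
    # With a large limit such as the 500-version default, a few overwrites
    # leave the original recoverable.
    print(clean_versions_after(limit=500, overwrites=3))   # 1
    # With the limit reduced to 1, a single overwrite removes the only clean copy.
    print(clean_versions_after(limit=1, overwrites=1))     # 0
    # Assumed inventory of libraries and their current limits.
    inventory = {"Finance": 500, "HR": 1, "Engineering": 200, "Legal": 2}
    print(libraries_below_floor(inventory, floor=100))     # ['HR', 'Legal']
```

The second function is where a defender would feed real data: an inventory of each library’s current versioning limit, pulled from the tenant’s list settings, checked on a schedule so that an unexpected drop in the limit is treated as an alert rather than discovered when recovery fails.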
There are three ways the ransomware gangs could infiltrate the two cloud applications. First, a staff member’s user account could be compromised through phishing. Second, the attackers could brute-force their way into an organisation’s servers. Lastly, they could trick users into granting consent to third-party OAuth applications with app scopes for SharePoint or OneDrive access.
Experts also see the possibility of threat groups hijacking an active user’s web session to take over the live API token for SharePoint or OneDrive.
Since the attack technique requires the user’s account to have been fully compromised, people are strongly advised to maintain strong cybersecurity practices at all times. These include not clicking suspicious links in emails or on websites, not opening attachments from unknown senders, and not accepting file transfers from suspicious sources.
Nonetheless, Microsoft has clarified that older versions of deleted files can be recovered for an additional 14 days, provided the affected victims contact Microsoft Support for assistance.
Furthermore, users are advised to keep external backups of their sensitive files outside of their organisation’s cloud storage apps, so that their data remains safe even if such an incident occurs.