Cyber researchers have discovered a proof-of-concept showing that file configuration settings in certain enterprise cloud apps are potentially exploitable by hackers

Cybersecurity researchers have discovered a potentially dangerous configuration function in Office/Microsoft 365 that allows ransomware to encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key from the attacker, showing that ransomware actors can now target organizations’ data in the cloud and launch attacks on cloud infrastructure. 

Ransomware attacks have traditionally targeted data across endpoints or network drives, and cloud drives were thought to be more resilient to ransomware attacks. However, that may not be the case any longer.

The rapid adoption of cloud collaboration tools has led to threat actors to target public cloud infrastructures via ‘cloud account compromise’. The attack chain, according to Proofpoint researchers, goes like this: 

  1. Initial access: Attackers compromise or hijack users identities (via a live API token and other means) to gain access to one or more SharePoint Online or OneDrive accounts
  2. Account takeover and discovery: Attackers now have access to any file in the compromised account, including those controlled by the third-party OAuth application, which would also include the user’s OneDrive account.
  3. Collection & exfiltration: The functionality being exploited is the cloud platform’s versioning mechanism. After encrypting a file, attackers change the versioning limit of files to a low number such as 1, to prevent further access by the original account holder unless a decryption key is paid for (via a ransom payment).

This step is unique to cloud ransomware compared to that in endpoint-based ransomware. In some cases, attackers may exfiltrate the unencrypted files as part of a double extortion tactic

  • Ransomization: With only encrypted versions of each file in the cloud account left, it is time for attackers to demand a ransom

Despite resistance from Microsoft Support about the workability of this exploit, Proofpoint have shown that such file versioning functionalities in cloud platforms can be exploited.