
Microsoft Ransomware Targeting OneDrive and SharePoint Files By Abusing Versioning Configurations


19 JULY 2022

BACKGROUND

A proof-of-concept exploit could give hackers access to Office 365 or Microsoft 365 documents stored on OneDrive or SharePoint and make them inaccessible to the compromised user. It involves “file versioning”, a feature in both OneDrive and SharePoint where a document is autosaved whenever an edit is made.

Documents can have up to 500 versions by default, and this setting is configurable.

As every document library in SharePoint and OneDrive has a user-configurable setting for the number of saved versions, there is no need to hold an administrator role or set privileges to make changes, which allows hackers to attack in two ways.

Firstly, hackers can perform 501 edits and encrypt the file after every change. All previous 500 stored versions will be overwritten with encrypted versions of the document.

The second method modifies the versioning setting to 1 and then makes only two changes, encrypting the file after each one. This discards all previously saved versions that are accessible by the user or the organization that they are part of.
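
Both methods leave a trace a monitoring rule can look for: a change to a library's version limit, or a single file saved more times than the limit within a short window. The following Python is an added example, not part of the original advisory; the event records and their field names are constructed for illustration and are not the Microsoft 365 audit log schema, and the one-hour window is an assumed threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_events():
    """Constructed events; field names are hypothetical, not a Microsoft 365 schema."""
    def edit(user, lib, name, when):
        return {"type": "file_modified", "time": when.isoformat(),
                "user": user, "library": lib, "file": name}
    day = datetime(2022, 7, 19)
    events = [{"type": "version_limit_changed", "time": (day + timedelta(hours=9)).isoformat(),
               "user": "alice", "library": "Finance", "old": 500, "new": 1}]
    # Second method's trace: limit set to 1, then two edits of the same file.
    events += [edit("alice", "Finance", "budget.xlsx", day + timedelta(hours=9, minutes=m))
               for m in (1, 2)]
    # First method's trace: 501 edits of one file, two seconds apart.
    events += [edit("bob", "HR", "payroll.docx", day + timedelta(hours=10, seconds=2 * i))
               for i in range(501)]
    # Ordinary activity: three edits spread over the day.
    events += [edit("carol", "Docs", "notes.docx", day + timedelta(hours=h)) for h in (11, 13, 15)]
    return events

def detect(events, default_limit=500, window=timedelta(hours=1)):
    """Return (alert, user, target) tuples for versioning abuse, in time order."""
    alerts = []
    limits = {}                  # library -> last version limit seen
    edits = defaultdict(list)    # (user, library, file) -> edit times inside the window
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["type"] == "version_limit_changed":
            # Any change to the setting is reported; a reduction is labelled separately.
            limits[ev["library"]] = ev["new"]
            kind = "limit_lowered" if ev["new"] < ev["old"] else "limit_changed"
            alerts.append((kind, ev["user"], ev["library"]))
        elif ev["type"] == "file_modified":
            stamps = edits[(ev["user"], ev["library"], ev["file"])]
            stamps.append(when)
            while when - stamps[0] > window:   # slide the window forward
                stamps.pop(0)
            # limit + 1 saves in one window push out every version older than the burst.
            if len(stamps) == limits.get(ev["library"], default_limit) + 1:
                alerts.append(("version_history_flushed", ev["user"], ev["file"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```
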

 

IMPACT

  • Phishing and malware attacks
  • The user’s authenticated sessions will be hijacked into
  • Users may be tricked into giving a third-party application access to their account via OAuth

 

RECOMMENDATIONS

  • Organizations should monitor file configuration changes in their Office 365 account. Any modifications to the versioning settings should be considered unusual and treated as suspicious behavior.

  • Implement strong password policies and make use of multi-factor authentication.

  • Review third-party applications with OAuth access to accounts

  • Have an external back-up policy that covers cloud files.

  • If you are affected by ransomware:

    1. Immediately stop OneDrive for Business Sync or disconnect the mapped drive to SharePoint library.

    2. Ask your Company Administrator (or affected user) to attempt to restore files:

      • SharePoint: See 'Restore a Document library'
        https://support.microsoft.com/en-us/office/restore-a-shared-library-317791c3-8bd0-4dfd-8254-3ca90883d39a?ui=en-us&rs=en-us&ad=us
      • OneDrive: See 'Restore a OneDrive library' https://support.microsoft.com/en-us/office/restore-your-onedrive-fa231298-759d-41cf-bcd0-25ac53eb8a15?ui=en-us&rs=en-us&ad=us