Ransomware shows no sign of giving us respite, and a new attack scenario against Office365 now appears possible, exploiting an architectural weakness of the platform. The very recent discovery is the work of Proofpoint researchers and was published in a report available online. The attack focuses on the document versioning mechanism which, once a configured upper limit is reached, deletes the oldest versions of the same file. By abusing document versioning on SharePoint and OneDrive, an attacker can force the deletion of the original documents and leave only encrypted copies, effectively rendering the contents of the cloud share unusable.
How the ransomware attack on Office365 works
The prerequisite for the attackers is to have stolen user credentials, through any of several attack vectors such as phishing. At that point access to the cloud is assured and the attackers can begin the ransomware procedure. The weak link, as already mentioned, is the document versioning system. Assuming the upper limit is 1, editing the file twice causes version 0 to be deleted automatically from the system. If each of those two edits encrypts the file, the original is no longer available to the user and the only accessible version is the encrypted one. In general, the attacker has to overwrite each file more times than the version limit allows.
The mechanism is even more critical because the number of versions kept in SharePoint and OneDrive can be changed without administrative privileges. So while a high value for this setting would make the attack harder to complete, because of the effort needed to exceed the threshold for every file, the upper limit can also be lowered with great ease by anyone allowed to edit the library settings.
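As an added example (not code from the original article, from Proofpoint or from Microsoft), the following Python model reproduces the retention arithmetic described above: a library keeps the current file plus a bounded number of previous versions, and an attacker with edit rights first lowers that bound and then overwrites each file more times than the bound allows. The `DocumentLibrary` class, the `budget.xlsx` sample document and the placeholder `fake_encrypt` are constructed for illustration; the assumption that a limit of N keeps N prior versions plus the current one follows the text of this article, not Microsoft's documentation.

```python
"""Toy model of SharePoint/OneDrive version retention.

Constructed example. Assumption (following the article): a library with
version limit N keeps the current file plus its N most recent previous
versions; anything older is discarded on the next save.
"""
from dataclasses import dataclass, field


@dataclass
class DocumentLibrary:
    version_limit: int
    # file name -> versions, oldest first; the last entry is the current file
    versions: dict = field(default_factory=dict)

    def set_version_limit(self, limit: int) -> None:
        """Library setting; per the report, editable without admin rights."""
        if limit < 1:
            raise ValueError("version limit must be at least 1")
        self.version_limit = limit
        for name in self.versions:
            self._prune(name)

    def save(self, name: str, content: str) -> None:
        """Every save creates a new version and enforces the limit."""
        self.versions.setdefault(name, []).append(content)
        self._prune(name)

    def _prune(self, name: str) -> None:
        keep = self.version_limit + 1  # current version plus the history
        history = self.versions[name]
        if len(history) > keep:
            del history[: len(history) - keep]

    def recoverable_versions(self, name: str) -> list:
        return list(self.versions.get(name, []))


def edits_needed(version_limit: int) -> int:
    """Overwrites an attacker must make per file to evict the original."""
    return version_limit + 1


def fake_encrypt(content: str, round_no: int) -> str:
    # Stand-in for the ransomware's encryption (constructed): the payload is
    # irrelevant to the retention logic, only that each pass is a new save.
    return f"ENCRYPTED[round {round_no}]:{len(content)} chars"


def ransomware_run(lib: DocumentLibrary, new_limit, passes: int) -> None:
    """Attacker flow from the report: optionally lower the limit, then
    overwrite each file `passes` times."""
    if new_limit is not None:
        lib.set_version_limit(new_limit)
    for name in list(lib.versions):
        for round_no in range(1, passes + 1):
            current = lib.recoverable_versions(name)[-1]
            lib.save(name, fake_encrypt(current, round_no))


def original_survives(lib: DocumentLibrary, name: str, original: str) -> bool:
    return original in lib.recoverable_versions(name)


def demo() -> dict:
    """Three scenarios on the same constructed document; True = recoverable."""
    scenarios = {
        "lowered_limit_two_passes": (1, 2),    # the attack as reported
        "limit_untouched_two_passes": (None, 2),  # attacker cannot change it
        "lowered_limit_one_pass": (1, 1),      # not enough overwrites
    }
    results = {}
    for label, (new_limit, passes) in scenarios.items():
        lib = DocumentLibrary(version_limit=500)  # common default in tenants
        lib.save("budget.xlsx", "Q1 figures")  # constructed sample document
        lib.save("budget.xlsx", "Q1 figures, revised")
        ransomware_run(lib, new_limit, passes)
        results[label] = original_survives(lib, "budget.xlsx", "Q1 figures, revised")
    return results


if __name__ == "__main__":
    for label, survives in demo().items():
        print(f"{label}: original recoverable = {survives}")
    print("edits needed at limit 1:", edits_needed(1), "| at limit 500:", edits_needed(500))
```

The third scenario is the one worth remembering on the defensive side: the attack fails as long as the attacker cannot make more overwrites than the limit allows, which is why raising the threshold (and keeping it out of ordinary users' reach) directly increases the cost of the attack.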
The limitations of Office365 in ransomware prevention
This new attack mode reveals an inherent weakness in a system that had been presented as ransomware-proof. Users who enable the AutoSave feature of Office documents very often have the impression that keeping their documents in the cloud protects them, but in this case the feature does not eliminate the risk of a ransomware attack.
One way to reduce the risk, understood as an additional backup, could be to enable folder synchronization rather than relying on AutoSave alone. The file would then be kept in two copies, on the user's device and in the cloud, and an attack on SharePoint or OneDrive could be mitigated by the copy on the endpoint. The caveat is that the sync client also propagates server-side changes down to the device, so the local copy only helps if the encrypted versions have not yet been synchronized to it.
Microsoft's answer and solutions to protect the cloud
Microsoft commented on the news saying that files deleted by the versioning policy can still be recovered by contacting Microsoft Support within 14 days. The Proofpoint researchers, however, pointed out that this did not hold in a case they documented themselves, in which there was no way to access the removed files.
The possible countermeasures naturally target the prerequisites of the attack. Among them: strengthen the password policy, enable multi-factor authentication, and keep an external backup of the data. Alongside these preventive measures, the maximum versioning threshold can always be raised to make the attack more costly. Finally, Proofpoint suggests adopting Data Loss Prevention systems to detect potential data transfers to external destinations in time.
In conclusion, this latest report highlights a constantly changing situation, with new vulnerabilities and unusual attack scenarios being discovered all the time. Attention must stay high to minimize the potential impact on corporate and personal systems.