The cloud is often believed to be a safer alternative when it comes to malware and ransomware. With backup tools and auto-save features, there always seem to be multiple versions of the files you’re working on. According to a discovery by Proofpoint, this can easily change once an attacker gains access to your account.
How do Microsoft SharePoint and OneDrive deal with AutoSave?
How these AutoSave features work is simple: changes are saved as “versions.” This comes in handy when you come across a document that is missing information or is damaged; simply view the version history to return to a previous AutoSave. When it comes to these versions, though, your files aren’t as safe as you may think. It’s relatively easy to change how many versions of your files are kept, for example reducing the limit to just 1 version of a file.
How Does This Attack Work?
Once the attacker gains access to SharePoint Online and OneDrive user accounts, they could go down the path of adjusting versioning settings. Once these settings are changed, they can start encrypting files, and because they’re changing the settings from, for example, 500 revisions for a file to a single version, it’s easier to start locking files discreetly.
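The sequence described above (version limit cut, then files rewritten) can be watched for from the defender’s side. The following is an added example, not code from the original post, Proofpoint or Microsoft; the event schema, field names and thresholds are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window after a settings change
MIN_WRITES = 5                  # assumed number of distinct files that counts as a burst
SAFE_LIMIT = 100                # assumed baseline; limits cut below this are suspicious

def detect(events):
    """Alert when a library's version limit is lowered and the same account
    then modifies many files in that library within WINDOW."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["action"] != "version_limit_changed":
            continue
        if not (ev["new"] < ev["old"] and ev["new"] < SAFE_LIMIT):
            continue  # limit raised, or still above the baseline
        deadline = ev["time"] + WINDOW
        files = {e["file"] for e in events[i + 1:]
                 if e["action"] == "file_modified"
                 and e["user"] == ev["user"] and e["library"] == ev["library"]
                 and e["time"] <= deadline}
        if len(files) >= MIN_WRITES:
            alerts.append({"user": ev["user"], "library": ev["library"],
                           "old": ev["old"], "new": ev["new"], "files": len(files)})
    return alerts

def _ev(minute, user, action, library, **extra):
    # Helper for the constructed sample; the schema is hypothetical, not a real audit log format.
    return {"time": datetime(2022, 6, 20, 9, 0) + timedelta(minutes=minute),
            "user": user, "action": action, "library": library, **extra}

SAMPLE = (
    # Benign: limit raised, normal editing follows.
    [_ev(0, "admin", "version_limit_changed", "HR", old=100, new=500)]
    + [_ev(1 + n, "admin", "file_modified", "HR", file=f"policy{n}.docx") for n in range(6)]
    # Suspicious: limit cut from 500 to 1, then many files rewritten by the same account.
    + [_ev(60, "bob", "version_limit_changed", "Finance", old=500, new=1)]
    + [_ev(61 + n, "bob", "file_modified", "Finance", file=f"report{n}.xlsx") for n in range(8)]
    # Benign: limit lowered below the baseline, but no write burst follows.
    + [_ev(200, "carol", "version_limit_changed", "Legal", old=500, new=50),
       _ev(205, "carol", "file_modified", "Legal", file="nda.docx")]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

In practice the events would come from whatever audit source your tenant exposes, mapped into this shape, with the thresholds tuned to normal activity in your libraries.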
How can an account become compromised?
- Via user credentials: this can happen in any direct way, such as weak passwords, brute-force attacks, phishing, and other credential-compromising tactics.
- Third-party OAuth applications: tricking users into authenticating a third-party application that’s not legitimate could give access to the attacker.
- Hijacked sessions: this could happen by taking over a session that’s logged in through the web or by hijacking an API token from SharePoint or OneDrive.
What should you be doing to protect your organization from attacks like this?
Great question. There are easy-to-follow steps that help make sure you’re taking proper precautions, most of which you’re probably already following. These tips are good to follow even if you’re not using OneDrive or SharePoint, simply to keep yourself and your organization safe from attackers.
MAINTAIN A STRONG PASSWORD POLICY so that everyone at your organization is following best practices and keeping secure documents safe from common attacks due to weak passwords.
ENABLE MULTI-FACTOR AUTHENTICATION wherever possible; an added layer of security will help stop an attacker who managed to crack a password.
PLAN YOUR DISASTER RECOVERY AND BACKUP SOLUTION to ensure that if your files are damaged or compromised, you have a plan to minimize risk and minimize the delay in your return to normal.
REVIEW LINKED ACCOUNTS so you can remove apps or adjust their privileges, keep only the apps you trust, and ensure you’re minimizing the risk of compromised accounts connected to third-party services.
To learn more about this discovery, visit Proofpoint, where you’ll find a lot more details on how they found out about this and what Microsoft is doing to solve this problem.