A vulnerability in Microsoft Office 365 could be used to launch ransomware attacks on data housed in the company’s cloud services, security researchers say. The flaw in the autosave system could be used to hijack files stored on SharePoint and OneDrive, and lead to possible attacks on cloud infrastructure.
Security vendor Proofpoint says its team has found a straightforward route to encrypting files and launching ransomware once a cybercriminal has gained access to a victim’s account. This makes it possible to “encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated back-ups or a decryption key from the attacker,” a new report from Proofpoint says.
The attacker can then carry out the attack using a combination of Microsoft APIs, PowerShell scripts and command-line interface (CLI) scripts, the report continues.
Proofpoint says it has informed Microsoft of this dangerous functionality, but that it remains open to abuse.
How the Microsoft Office 365 vulnerability works
The autosave and version-history features of Microsoft 365 and Office 365 allow an attacker who already controls a user’s account to change the number of file versions that OneDrive or SharePoint Online retains, Proofpoint says.
By lowering the versioning limit on a document library (the report’s example uses a limit of 1), the attacker ensures that only the most recent versions are kept: older versions beyond the new limit are discarded rather than saved. The attacker then saves an encrypted copy of each file enough times to push every clean version out of the retained history, at which point the remaining versions are all encrypted. “All the original versions of the files are lost, leaving only the encrypted versions of each file in the cloud account,” the report says. “At this point, the attacker can ask for a ransom from the organisation.”
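Because the attack works by lowering a per-library versioning limit, the practical check is to audit those limits across a site and flag libraries where versioning is off or the limit is below a floor you consider recoverable. The script below is an added example written for this page, not code from Proofpoint’s report or from Microsoft; it assumes the PnP.PowerShell module and its Connect-PnPOnline, Get-PnPList and Set-PnPList cmdlets (including Set-PnPList’s -MajorVersions parameter), an account that can read and, with -Remediate, change library settings, and a placeholder site URL supplied by the caller.

```powershell
# Added example (not from the article or Proofpoint's report).
# Audits SharePoint Online document libraries for weak version-history settings,
# the setting the attack described above manipulates, and optionally raises them.
# Assumptions: PnP.PowerShell is installed and the cmdlet/parameter names used
# here (Connect-PnPOnline, Get-PnPList -Includes, Set-PnPList -MajorVersions)
# are available; $SiteUrl is a placeholder supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $SiteUrl,      # e.g. https://contoso.sharepoint.com/sites/Finance (placeholder)
    [int]    $MinimumMajorVersions = 500,          # floor every library should retain
    [switch] $Remediate                            # raise limits found below the floor
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# BaseTemplate 101 is a document library; hidden/system lists are skipped.
$libraries = Get-PnPList -Includes EnableVersioning, MajorVersionLimit, BaseTemplate, Hidden |
    Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }

$findings = foreach ($lib in $libraries) {
    # Versioning off: no history at all, so nothing to recover a clean copy from.
    # Versioning on with MajorVersionLimit 0: no cap configured, treated as not weak.
    # Versioning on with a small cap: the condition the attacker creates on purpose.
    $weak = (-not $lib.EnableVersioning) -or
            ($lib.MajorVersionLimit -gt 0 -and $lib.MajorVersionLimit -lt $MinimumMajorVersions)
    [pscustomobject]@{
        Library           = $lib.Title
        VersioningEnabled = $lib.EnableVersioning
        MajorVersionLimit = $lib.MajorVersionLimit
        BelowFloor        = $weak
    }
}

$findings | Sort-Object BelowFloor -Descending | Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in $findings | Where-Object BelowFloor) {
        Set-PnPList -Identity $f.Library -EnableVersioning $true -MajorVersions $MinimumMajorVersions
        Write-Host "Raised '$($f.Library)' to $MinimumMajorVersions major versions"
    }
}
```

Run it read-only first (`.\Audit-VersionLimits.ps1 -SiteUrl <site>`), then with -Remediate once the output has been reviewed. The caveat is that this is the same setting an account with owner rights can change back, so the check is a detection aid and a baseline to monitor for drift, not a substitute for restricting who may edit library settings or for the off-platform backups the article goes on to recommend.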
Ransomware attacks on cloud systems are becoming more common. Research from security company Netwrix found that targeted attacks on cloud infrastructure were reported by 16% of respondents in 2020, a figure which grew to 29% in 2022. Moreover, 53% of respondents suffered a cyberattack on the cloud in the past 12 months, with the most common type of breach being phishing incidents.
Cloud systems are widely seen as more secure than their on-premises counterparts, with public cloud providers such as Microsoft Azure, Amazon AWS and Google Cloud investing millions of pounds in security systems. “Current ransomware attacks are mainly focused on local networks and endpoints and not the cloud,” says Barak Hadad, head of research at security company Armis, “but since organisations are moving their business logic to the cloud, we expect an increase of ransomware attacks against cloud storage systems.”
IT professionals polled by Netwrix are aware of this growing threat, and see external hackers as the biggest threat to their cloud deployments.
Who is responsible for cloud security?
As attacks in the cloud become more common, the debate over whose responsibility it is to ensure the safety of the data stored there has intensified.
“Even the biggest cloud providers with extensive resources at their disposal to secure their environment are still vulnerable to creative attackers innovating new ways to get in,” says Justin Fier, VP of tactical risk and response at security company Darktrace. “The cybercriminals and black hat hackers that we encounter in our industry are agile, and they pivot quickly to try and exploit every new innovation where they might be able to extract value.”
Businesses cannot afford to assume that their data is safe in the cloud, says Avishai Avivi, CISO at SafeBreach. “The idiom ‘there’s no such thing as the cloud, it’s just someone else’s computer’ is accurate,” he says. “The data owner must recognise their role and responsibility in such advanced protections.”
Businesses must back up their data to really protect sensitive information from falling into the wrong hands, Fier adds. “Companies must back up their data and store copies off-site, or in the case of the cloud, they should store it on a different cloud instance, or where possible, a different cloud environment altogether.”