Proofpoint: ‘Potentially Dangerous’ Flaw Could Allow Ransomware Attacks On Microsoft SharePoint, OneDrive

A Proofpoint team of researchers says their findings show ‘ransomware actors can now target organizations’ data in the cloud and launch attacks on cloud infrastructure.’

A “potentially dangerous” flaw has been found in Microsoft Office 365 that could allow cyberattackers to ransom files stored on Sharepoint and OneDrive, two widely used enterprise cloud apps, according to researchers at Proofpoint.

The Proofpoint researchers revealed their findings Thursday morning in a blog post and concluded that cloud data may be more vulnerable to ransomware assaults than previously believed.

“Ransomware attacks have traditionally targeted data across endpoints or network drives,” wrote the Proofpoint researchers. “Until now, IT and security teams felt that cloud drives would be more resilient to ransomware attacks. … [But] Proofpoint has discovered a potentially dangerous piece of functionality in Office 365 or Microsoft 365 that allows ransomware to encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key from the attacker.”

The researchers—Or Safran, David Krispin, Assaf Friedman and Saikrishna Chavali—said their findings show that “ransomware actors can now target organizations’ data in the cloud and launch attacks on cloud infrastructure.”

In a response to email questions from CRN, Proofpoint said in a statement that “as of now we have not seen this functionality exploited in the wild.”

Microsoft Says Functionality ‘Working As Intended’

Asked if Microsoft has been informed of the potential vulnerability found by Proofpoint, the company wrote: “Prior to this blog, Proofpoint followed Microsoft’s disclosure path and received the following response: The configuration functionality for versioning settings within lists is working as intended (and) older versions of files can be potentially recovered and restored for an additional 14 days with the assistance of Microsoft Support.”

In the statement to CRN, Proofpoint said it “attempted to retrieve and restore old versions following the (Microsoft) process but was not successful. However, even if the versioning settings configuration worked as intended, Proofpoint has shown that this functionality can be abused by attackers toward cloud ransomware aims.”

Proofpoint’s statement to CRN ended: “We’re confident in our research and stand by it.”

Microsoft could not be reached for comment.

Proofpoint Documented Each Step Of Potential Attack Chain

According to the Proofpoint blog post, researchers identified a potential attack chain and documented the steps ransomware attackers could theoretically use.

“Once executed, the attack encrypts the files in the compromised users’ accounts,” researchers wrote. “Just like with endpoint ransomware activity, those files can then only be retrieved with decryption keys.”

They added that attack actions can be “automated using Microsoft APIs, command line interface (CLI) scripts and PowerShell scripts.”

An attack would initially start when intruders “gain access to one or more users’ SharePoint Online or OneDrive accounts by compromising or hijacking users’ identities,” researchers wrote.

The attacker would then have access to any “file owned by the compromised user or controlled by the third-party OAuth application (which would include the user’s OneDrive account as well),” researchers said.

The next step entails reducing “versioning limit of files to a low number such as 1, to keep it easy. Encrypt the file more times than the versioning limit. With the example limit of 1, encrypt the file twice.”

The blog post then states: “Now all original (pre-attacker) versions of the files are lost, leaving only the encrypted versions of each file in the cloud account. At this point, the attacker can ask for a ransom from the organization.”

Microsoft Cloud Security Under Scrutiny

This isn’t the first time outside researchers have said they’ve discovered flaws in Microsoft’s cloud security.

Earlier this year, Wiz, as part of ongoing research into Microsoft cloud security, reported that its researcher found a vulnerability in the software giant’s Azure database that allowed access to other customers’ sensitive data, as reported by CRN.

Founded in 2002, Sunnyvale, Calif.-based Proofpoint has long been known as an email security powerhouse, but in recent years it has expanded its offerings to include cloud-based security products.

Last year, private equity giant Thoma Bravo took the publicly traded Proofpoint private in an acquisition deal valued at $12.3 billion.