Proofpoint identifies Microsoft 365 capabilities that help you navigate new cloud-based attack vectors

The attack runs as a four-step chain that starts with a specific user's identity being compromised. The malicious actor uses that individual's credentials to access the user's SharePoint or OneDrive account, modifies the versioning settings, and then encrypts the files multiple times, leaving no unencrypted version of the compromised files.

The initial compromise may come through brute-force or phishing attacks, improper authorization granted to OAuth applications, or hijacked user sessions. Once an account is compromised, the subsequent actions can be scripted to run automatically through application programming interfaces (APIs), Windows PowerShell, or the command-line interface.

The versioning feature in SharePoint and OneDrive keeps a historical record for each file, logging every document change and the user(s) who made it. Users with appropriate permissions can then view, delete, or even restore previous versions of the document. This also means that any site owner, or any user with those permissions, can access the application's version settings.

Reducing the number of retained document versions is the crucial step. The malicious actor configures the versioning settings to keep only the desired number of versions per file. The files are then encrypted more times than the number of versions retained, leaving no recoverable backed-up version.

At this point both the master copy and the single retained version are encrypted, and recovery depends on obtaining the attacker's decryption key.

Alternatively, the attacker may keep a copy of the original document and make more changes to it than the number of versions being maintained. For example, if versioning is set to retain the previous 200 copies, the actor may make 201 changes. This ensures that the master copy in SharePoint or OneDrive and all retained backups have been altered, while the original copy is held for ransom.

Proofpoint's blog compiles several recommendations to help protect you and your organization from this kind of attack. According to Proofpoint, they focus on early detection of high-risk configurations and behaviors, enhanced access management, and ensuring that adequate backup and recovery policies are in place.
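The "early detection of high-risk behaviors" recommendation maps directly onto the attack chain described above: a version limit is lowered and the same actor then modifies a file more times than the new limit allows. The following detection sketch is an added example, not Proofpoint's code; the audit-record field names and sample events are constructed, so a real Microsoft 365 audit export would need a small mapping step first.

```python
"""Flag the versioning-abuse pattern: a lowered version limit followed, within a
time window, by more edits to one file (by the same actor) than the new limit
keeps, so no clean version survives."""
from datetime import datetime, timedelta

# Constructed sample audit events; field names are assumptions, not the real
# Microsoft 365 unified audit log schema.
SAMPLE_EVENTS = [
    {"time": "2022-06-16T10:00:00", "user": "alice@example.com", "library": "Finance",
     "op": "VersionLimitChanged", "old_limit": 500, "new_limit": 1},
    {"time": "2022-06-16T10:00:05", "user": "alice@example.com", "library": "Finance",
     "op": "FileModified", "file": "budget.xlsx"},
    {"time": "2022-06-16T10:00:06", "user": "alice@example.com", "library": "Finance",
     "op": "FileModified", "file": "budget.xlsx"},
    {"time": "2022-06-16T10:00:07", "user": "alice@example.com", "library": "Finance",
     "op": "FileModified", "file": "budget.xlsx"},
    # Ordinary editing in a library whose limit was never lowered: no alert.
    {"time": "2022-06-16T11:30:00", "user": "bob@example.com", "library": "HR",
     "op": "FileModified", "file": "handbook.docx"},
]


def detect_version_limit_abuse(events, window=timedelta(hours=1)):
    """Return (user, library, file, edits, limit) tuples for every file that the
    actor who lowered a library's version limit then edited more than `limit`
    times within `window` of that change."""
    events = sorted(events, key=lambda e: e["time"])   # ISO timestamps sort lexically
    limit_changes = {}   # (user, library) -> (time of change, new limit)
    edits = {}           # (user, library, file) -> [edit count, limit in force]
    for e in events:
        t = datetime.fromisoformat(e["time"])
        actor = (e["user"], e["library"])
        if e["op"] == "VersionLimitChanged" and e["new_limit"] < e["old_limit"]:
            limit_changes[actor] = (t, e["new_limit"])      # only lowering is suspicious
        elif e["op"] == "FileModified" and actor in limit_changes:
            t0, limit = limit_changes[actor]
            if t - t0 <= window:
                rec = edits.setdefault(actor + (e["file"],), [0, limit])
                rec[0] += 1
    # limit + 1 edits is the point where the last clean version is pushed out.
    return [key + (n, lim) for key, (n, lim) in edits.items() if n > lim]


if __name__ == "__main__":
    for alert in detect_version_limit_abuse(SAMPLE_EVENTS):
        print("ALERT: %s edited %s/%s %d times after lowering the limit to %d" % alert)
```

The same counting logic can be pointed at a real export once the operation and field names are mapped; the window and the "limit + 1" threshold are the tunable parts.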

Image credit: Proofpoint.
