{"id":449184,"date":"2022-06-17T10:27:54","date_gmt":"2022-06-17T08:27:54","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=449184"},"modified":"2022-06-17T10:33:02","modified_gmt":"2022-06-17T08:33:02","slug":"ransomware-attackers-can-exploit-onedrive-feature-to-delete-backups","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/cloud-hosting\/449184-ransomware-attackers-can-exploit-onedrive-feature-to-delete-backups.html","title":{"rendered":"Ransomware attackers can exploit OneDrive feature to delete backups"},"content":{"rendered":"<p>Proofpoint security researchers have <strong><a href=\"https:\/\/www.proofpoint.com\/us\/blog\/cloud-security\/proofpoint-discovers-potentially-dangerous-microsoft-office-365-functionality\">discovered<\/a><\/strong> a way to exploit Microsoft cloud storage file version limits that could allow ransomware to encrypt OneDrive and SharePoint files and render them unrecoverable.<\/p>\n<p>Ransomware attacks involve attackers locking users out of their own files by encrypting them.<\/p>\n<p>The attackers then extort money from victims with the promise that they will provide the decryption keys.<\/p>\n<p>Proofpoint described the Microsoft 365 attack chain as follows.<\/p>\n<p>First, attackers must gain access to either SharePoint Online or OneDrive accounts.<\/p>\n<p>They can get user credentials via phishing or brute force attacks, tricking users via malicious third-party OAuth applications, or hijacking web sessions.<\/p>\n<p>After an attacker has taken over an account, they can reduce the versioning limit of files to a low number.<\/p>\n<p>To exploit the rules surrounding versioning limits, attackers encrypt the file more times than the limit to ensure the original file gets deleted.<\/p>\n<p>For example, if a malicious actor reduces a file&#8217;s versioning limit to one and then creates two encrypted versions, the original version will get deleted and cannot be restored.<\/p>\n<p>Malicious actors can 
automate the attack chain after compromising an account using a combination of Microsoft APIs, command-line interface scripts, and PowerShell scripts.<\/p>\n<div id=\"attachment_449186\" style=\"width: 841px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-449186\" class=\"wp-image-449186 size-full\" src=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2022\/06\/Proofpoint-ransomware-attack-flow-chart.png\" alt=\"\" width=\"831\" height=\"533\" srcset=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2022\/06\/Proofpoint-ransomware-attack-flow-chart.png 831w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2022\/06\/Proofpoint-ransomware-attack-flow-chart-600x385.png 600w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2022\/06\/Proofpoint-ransomware-attack-flow-chart-800x513.png 800w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2022\/06\/Proofpoint-ransomware-attack-flow-chart-768x493.png 768w\" sizes=\"(max-width: 831px) 100vw, 831px\" \/><p id=\"caption-attachment-449186\" class=\"wp-caption-text\">Proofpoint&#8217;s flowchart illustrating the ransomware attack chain process within Microsoft 365 cloud environments<\/p><\/div>\n<p>Microsoft told Proofpoint that older versions of files can still be recovered and restored within 14 days after an attack with Microsoft Support&#8217;s help.<\/p>\n<p>However, Proofpoint tested this after Microsoft said it was possible and determined that recovering encrypted files this way doesn&#8217;t work.<\/p>\n<p>Proofpoint encouraged users to mitigate their risk of falling victim to ransomware attacks.<\/p>\n<p>Mitigations include using strong passwords, multi-factor authentication, and regular file backups to external storage.<\/p>\n
","protected":false},"excerpt":{"rendered":"<p>Security researchers have discovered a way attackers could exploit Microsoft cloud storage functionality to execute ransomware attacks on OneDrive and SharePoint users.<\/p>\n","protected":false},"author":341094,"featured_media":449190,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,27],"tags":[2882,7047,23371,38324,30150,79124],"class_list":["post-449184","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud-hosting","category-security","tag-cloud-storage","tag-microsoft-office-365","tag-onedrive","tag-proofpoint","tag-ransomware","tag-sharepoint-online"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/449184"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/341094"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=449184"}],"version-history":[{"count":1,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/449184\/revisions"}],"predecessor-version":[{"id":449194,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/449184\/revisions\/449194"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/449190"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=449184"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=449184"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=449184"}],"curies":[{"name":"wp","hr
ef":"https:\/\/api.w.org\/{rel}","templated":true}]}}