Office 365 loophole may give ransomware an easy shot at your files


Researchers at Proofpoint have discovered potentially dangerous Microsoft Office 365 functionality that they believe may give ransomware a clear shot at files stored on SharePoint and OneDrive.

By Alex Scroxton

Published: 16 Jun 2022 10:00

A team of Proofpoint researchers say they have discovered potentially dangerous standard functionality in Microsoft Office 365 that could allow ransomware to encrypt files stored in SharePoint and OneDrive in such a way that they become completely unrecoverable without dedicated backups or a decryption key.

The team – Or Safran, David Krispin, Assaf Friedman and Saikrishna Chavali – wanted to look at two of the more widely used enterprise cloud apps within the Microsoft 365 and Office 365 suites to demonstrate that ransomware operators can now target data held in the cloud, and launch attacks on cloud infrastructure.

“Ransomware attacks have traditionally targeted data across endpoints or network drives,” they said in a disclosure blog published today. “Until now, IT and security teams felt that cloud drives would be more resilient to ransomware attacks.

“After all, the now-familiar ‘AutoSave’ feature, along with versioning and the good old recycle bin for files, should have been sufficient as backups. However, that may not be the case for much longer.”

The possible attack chain works as follows – note that it can be automated using Microsoft APIs, command line interface (CLI) scripts and PowerShell scripts.

First, attackers need to gain access to one or more users’ SharePoint Online or OneDrive accounts, either by compromising or hijacking their identities or by getting a user to authorise a malicious third-party OAuth application with access to their files.

They then have access to any file owned by the compromised user, or to whatever the third-party OAuth application has been granted access to, which would include the user’s OneDrive account.

The third step is to reduce the versioning limit of files to a low number (such as one) and encrypt the file more times than the versioning limit (say twice, to keep it simple). This step would be unique to cloud ransomware compared to the attack chain for an endpoint-based version. Note that at this point, an attacker could also exfiltrate the unencrypted files to leak or sell on in a double extortion hit.

Finally, now that all original versions of the files are lost, leaving only the encrypted versions of each file in the cloud account, the attacker can demand a ransom.

The third step in the chain is what would make this type of attack viable, and it hinges on functionality unique to Microsoft environments, said Proofpoint.

It works like this, the team explained: every document library in SharePoint Online or OneDrive has a user-configurable setting for the number of saved versions, which the library owner can change regardless of their other roles, i.e. they do not need admin rights. The setting is found under versioning settings in each library’s list settings.

By design, if a user reduces a library’s version limit, any further changes to the files it contains push the older versions out of the version history, after which the user can no longer restore them.

There are two ways to abuse this maliciously, either by making too many versions of a file or reducing the version limits.

In the first instance, because most OneDrive accounts have a default version limit of 500, someone could edit a file 501 times: the library keeps only the 500 most recent prior versions, so the original is 501 versions old and no longer restorable. The attacker then only has to make sure the 500 restorable versions are all encrypted ones.

But this is quite complex and requires more time, scripting and machine resources, and is probably easier for defenders to spot, so Proofpoint’s team suggests the second tactic is more likely.

So, if they reduce the library versioning number to one, only the most recent version of the file before the last edit is saved and restorable. Therefore, by editing the file twice, either encrypting it twice or making changes to its content or metadata then encrypting it, an attacker can ensure an organisation is unable to restore the original version without the decryption key.

Incidentally, setting the version limit to zero would be a red herring: it does not delete the existing versions, which remain available to the user once the limit is reset, or after versioning is turned off and on again.
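The arithmetic behind the two tactics, as an added example that is neither Proofpoint’s tooling nor Microsoft’s code: a small Python model of one file’s version history in a library. The retention rule it uses (keep the current content plus the newest `limit` earlier versions; a limit of 0 trims nothing) is an assumption drawn from the article’s description, and `encrypt` is a stand-in for real file encryption. It shows why the cheap tactic needs exactly two writes, why the noisy one needs 501 on a default library, and why a limit of 0 is a red herring.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_ONEDRIVE_LIMIT = 500  # default major-version limit cited in the article


@dataclass
class Library:
    """One document library's version history for a single file.

    Retention rule (an assumption modelled on the article's description, not
    Microsoft's code): the current content plus the newest `limit` earlier
    versions are kept; a limit of 0 is treated as 'no trimming', since the
    article notes that setting 0 does not delete anything.
    """
    limit: int = DEFAULT_ONEDRIVE_LIMIT
    current: Optional[str] = None
    history: List[str] = field(default_factory=list)  # oldest first
    writes: int = 0

    def set_limit(self, limit: int) -> None:
        # Any library owner can change this; no admin role is needed.
        # Lowering it deletes nothing by itself: trimming happens on the next write.
        self.limit = limit

    def write(self, content: str) -> None:
        """Save a new version, dropping the oldest ones that exceed the limit."""
        if self.current is not None:
            self.history.append(self.current)
        self.current = content
        self.writes += 1
        excess = len(self.history) - self.limit
        if self.limit > 0 and excess > 0:
            del self.history[:excess]

    def restorable(self) -> List[str]:
        """Earlier versions a user could still restore from the version history."""
        return list(self.history)

    def original_restorable(self, original: str) -> bool:
        return self.current == original or original in self.history


def encrypt(content: str, key: str) -> str:
    # Stand-in for real file encryption; only the version bookkeeping matters here.
    return f"enc[{key}]({content})"


def attack_reduce_limit(lib: Library, key: str) -> int:
    """The cheaper tactic: set the limit to 1, then write twice.
    Returns the number of writes the attacker needed."""
    before = lib.writes
    lib.set_limit(1)
    lib.write(encrypt(lib.current, key))  # original becomes the only prior version
    lib.write(encrypt(lib.current, key))  # pushes the original out of the history
    return lib.writes - before


def attack_overflow(lib: Library, key: str) -> int:
    """The noisier tactic: leave the limit alone and write limit + 1 encrypted
    versions so the original falls off the end. Returns the write count."""
    before = lib.writes
    for _ in range(lib.limit + 1):
        lib.write(encrypt(lib.current, key))
    return lib.writes - before


def limit_zero_is_not_deletion(original: str = "plaintext") -> bool:
    """Caveat from the article: a limit of 0 leaves old versions in place,
    so they reappear once the limit is raised again."""
    lib = Library()
    lib.write(original)
    lib.write("edit 1")
    lib.set_limit(0)
    lib.write("edit 2")  # no trimming under the modelled rule
    lib.set_limit(DEFAULT_ONEDRIVE_LIMIT)
    return lib.original_restorable(original)


if __name__ == "__main__":
    for attack in (attack_reduce_limit, attack_overflow):
        lib = Library()
        lib.write("plaintext")
        n = attack(lib, "k")
        print(f"{attack.__name__}: {n} writes, original restorable: "
              f"{lib.original_restorable('plaintext')}, "
              f"versions kept: {len(lib.restorable())}")
    print("limit 0 keeps versions:", limit_zero_is_not_deletion())
```

The write counts are the detection-relevant difference: two writes and one settings change are easy to miss in file activity logs, whereas 501 writes per file across a whole library stand out, which is why the article expects attackers to prefer lowering the limit.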

Fortunately, said Proofpoint, standard best-practice recommendations for ransomware protection also apply here. Defenders should switch on detection of file configuration changes for Office 365 accounts if their security tooling allows it: although users can change versioning settings by accident, it is not common behaviour, so a sudden change to a library’s version limit is a strong signal that something is wrong.

Other mitigations, such as prioritising so-called Very Attacked People, shoring up access management, updating disaster recovery and backup practice, implementing cloud security and threat intelligence, and implementing data loss prevention technology, will also be effective.

Defenders may also wish to add the following actions to their response and investigation, in case risky configuration change detectors are triggered:

  • Increase restorable versions for affected libraries.
  • Identify any previous account compromises or risky configuration changes for the affected account.
  • Hunt down any suspicious third-party app activity and revoke OAuth tokens if found.
  • Find out if the user had ever before behaved out of policy – such as taking risky OAuth app actions, being negligent with sensitive data, and so on.
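A defender-side check for the first response item above (raising the restorable-version count on affected libraries), added here as example code rather than anything from the article or Proofpoint: it queries every document library’s versioning settings through the SharePoint REST endpoint `_api/web/lists` (the endpoint and the `Id`, `Title`, `BaseTemplate`, `EnableVersioning` and `MajorVersionLimit` properties exist; the sample response, site URL and GUIDs are constructed for the example) and builds the MERGE request that re-enables versioning and restores a limit of 500. Sending the requests needs an access token with rights to manage the site, which the caller supplies.

```python
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Dict, List

DOCUMENT_LIBRARY_TEMPLATE = 101   # SharePoint BaseTemplate value for document libraries
RECOMMENDED_MAJOR_VERSIONS = 500  # the OneDrive default cited in the article


@dataclass(frozen=True)
class Finding:
    list_id: str
    title: str
    major_version_limit: int
    reason: str


def list_query_url(site_url: str) -> str:
    """REST query for the versioning settings of every document library in a site."""
    return (f"{site_url.rstrip('/')}/_api/web/lists"
            "?$select=Id,Title,BaseTemplate,EnableVersioning,MajorVersionLimit"
            f"&$filter=BaseTemplate eq {DOCUMENT_LIBRARY_TEMPLATE}")


def _rows(lists_response: dict) -> List[dict]:
    # odata=nometadata returns {"value": [...]}; odata=verbose returns {"d": {"results": [...]}}
    if "value" in lists_response:
        return lists_response["value"]
    return lists_response["d"]["results"]


def find_risky_libraries(lists_response: dict, min_versions: int = 50) -> List[Finding]:
    """Flag libraries where a handful of writes would erase every prior version.

    MajorVersionLimit 0 with versioning enabled is treated as 'no limit', in
    line with the article's note that a limit of 0 does not purge versions.
    """
    findings: List[Finding] = []
    for lst in _rows(lists_response):
        if lst.get("BaseTemplate") != DOCUMENT_LIBRARY_TEMPLATE:
            continue
        limit = int(lst.get("MajorVersionLimit", 0))
        if not lst.get("EnableVersioning", False):
            reason = "versioning disabled: nothing to restore after a single overwrite"
        elif 0 < limit < min_versions:
            reason = f"MajorVersionLimit={limit}: {limit + 1} writes erase the original"
        else:
            continue
        findings.append(Finding(lst["Id"], lst["Title"], limit, reason))
    return findings


def remediation_request(site_url: str, list_id: str,
                        limit: int = RECOMMENDED_MAJOR_VERSIONS) -> Dict[str, object]:
    """Build the REST MERGE that re-enables versioning and raises the limit.

    The caller adds 'Authorization: Bearer <token>' (assumed: a token with
    rights to manage the site) and sends it with any HTTP client.
    """
    return {
        "method": "POST",
        "url": f"{site_url.rstrip('/')}/_api/web/lists(guid'{list_id}')",
        "headers": {
            "Accept": "application/json;odata=verbose",
            "Content-Type": "application/json;odata=verbose",
            "X-HTTP-Method": "MERGE",
            "IF-MATCH": "*",
        },
        "body": json.dumps({
            "__metadata": {"type": "SP.List"},
            "EnableVersioning": True,
            "MajorVersionLimit": limit,
        }),
    }


# Constructed sample of what the query above returns (odata=nometadata shape);
# the GUIDs and titles are made up for the example.
SAMPLE_RESPONSE = {"value": [
    {"Id": "11111111-1111-1111-1111-111111111111", "Title": "Documents",
     "BaseTemplate": 101, "EnableVersioning": True, "MajorVersionLimit": 1},
    {"Id": "22222222-2222-2222-2222-222222222222", "Title": "Contracts",
     "BaseTemplate": 101, "EnableVersioning": False, "MajorVersionLimit": 0},
    {"Id": "33333333-3333-3333-3333-333333333333", "Title": "Shared Documents",
     "BaseTemplate": 101, "EnableVersioning": True, "MajorVersionLimit": 500},
    {"Id": "44444444-4444-4444-4444-444444444444", "Title": "Site Pages",
     "BaseTemplate": 119, "EnableVersioning": True, "MajorVersionLimit": 1},
]}


if __name__ == "__main__":
    site = "https://contoso.sharepoint.com/sites/finance"  # hypothetical site URL
    print("GET", list_query_url(site))
    for finding in find_risky_libraries(SAMPLE_RESPONSE):
        print(f"[!] {finding.title}: {finding.reason}")
        req = remediation_request(site, finding.list_id)
        print("   ", req["method"], req["url"], req["body"])
```

Run this against each site after a versioning-change alert fires, and as a periodic sweep: a low limit is only one write away from being exploited, and the page-library row (BaseTemplate 119) is skipped because the attack targets document libraries. Note that the default of 500 is not a hard defence either; it only raises the attacker’s cost to 501 writes per file.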

The team disclosed the issues to Microsoft via its responsible disclosure path, but said Microsoft’s response was that configuration functionality for versioning settings within lists is “working as intended”.

Microsoft added that older versions of files can be “potentially” recovered and restored for an additional 14 days through Microsoft Support.

The team said: “Proofpoint attempted to retrieve and restore old versions through this process (ie, with Microsoft Support) and was not successful. Secondly, even if the versioning settings configuration workflow is as intended, Proofpoint has shown that it can be abused by attackers towards cloud ransomware aims.”


FIFA 23 lets you turn off commentary pointing out how bad you are

A player shouldering the ball (Image credit: EA)

FIFA 23 might be the best soccer game yet for terrible sports fans, as it lets you turn off commentary that criticizes your bad playing.

Now that the early access FIFA 23 release time has passed, EA Play and Xbox Game Pass Ultimate subscribers can hop into the game ahead of its full release. But as Eurogamer spotted, they’ll find a peculiar option waiting for them.

FIFA 23 includes a toggle to turn off ‘Critical Commentary’. The setting lets you silence all negative in-match comments made about your technique, so you can protect your precious ego even when you miss an open goal or commit an obvious foul. The more positive commentary won’t be affected. 

Spare your feelings

A player dribbling the ball in FIFA 23 (Image credit: EA)

The feature looks tailored toward children and new players, who don’t want to have their confidence wrecked within mere minutes of picking up the controller. But even experienced players who just so happen to be terrible at the game might benefit.

It’s not perfect, though. According to Eurogamer, the feature didn’t seem to work during a FIFA Ultimate Team Division Rivals match, with critical comments slipping through the filter. Still, who hasn’t benefited from a light grilling every now and then?

Polite commentary isn’t the only new addition in FIFA 23. It’s the first game in the series to include women’s club football teams, and fancy overhauled animations that take advantage of the PS5 and Xbox Series X|S’s new-gen hardware. EA will be hoping to end on a high, as FIFA 23 will be the last of its soccer games to release with the official FIFA licence.

If disabling critical commentary doesn’t improve your soccer skills, maybe building a squad of Marvel superheroes will. Although you might not do much better with Ted Lasso wandering the pitch.

FIFA 23 is set to fully release this Friday, September 30.

Callum is TechRadar Gaming’s News Writer. You’ll find him whipping up stories about all the latest happenings in the gaming world, as well as penning the odd feature and review. Before coming to TechRadar, he wrote freelance for various sites, including Clash, The Telegraph, and Gamesindustry.biz, and worked as a Staff Writer at Wargamer. Strategy games and RPGs are his bread and butter, but he’ll eat anything that spins a captivating narrative. He also loves tabletop games, and will happily chew your ear off about TTRPGs and board games. 

Google Pixel 7 price leak suggests Google is totally out of touch

The backs of the Pixel 7 and the Pixel 7 Pro (Image credit: Google)

We’re starting to hear more and more Google Pixel 7 leaks, with the launch of the phone just a week away, but tech fans might be getting a lot of déjà vu, with the leaks all listing near-identical specs to what we heard about the Pixel 6 a year ago.

It sounds like the new phones – a successor to the Pixel 6 Pro is also expected – could be very similar to their 2021 predecessors. And a new price leak has suggested that the phones’ costs could be the same too, as a Twitter user spotted the Pixel 7 briefly listed on Amazon (before being promptly taken down, of course).

Google pixel 7 on Amazon US. $599.99. It is still showing up in search cache but the listing gives an error if you click on it. We have the B0 number to keep track of though! #teampixel pic.twitter.com/w5Z09D28YE (September 27, 2022)

According to these listings, the Pixel 7 will cost $599 while the Pixel 7 Pro will cost $899, both of which are identical to the Pixel 6 and Pixel 6 Pro starting prices. The leak doesn’t include any other region prices, but in the UK the current models cost £599 and £849, while in Australia they went for AU$999 and AU$1,299.

So it sounds like Google is planning on retaining the same prices for its new phones as it sold the old ones for, a move which doesn’t make much sense.


Analysis: same price, new world

Google’s choice to keep the same price points is a little curious when you consider that the specs leaks suggest these phones are virtually unchanged from their predecessors. You’re buying year-old tech for the same price as before.

Do bear in mind that the price of tech generally falls over time, so you can readily pick up a cheaper Pixel 6 or 6 Pro right now, and after the launch of the new ones the older models will very likely get even cheaper.

But there’s another key factor to consider in the price: $599 might be the same number in 2022 as it was in 2021, but with the changing global climate, like wars and flailing currencies and cost of living crises, it’s a very different amount of money.

Some people just won’t be willing to shell out the amount this year, that they may have been able to last year. But this speaks to a wider issue in consumer tech.

Google isn’t the only tech company to completely neglect the challenging global climate when pricing its gadgets: Samsung is still releasing super-pricey folding phones, and the iPhone 14 is, for some incomprehensible reason, even pricier than the iPhone 13 in some regions. 

Too few brands are actually catering to the tough economic times many are facing right now, with companies increasing the price of their premium offerings to counter rising costs, instead of just designing more affordable alternatives to flagships.

These high and rising prices suggest that companies are totally out of touch with their buyers, and don’t understand the economic hardship troubling many.

We’ll have to reach a breaking point sooner or later, either with brands finally clueing into the fact that they need to release cheaper phones, or with customers voting with their wallets by sticking to second-hand or refurbished devices. But until then, you can buy the best cheap phones to show that cost is important to you.

Tom’s role in the TechRadar team is to specialize in phones and tablets, but he also takes on other tech like electric scooters, smartwatches, fitness, mobile gaming and more. He is based in London, UK.

He graduated in American Literature and Creative Writing from the University of East Anglia. Before working at TechRadar he freelanced in tech, gaming and entertainment, and also spent many years working as a mixologist. Outside of TechRadar he works in film as a screenwriter, director and producer.

DisplayMate awards the “Best Smartphone Display” title to the iPhone 14 Pro Max

Copyright © 2022 Xanatan