A trick was discovered with file versioning and the Auto Save function that can leave Microsoft files stored in SharePoint and OneDrive vulnerable to attack, allowing ransomware to encrypt the files. But first, let's explain what file versioning does.
When working on a document in the cloud, you may have noticed you often don't have to save your work manually. This is because cloud apps have AutoSave turned on and will save versions of your file as you work. If needed, a user can revert to an older file version. This is called file versioning. The number of versions saved by default depends on the cloud provider.
Microsoft 365 allows any account, admin, or regular user, to change the number of default versions to be saved. If an attacker compromises an account, they can reduce the number of versions.
This is important because if a file is edited or encrypted one more time than the reduced number, the original data is unrecoverable.
According to Practical365, “The attack technique is to create sufficient new versions of files to exceed the versioning limit set for the document library. Each round of encryption creates a new version of the target file, and eventually only encrypted versions of files exist in the document library because SharePoint Online clears out the non-encrypted versions after the number of changes exceed the versioning limit. For SharePoint Online document libraries (including OneDrive for Business, the versioning limit ranges between 100 and 50,000.” citation
Another way to achieve the same task is to use automated scripts to edit a file 501 times, one more than the default 500 limit. However, this method often sets off alarms as it's more invasive.
Please note that this attack technique requires that the attacker gain access to a user’s account to make these changes. There isn’t anything inherently wrong with Microsoft 365 or Google Workspace.
When asked about the problem, Microsoft said there was nothing to be done because file versioning was working as intended. Other cloud providers, including Google Workspace, have similar features as AutoSave and file versioning and are just as vulnerable.
Unfortunately, there are other risks when using a public cloud as well. Public cloud is a model where the servers and other resources are shared by multiple companies. This leaves the potential for a breach from one organization to spread to another.
Most people and business leaders are not aware that public cloud organizations, including Microsoft and Amazon, have a shared responsibility model. From Microsoft:
For all cloud deployment types, you own your data and identities. You are responsible for protecting the security of your data and identities, on-premises resources, and the cloud components you control (which varies by service type).
Regardless of the type of deployment, the following responsibilities are always retained by you:
To protect your company and data consider the following: