Microsoft 365 (Google Workspace) Feature May Increase Risk of Data Loss and Ransomware

Updated 09/27/2022

A technique was discovered that abuses file versioning and the AutoSave function. It can leave Microsoft files stored in SharePoint and OneDrive vulnerable to attack, allowing ransomware to encrypt the files. But first, let's explain what file versioning does.

When working on a document in the cloud, you may have noticed you often don't have to save your work manually. This is because cloud apps have AutoSave turned on and will save versions of your file as you work. If needed, a user can revert to an older file version. This is called file versioning. The number of versions saved by default depends on the cloud provider.

Microsoft 365 allows any account, whether admin or regular user, to change the default number of versions that are saved. If an attacker compromises an account, they can reduce the number of versions.

This is important because if a file is edited or encrypted one more time than the reduced version limit, the original data is unrecoverable.

According to Practical365, “The attack technique is to create sufficient new versions of files to exceed the versioning limit set for the document library. Each round of encryption creates a new version of the target file, and eventually only encrypted versions of files exist in the document library because SharePoint Online clears out the non-encrypted versions after the number of changes exceed the versioning limit. For SharePoint Online document libraries (including OneDrive for Business), the versioning limit ranges between 100 and 50,000.” (citation)

Another way to achieve the same task is to use automated scripts to edit a file 501 times, one more than the default 500 limit. However, this method often sets off alarms as it's more invasive.
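Both patterns above leave a trail a defender can check for: a lowered version limit on a library, and a file edited more times than the limit in force. The following detection logic is an added example, not code from the original article or from Microsoft; the event schema, field names and sample events are constructed assumptions, and it applies the article's rule that the original is lost once edits exceed the limit.

```python
from collections import defaultdict

DEFAULT_LIMIT = 500  # default version limit cited in the article

# Constructed sample events in a hypothetical normalized schema
# (not a real Microsoft 365 audit-log format).
EVENTS = [
    {"t": "2022-09-01T10:00", "user": "user_a", "op": "version_limit_set",
     "library": "Finance", "limit": 1},
    {"t": "2022-09-01T10:01", "user": "user_a", "op": "file_modified",
     "library": "Finance", "file": "budget.xlsx"},
    {"t": "2022-09-01T10:02", "user": "user_a", "op": "file_modified",
     "library": "Finance", "file": "budget.xlsx"},
    {"t": "2022-09-01T10:03", "user": "user_a", "op": "file_modified",
     "library": "Finance", "file": "payroll.xlsx"},
    {"t": "2022-09-01T11:00", "user": "user_b", "op": "file_modified",
     "library": "HR", "file": "handbook.docx"},
    {"t": "2022-09-01T11:05", "user": "user_b", "op": "file_modified",
     "library": "HR", "file": "handbook.docx"},
]

def analyze(events, default_limit=DEFAULT_LIMIT):
    """Return findings: version-limit reductions, and files edited more times
    than the limit in force (the article's condition for losing the original)."""
    limits = defaultdict(lambda: default_limit)  # library -> current limit
    edits = defaultdict(int)                     # (library, file) -> edit count
    flagged = set()                              # files already reported
    findings = []
    for ev in sorted(events, key=lambda e: e["t"]):
        lib = ev["library"]
        if ev["op"] == "version_limit_set":
            if ev["limit"] < limits[lib]:
                findings.append(("limit_reduced", lib, ev["user"],
                                 limits[lib], ev["limit"]))
            limits[lib] = ev["limit"]
        elif ev["op"] == "file_modified":
            key = (lib, ev["file"])
            edits[key] += 1
            if edits[key] > limits[lib] and key not in flagged:
                flagged.add(key)
                findings.append(("original_unrecoverable", lib, ev["file"],
                                 edits[key], limits[lib]))
    return findings

if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

A `limit_reduced` finding is the earlier signal, since it appears before any file has lost its original version.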

Please note that this attack technique requires that the attacker gain access to a user’s account to make these changes. There isn’t anything inherently wrong with Microsoft 365 or Google Workspace.

When asked about the problem, Microsoft said there was nothing to be done because file versioning was working as intended. Other cloud providers, including Google Workspace, have features similar to AutoSave and file versioning and are just as vulnerable.

Other Risks in the Cloud

Unfortunately, there are other risks when using a public cloud as well. Public cloud is a model where the servers and other resources are shared by multiple companies. This leaves the potential for a breach from one organization to spread to another.

Most people and business leaders are not aware that public cloud organizations, including Microsoft and Amazon, have a shared responsibility model. From Microsoft:

For all cloud deployment types, you own your data and identities. You are responsible for protecting the security of your data and identities, on-premises resources, and the cloud components you control (which varies by service type).

Regardless of the type of deployment, the following responsibilities are always retained by you:

  • Data
  • Endpoints
  • Account
  • Access management

(citation)

What You Can Do

To protect your company and data, consider the following:

  1. Enable Multi-Factor Authentication: While not infallible, MFA is a good way to thwart attackers who may try to gain access to a user’s account, unless an attacker has access to the device.
  2. Security Awareness Training: A comprehensive training program that includes live training and phishing simulations and incorporates your organization’s Information Security Policies.
  3. Written and implemented Information Security Policies and Standards (ISPS): A well-written ISPS will help to create a culture of security awareness by providing everyone with a framework on remote work policies, acceptable use policies, data handling, and more.
  4. Managed third-party SaaS (Software as a Service) protection: Managed SaaS Backup can help protect against malware (such as ransomware) and prevent permanent data loss. Our solution can help mitigate the file-versioning issue outlined in this article. To learn more, download our information sheet here for information on our Managed SaaS protection for Microsoft 365 and Google Workspace.

References:

  1. https://www.bleepingcomputer.com/news/security/microsoft-office-365-feature-can-help-cloud-ransomware-attacks/
  2. https://www.cubebackup.com/docs/tutorials/revert-google-drive-folder-to-previous-version/#:~:text=Limitations,for%20up%20to%2030%20days.
  3. https://www.cloudwards.net/top-ten-major-risks-associated-with-cloud-storage/
  4. https://digitalguardian.com/blog/6-security-risks-enterprises-using-cloud-storage-and-file-sharing-apps