During Black Hat USA in Las Vegas, a SafeBreach researcher revealed that Microsoft OneDrive is fairly easy to crack. In addition, some of the application’s prevention tools can be bypassed, and it can even be abused to turn some of those tools against the end user. Thus, a threat actor who has already compromised a system can tamper with files and delete them, despite (and partly because of) OneDrive’s safeguards.
Security researcher Or Yair of SafeBreach said that the ransomware landscape has only gotten rougher. In March 2023, there was a record number of incidents on this front: 459. This further indicates that organizations must keep endpoint security high on their minds, alongside other forms of protection. EDR tools should protect local data to prevent it from being encrypted, deleted or exfiltrated. Microsoft’s own software also tries to secure data, but in practice it falls short.
Yair calls OneDrive a “built-in double agent” because its ransomware prevention tools can in fact be deployed as ransomware. It can encrypt data without an EDR intervening; during SafeBreach’s investigations, some EDR solutions even allowed the malicious code to run. OneDrive is both a local application and a cloud storage location, and it keeps files in sync between the two. Its processes are “trusted” by security applications.
Simple account hijacking
Hijacking the OneDrive directory is easy once an attacker has compromised a system. OneDrive’s extensive data logging allows an attacker to steal a session token and then access OneDrive files from another system. It is then also relatively easy to break out of this directory on the local system.
Microsoft’s application protects backups from ransomware by default, but this protection can be bypassed because of a vulnerability in the Android version. Yair explains that the API for that OS differs from its Windows-based counterpart, which allowed him to find out where the “shadow copies” of files were located. This would let an attacker first delete a file on OneDrive locally and then encrypt the backups, so that the victim ends up with only the encrypted files.
Action already taken by Microsoft, but the problem lies deeper
Microsoft has already implemented a fix, Yair said. Furthermore, CrowdStrike, Cybereason and Palo Alto have patched their EDR solutions. As a result, users currently don’t have to do anything beyond following the usual security steps.
That, incidentally, is Yair’s closing message for security teams: trust as few applications as possible. Even Microsoft’s own processes can evidently pose a danger, even when they were assumed to include comprehensive ransomware prevention tools. Zero trust thus turns out to be yet another broad concept that applies to every layer of the IT infrastructure.