At the recent Black Hat conference, new research disclosed security weaknesses in Microsoft OneDrive that could put business data at risk.
Or Yair, a security researcher at SafeBreach, showed how an attacker could abuse the cloud storage client to carry out a ransomware attack. The crux of the matter is the OneDrive app, which is installed by default on Windows devices. To users, it looks like an ordinary folder that can be opened in File Explorer, and it silently syncs whatever is placed in that ‘folder’ to its cloud counterpart.
One notable weak point is the app’s own directory, where all of the user’s logs are collected in one place. During his demonstration, Yair retrieved session tokens from these logs. With those tokens he was able to create junctions that reached files outside OneDrive’s directory, in effect giving him access to local files anywhere on the target device.
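The junctions described above are the part of the chain a defender can audit directly: a junction or symbolic link inside the OneDrive sync root whose target resolves elsewhere on the disk is exactly what this technique relies on. The script below is an added example, not code from the article or from SafeBreach. It assumes the OneDrive client has set the %OneDrive% environment variable (which it does by default); the function name and the -SyncRoot parameter are this example’s own.

```powershell
# Added example (not from the article or SafeBreach): audit a OneDrive sync root for
# junctions or symbolic links whose target resolves outside that root.
# Assumes %OneDrive% is set by the OneDrive client; pass -SyncRoot to override.
function Find-EscapingReparsePoints {
    param(
        [string]$SyncRoot = $env:OneDrive
    )
    if (-not $SyncRoot -or -not (Test-Path -LiteralPath $SyncRoot)) {
        throw "OneDrive sync root not found; pass -SyncRoot explicitly."
    }
    # Normalise the root once with a trailing backslash so the containment test is a
    # safe prefix match (C:\Users\a\OneDrive2\ must not match C:\Users\a\OneDrive\).
    $root = (Get-Item -LiteralPath $SyncRoot).FullName.TrimEnd('\') + '\'

    Get-ChildItem -LiteralPath $SyncRoot -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        # Files On-Demand placeholders are reparse points too, but they carry no LinkType;
        # keep only real junctions and symbolic links.
        Where-Object { $_.LinkType -in @('Junction', 'SymbolicLink') } |
        ForEach-Object {
            $link = $_
            # .Target is string[] on Windows PowerShell 5.1 and string on PowerShell 7; take the first entry.
            $target = @($link.Target)[0]
            if (-not $target) { return }
            # Drop the \\?\ extended-length prefix some versions report.
            $target = $target -replace '^\\\\\?\\', ''
            # Symbolic links may use relative targets; resolve them against the link's own directory.
            if (-not [System.IO.Path]::IsPathRooted($target)) {
                $target = Join-Path -Path (Split-Path -Parent $link.FullName) -ChildPath $target
            }
            # GetFullPath collapses any ..\ segments before the containment check.
            $resolved = [System.IO.Path]::GetFullPath($target).TrimEnd('\') + '\'
            if (-not $resolved.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{
                    Link    = $link.FullName
                    Type    = $link.LinkType
                    Target  = $resolved.TrimEnd('\')
                    Created = $link.CreationTime
                }
            }
        }
}

# Usage: list every junction or symbolic link under the sync root that points elsewhere on the disk.
Find-EscapingReparsePoints | Format-Table -AutoSize
```

Run it as the user whose OneDrive is being checked (the sync root lives in that user’s profile). A healthy sync root normally contains no junctions or symbolic links at all, so any row in the output deserves a look, and the CreationTime column helps correlate a finding with other host activity.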
Taking the process a step further, Yair encrypted these files. Even the copies backed up in OneDrive were destroyed, owing to a bug in OneDrive’s Android version. The result: victims were left with backups that were merely encrypted versions of already encrypted files.
Another unsettling finding was the blind spot in many endpoint detection and response (EDR) tools. In this simulated attack, many of them failed to flag the benign app’s abnormal behaviour, chiefly because no new malicious code was introduced. Cybereason, Microsoft Defender for Endpoint, CrowdStrike Falcon, and Palo Alto Cortex XDR did not detect the activity. SentinelOne did detect the anomaly but could not stop it, because OneDrive was whitelisted.
In response to these findings, Microsoft has released a corrective patch, and the EDR vendors named above have updated their products accordingly.
There is a silver lining, however. To carry out such an attack, an attacker needs prior access to the targeted device, so the best protective measure is straightforward: keep your devices free of malware.