Microsoft OneDrive’s Security Vulnerability Exposed at Black Hat Conference


August 11, 2023
Nextdoorsec-course

At the recent Black Hat event, new findings unveiled potential security loopholes within Microsoft OneDrive that could endanger business data.

Or Yair, a security expert from SafeBreach, highlighted how malicious individuals might exploit the cloud storage tool to launch ransomware attacks. The crux of the matter is the OneDrive app, which is installed by default on Windows devices. To users, this app mirrors a typical folder, easily accessible via the file explorer. Additionally, it seamlessly syncs the content within this ‘folder’ to its cloud counterpart.

A notable point of vulnerability lies in the app's directory, which stores all of the user's logs in one place. During his demonstration, Yair retrieved session tokens from these logs. With these tokens, he was able to create junctions that reached files beyond the confines of OneDrive's directory, essentially giving him access to local files on the target device.


Taking the process a step further, Yair encrypted these files. Even the copies backed up in OneDrive were destroyed, due to a glitch in OneDrive's Android version. The result: victims would find themselves left with backups that were merely encrypted versions of already encrypted files.

Another unsettling revelation was the apparent blind spot of many endpoint detection and response (EDR) tools. In this simulated attack, many tools failed to recognize the otherwise benign app's deviant behavior, primarily because no new malicious code was introduced. Prominent products such as Cybereason, Microsoft Defender for Endpoint, CrowdStrike Falcon, and Palo Alto Cortex XDR did not detect this activity. Interestingly, SentinelOne did detect the anomaly but could not halt it, as OneDrive was whitelisted.

In response to these alarming discoveries, Microsoft has rolled out a corrective patch. The EDR providers mentioned earlier have also updated their systems accordingly.

However, there is a silver lining. To execute such an attack, an attacker would first need access to the targeted device. The best protective measure is therefore straightforward: keep your devices free of malware.

Noor Khan


My name is Noor, and I am a seasoned entrepreneur focused on the area of artificial intelligence. As a robotics and cyber security researcher, I love to share my knowledge with the community around me.
