Researchers show how OneDrive can be turned against users in a malware attack
Microsoft OneDrive, one of the most popular cloud backup services because it ships with Windows, could pose a serious security threat to a company. At the recent Black Hat conference, SafeBreach researcher Or Yair showed how threat actors could leverage the cloud storage platform to carry out a ransomware attack.
The problem stems from the way OneDrive is installed on Windows devices: as an app that presents itself as a folder. Users access it locally through File Explorer, just like any other folder, and the app automatically syncs every file stored in that folder with its copy in the cloud.
OneDrive does not appear to have strong security, especially for businesses
The app also stores all of the user's log files in a single directory. Those logs contain session tokens, which an attacker can extract from the OneDrive directories; with them, the attacker can create junctions that point to locations outside the OneDrive directory itself, giving access to files stored locally on the target endpoint.
From there, all that remained to complete the attack was to encrypt the files. Even the copies stored in OneDrive, which acts as a shadow backup, were wiped out; this is due to a bug found in the OneDrive Android app. Once the app has finished, all the victim is left with are encrypted backup copies of the encrypted files: a way to suffer a ransomware attack with no way to recover the data.
Most endpoint detection and response tools could not detect the malicious app, and since no malicious code had been added anywhere, they could not flag it as ransomware or malware either. Cybereason, Microsoft Defender for Endpoint, CrowdStrike Falcon and Palo Alto Cortex XDR all failed the test. SentinelOne did detect the attack, but it did not stop it because OneDrive was on its allow list.
Microsoft has already released a patch to fix the problem, and all of the cybersecurity companies mentioned above have patched their EDRs. Note, however, that to carry out the attack the threat actor needs prior access to the target device: if the computer is not already compromised there is no problem, but once a malicious agent gains access it can carry out the attack.
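The pivot described above relies on junctions planted inside the OneDrive sync folder that point to locations outside it. The following PowerShell script is an added example for defenders, not code from the article, from TechRadar or from SafeBreach: it audits a sync folder for junctions and symbolic links whose target resolves outside the sync root, which is the kind of check an EDR allow list for OneDrive would otherwise silently skip. It assumes Windows PowerShell 5.1 or PowerShell 7 and that $env:OneDrive points at the user's sync root (a standard OneDrive install sets it); pass -SyncRoot to override.

```powershell
# Added example (not from the article or from SafeBreach): flag reparse points
# under a OneDrive sync folder whose target escapes the sync root.
# Assumes Windows PowerShell 5.1 or PowerShell 7; $env:OneDrive is assumed to
# be set by the OneDrive client, otherwise pass -SyncRoot explicitly.

function Get-ExternalReparsePoint {
    [CmdletBinding()]
    param(
        [string]$SyncRoot = $env:OneDrive
    )

    if (-not $SyncRoot -or -not (Test-Path -LiteralPath $SyncRoot)) {
        throw "OneDrive sync root not found: '$SyncRoot'"
    }
    # Normalise the root to an absolute path with exactly one trailing backslash,
    # so a prefix comparison is not fooled by e.g. 'C:\Users\x\OneDriveEvil'.
    $root = [System.IO.Path]::GetFullPath($SyncRoot).TrimEnd('\') + '\'

    Get-ChildItem -LiteralPath $SyncRoot -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
    ForEach-Object {
        $item = $_
        # PowerShell 7 exposes .LinkTarget (a string); Windows PowerShell 5.1
        # exposes .Target (a collection). Use whichever is populated.
        $target = if ($item.LinkTarget) { $item.LinkTarget } else { @($item.Target)[0] }
        if (-not $target) { return }

        # Some .NET builds report junction targets in NT form ('\??\C:\...').
        $target = [string]$target -replace '^\\\?\?\\', ''
        # Symbolic links may carry relative targets; resolve against the link's parent.
        if (-not [System.IO.Path]::IsPathRooted($target)) {
            $target = Join-Path -Path (Split-Path -Path $item.FullName -Parent) -ChildPath $target
        }
        $resolved = [System.IO.Path]::GetFullPath($target).TrimEnd('\') + '\'

        [PSCustomObject]@{
            Link     = $item.FullName
            LinkType = $item.LinkType
            Target   = $resolved
            External = -not $resolved.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)
        }
    } |
    Where-Object { $_.External }
}

# Usage: list every junction or symlink under the sync root that points outside it.
Get-ExternalReparsePoint | Format-Table -AutoSize
```

A legitimate sync folder normally contains no reparse points that leave it, so any hit is worth investigating; running this on a schedule, or feeding its output to the EDR as a custom indicator, gives coverage even where the sync client itself is allow-listed.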
Source: TechRadar