Microsoft OneDrive a willing and eager 'ransomware double agent'

There's a rather serious ransomware vulnerability in Microsoft's desktop operating system, according to research out this week. It's nigh undetectable, uses a fully legitimate workflow to encrypt files, and comes pre-installed on all new Windows systems: OneDrive. As per the findings presented by SafeBreach security researcher …

  1. MatthewSt

    Relatively easy...

    ... once he managed to achieve an initial compromise of a Windows machine

    So in order to get OneDrive to do all of these things to a user's files, you have to already have had access to those files yourself? Sounds like a massive security hole.

    Granted they shouldn't be storing tokens in logs, but if you're in a position to read those logs the user has already lost.

    1. sarusa Silver badge

      Re: Relatively easy...

      You only need to get /user/ access, not admin access. So basically you just need to get the user to run an executable, or have Outlook do it with all its security holes, or all the usual ways you get an executable run on the target machine. Then the executable just has to create junctions, which can be done with plain old user access. Then OneDrive will happily encrypt all the files, and since it's running as administrator it can get to (almost) everything. And corporate anti-intrusion software, which is supposed to spot and stop this kind of specific suspicious behavior, will just go 'Oh it's OneDrive, must be legit'. Then you use the Android OneDrive app (with the keys you grabbed from OneDrive's logs) to delete the original files so all that's left are the encrypted ones. OneDrive does /all/ your dirty work for you.

      So yes, this is quite a security hole. It only needs user permissions, bypasses nearly all EDR, and OneDrive comes pre-installed on all Windows machines (and keeps coming back like cancer even if you remove it).

      1. MatthewSt

        Re: Relatively easy...

        Apart from OneDrive doesn't run as admin. He's talking about using OneDrive to overwrite the user's own files that they are not storing in OneDrive.

        And why are we fine saying that the EDR trusts OneDrive but overlooking those tools when we have to "just" get the user to run an executable?

        1. Doctor Syntax Silver badge

          Re: Relatively easy...

          There seems to be a long history of "just" getting users to run executables. All you have to do is email them kittenpic.jpg.exe or invoice.pdf.exe. You might not do so but others will.

          1. John Brown (no body) Silver badge

            Re: Relatively easy...

            ...and MS STILL hide file extensions by default on a fresh install and users still don't suspect something might be wrong when one file emailed to them DOES show an extension. Admittedly, having kittenpic.jpg.exe show up with an extension when they don't normally, but still an innocuous-looking kittenpic.jpg, is probably easy for most to overlook, whereas if ALL extensions were shown by default, I suspect many more might notice the unusual "double" extension of kittenpic.jpg.exe.

      2. sarusa Silver badge

        Re: Relatively easy...

        * hand waving, sorry, the sort options per thread are persistent, which is generally cool, but made it look like the initial post had disappeared, but now I've figured it out *

    2. Roland6 Silver badge

      Re: Relatively easy...

      Looks like you only need a webpage to access the OneDrive log files and grab a session token and then create a junction to your malware folder…
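The thread above turns on junctions placed inside the sync folder that point at data outside it. As an added defensive check (not from the article or any commenter), the script below walks a sync root without following links and reports every junction or symlink whose resolved target lies outside that root. It assumes a Unix-like host where symlinks stand in for junctions; on Windows the reparse-point attribute check covers real junctions. The sample layout is constructed in a temp directory.

```python
import os
import stat
import tempfile


def _is_reparse_point(path):
    """True for junctions and symlinks. os.path.islink ignores Windows
    junctions, so check the reparse-point attribute there and fall back
    to the symlink mode bit elsewhere."""
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", 0)
    if attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0):
        return True
    return stat.S_ISLNK(st.st_mode)


def find_escaping_links(sync_root):
    """Return (link_path, resolved_target) for every link under sync_root
    that resolves to a location outside sync_root. Linked directories are
    pruned so the walk never descends into the target."""
    root = os.path.realpath(sync_root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in list(dirnames) + filenames:
            path = os.path.join(dirpath, name)
            if not _is_reparse_point(path):
                continue
            if name in dirnames:
                dirnames.remove(name)  # do not recurse through the link
            target = os.path.realpath(path)
            try:
                inside = os.path.commonpath([root, target]) == root
            except ValueError:  # different drive on Windows: cannot be inside
                inside = False
            if not inside:
                findings.append((path, target))
    return findings


def demo():
    """Constructed layout: a plain file, a link that stays inside the sync
    root (allowed) and a link that escapes to a folder outside it (flagged)."""
    base = tempfile.mkdtemp()
    sync_root = os.path.join(base, "OneDrive")  # assumed sync folder name
    outside = os.path.join(base, "Documents")   # data the user never synced
    os.makedirs(sync_root)
    os.makedirs(outside)
    with open(os.path.join(sync_root, "notes.txt"), "w") as fh:
        fh.write("plain file\n")
    os.symlink(os.path.join(sync_root, "notes.txt"),
               os.path.join(sync_root, "inside-link"))
    os.symlink(outside, os.path.join(sync_root, "escape-link"))
    return [(os.path.basename(p), t) for p, t in find_escaping_links(sync_root)]
```

Point `find_escaping_links` at the real sync root to audit it; any hit is a link the sync client would follow into data outside its folder.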

  2. Anonymous Coward

    Shared file access is a reality of modern work

    Plus the issue here is that it evades protections, and can be forced out of its intended sandbox by an attacker, who can then delete the last line of defense OneDrive provides, the shadow copies.

    The access tokens in the logs are the other huge bozo no-no, you're dead on on that one. But this was worth looking at because leveraging a _blindly_ trusted process allowed the attacker to hide their exfiltration and destruction of the victim's data from systems intended to block such attacks.

    Not only did M$ screw the pooch, the anti-ransomware companies showed their ass once again.

  3. Pascal Monett Silver badge

    "Since there's no actual malware installed on the target machine"

    Wait, there's Windows, isn't there ?

    Of course malware vendors aren't going to detect OneDrive shenanigans. It's Borkzilla software, it can't go wrong !

    1. Version 1.0 Silver badge

      Re: "Since there's no actual malware installed on the target machine"

      We need to make a big change - set up a legal and efficient environment where all Malware vendors, and anyone processing Malware vendors' money, are jailed for 30 years, these days in a jail with no AC.

  4. Mike Pellatt

    This is why relying on OneDrive for your ransomware protection is madness.

    Keep the backups well, well away from the Microsoft ecosystem.

  5. Adam JC

    S1 / Zero Trust

    "Unfortunately, it still didn't stop shadow copies from being deleted because the local OneDrive executable is on an allow list."

    I'm not sure how S1 works, but with ThreatLocker even if an EXE is approved, it is still 'Ringfenced' in what it can read/write to. I just checked our policy definitions for OneDrive.exe and it's only allowed to access *:\Users\%username%\OneDrive\* but nothing outside that folder. I'd be surprised if S1 didn't have similar features, so could have been stopped if the S1 environment was configured correctly - Just a thought.

    Secondary thought - It requires initial exploit anyway, so would hopefully be stopped by the EDR at point of entry. Having said that, Zero-days are a thing so anything is possible.

  6. FirstTangoInParis Bronze badge

    MacOS changes

    Not sure if this was the driver, but MacOS had a big change recently on how access is controlled in at least OneDrive and Dropbox and likely similar apps. They used to be allocated simple folders, but now are in a special folder to which the user has no direct access.

    See https://tidbits.com/2023/03/10/apples-file-provider-forces-mac-cloud-storage-changes/
