Microsoft OneDrive Vulnerability Allows Encryption of Files – Fagen wasanni

There is a serious ransomware vulnerability in Microsoft's desktop operating system, according to research presented at the Black Hat conference. The vulnerability is found in Microsoft's cloud storage service, OneDrive, which is designed to sync and protect files. However, the researcher discovered that OneDrive can easily be turned against the systems it is meant to secure.

To exploit the vulnerability, the researcher first compromised a Windows machine to gain access to an account. They then discovered that OneDrive stores session tokens in log files, which can be extracted and used to gain control over the application. By creating junctions outside of OneDrive's own directory, the researcher was able to manipulate, modify, and delete files on the local machine.
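A defender can audit a sync folder for this kind of redirection. The following is an added example, not code from the research or from Microsoft: it reports every link or junction under a sync root that resolves outside it. It assumes the redirect sits inside the synced folder; the folder names are constructed, and a symbolic link stands in for an NTFS junction so the demo runs on any OS.

```python
import os
import tempfile


def _inside(path, root):
    """True if path is root itself or lies beneath it."""
    try:
        return os.path.commonpath([path, root]) == root
    except ValueError:  # e.g. different drive letters on Windows
        return False


def find_escaping_links(sync_root):
    """Return (entry, resolved_target) for each link or junction under
    sync_root whose resolved location is outside sync_root."""
    root = os.path.normcase(os.path.realpath(sync_root))
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        real_dirs = []
        for name in dirnames + filenames:
            entry = os.path.join(dirpath, name)
            target = os.path.normcase(os.path.realpath(entry))
            # A plain file or directory resolves to itself; anything else
            # is a symlink, junction or similar redirect.
            redirected = target != os.path.normcase(entry)
            if redirected and not _inside(target, root):
                findings.append((entry, target))
            if name in dirnames and not redirected:
                real_dirs.append(name)
        dirnames[:] = real_dirs  # never descend through a redirect
    return findings


def demo():
    """Constructed layout: one link leaves the sync root, one stays inside."""
    base = os.path.realpath(tempfile.mkdtemp())
    sync = os.path.join(base, "OneDrive")      # hypothetical sync root
    outside = os.path.join(base, "Documents")  # hypothetical local folder
    os.makedirs(os.path.join(sync, "Work"))
    os.makedirs(outside)
    escaping = os.path.join(sync, "Work", "docs")
    os.symlink(outside, escaping, target_is_directory=True)
    os.symlink(os.path.join(sync, "Work"), os.path.join(sync, "shortcut"),
               target_is_directory=True)
    return find_escaping_links(sync), escaping, outside


if __name__ == "__main__":
    for entry, target in demo()[0]:
        print(f"escapes sync root: {entry} -> {target}")
```

On Windows, creating the demo's symbolic links needs Developer Mode or an elevated prompt; the audit function itself needs no special rights beyond read access to the folder.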

The researcher also found that the OneDrive app for Android has weaknesses that can be exploited. The app's API is different from other versions of OneDrive, which allowed the researcher to delete original copies of encrypted files, leaving the victim with only encrypted backups.

Endpoint detection and response (EDR) software should theoretically detect this type of activity, but according to the researcher, major enterprise vendors' EDR software failed to identify the OneDrive vulnerability. Only SentinelOne's software was able to detect the threat and raise a flag about a possible ransomware attack.

Microsoft has released a fix for the vulnerability, and other vendors have patched their EDR software. However, the researcher emphasized that applications should not automatically trust processes like OneDrive by default and should implement measures to detect and stop potential attacks.

In conclusion, the Microsoft OneDrive vulnerability allows an attacker to encrypt files using a legitimate piece of software. Immediate action should be taken to address this vulnerability and improve security measures.
