Tag Archives: OneDrive

Think Before You Sync. Why just moving to the cloud does not solve the ransomware threat.

27 July 2019

On May 7th, 2019 the city of Baltimore was hit by a ransomware attack.  Although the city hired Microsoft and five other firms it has not fully recovered from the attack yet.(1)

Since the city’s email system was down officials started to use Gmail accounts for communications.(1)(2) This makes sense in the case of an emergency. Not communicating in the case of a publicly visible cyber-attack commonly has a large financial impact on businesses; but in the case of cities this may result in the loss of public security.

The ransomware attack on Norsk Hydro on March 19th, 2019 impressively shows the effect of good communications(3)(4): Investor’s confidence was not endangered at any time, the share price remained unchanged.

But from a strategic point of view, just moving to the whatever cloud is not a good idea. Google’s idea behind ChromeOS was simply clever: If everything (applications and data) is stored in the cloud the impact of e.g. ransomware will be negligible because the malware cannot jump across the https barrier to your cloud storage. The same holds for O365.

Unfortunately, users are not used of this way of working in the browser. It’s often slow, requires a change in working habits, travelling requires extra preparation, etc. So, Microsoft invented OneDrive and Google came up with Sync for Windows. Similar tools are available for Box and DropBox, and for all desktop operating systems, even for Linux.

Linux Setup Online Accounts

Linux setup online accounts during first login

With these syncing tools, the data stored in the cloud is made available on the user’s desktop. Changes to local files are synchronized immediately to the cloud and vice versa. And with this, the ransomware problem still exists because if a ransomware encrypts the synchronized files on the local copy the change is immediately synchronized to the cloud.
Game over.

So, if you want to take advantage of the cloud you have to run a vast change project: The whole working environment with all forms, templates, etc. must be provided in the cloud. And the employees must get used of the new way of working.

We need change!

We need change!

But the effort pays off: Your network becomes more resilient against cyber-attacks, workstations can be easily exchanged, the endpoint complexity can be reduced, windows domains and in the end, the campus network, will become dispensable.

So, think before you sync!

Have a great weekend.


  1. Duncan I. Google Pitches to Baltimore after Ransomware Attacks [Internet]. Government Technology. 2019 [zitiert 27. Juli 2019]. Verfügbar unter: https://www.govtech.com/computing/Google-Pitches-to-Baltimore-after-Ransomware-Attacks.html
  2. Cyber-spies tight-lipped on Baltimore hack. BBC News [Internet]. 27. Mai 2019 [zitiert 27. Juli 2019]; Verfügbar unter: https://www.bbc.com/news/technology-48423954
  3. Norsk Hydro. Update: Hydro subject to cyber attack [Internet]. 2019 [zitiert 24. Mai 2019]. Verfügbar unter: https://www.hydro.com/de-DE/medien/news/2019/update-hydro-subject-to-cyber-attack/
  4. Norsk Hydro ASA. Norsk Hydro: Update: Hydro subject to cyber-attack – 19.03.19 – News – ARIVA.DE [Internet]. de. 2019 [zitiert 24. Mai 2019]. Verfügbar unter: https://www.ariva.de/news/norsk-hydro-update-hydro-subject-to-cyber-attack-7476743
Advertisements

Bypassing protection measures by direct upload of malicious content to OneDrive/Office 365

9 August 2015

I am happy about every email with malicious content or attachment, in particular if I find the mail in my inbox. Sound’s strange, but it’s important to analyze the technology of the attackers to develop proper protection strategies.

Last Wednesday I spent an hour with the analysis of an obviously malicious email attachment. Outlook blocked the access to the attachment without any error message. Therefore I logged in to my outlook.com account and opened the email:

Malicious Mail in Outlook.com

Malicious Mail in Outlook.com

A click on Download as zip resulted in the following error message:

The file “Automatische Lastschrift konnte nicht vorgenommen werden 05.08.2015.zip” is infected with an unknown virus, so it isn’t safe to download.

Perfect! This explains the strange behavior of Outlook. But saving to OneDrive surprisingly works.

Malicious Mail Save to OneDrive

Malicious Mail Save to OneDrive

Some minutes later I uploaded the zip archive to VirusTotal and found, that the malware was already known with name Trojan:Win32/Bulta!rfn. For more details please see below.

When I extracted the nested zip-archive to my local hard disk the endpoint protection system correctly identified the program, blocked access and took the predefined action.

What happened? The attackers used a standard technology (malware in nested zip archives) to deliver their payload. The outlook client and outlook.com both blocked downloading the payload because they identified a suspicious attachment.

But all protection could be bypassed by uploading the file to OneDrive. When OneDrive or Office 365 is used as collaboration platform with suppliers and partners an attacker could easily use bypass to distribute malicious content across companies. In particular for zero day exploits this may become a serious problem.

For protection against the download of malicious content from Cloud Services we have to change our endpoint protection strategy. The anti-malware systems on the surf proxy will not recognize the malicious objects because the data stream is encrypted (https protocol used). Even if the surf proxy breaks SSL it is very likely that zero day exploits, and already known viruses, are not identified. The same holds for the endpoint protection systems on the end-users desktops.

But the first line of defense, the cloud provider, has the most important task. Bypassing protection by uploading malicious objects to the cloud storage is not acceptable. This strange behavior should be corrected as soon as possible. From the above we know that this is an easy task because the system already identified the attachment as malware.

Have a good week!


VirusTotal results: 2015-08-06 20:21:06 UTC

Detection rate: 23 / 55

AntiVirus Result Last Update
Avast Win32:Malware-gen 20150806
Microsoft Trojan:Win32/Bulta!rfn 20150806
Ikarus Trojan.Win32.Crypt 20150806
Arcabit Trojan.Mikey.D538C 20150806
DrWeb Trojan.Inject1.62743 20150806
TrendMicro TROJ_KR.2B7B2BF7 20150806
TrendMicro-HouseCall TROJ_KR.2B7B2BF7 20150806
Avira TR/Crypt.Xpack.248161 20150806
Rising PE:Trojan.Win32.Generic.18EBC66C!418104940 20150731
Sophos Mal/Generic-S 20150806
AVG Generic_r.FOY 20150806
Panda Generic Suspicious 20150806
Emsisoft Gen:Variant.Mikey.21388 (B) 20150806
Ad-Aware Gen:Variant.Mikey.21388 20150806
BitDefender Gen:Variant.Mikey.21388 20150806
F-Secure Gen:Variant.Mikey.21388 20150806
GData Gen:Variant.Mikey.21388 20150806
MicroWorld-eScan Gen:Variant.Mikey.21388 20150806
McAfee-GW-Edition BehavesLike.Ransom.lc 20150806
Kaspersky Backdoor.Win32.Androm.humu 20150806
Symantec Backdoor.Matsnu 20150806
McAfee Artemis!B65DB4920F67 20150806
ESET-NOD32 a variant of Win32/Kryptik.DSND 20150806
ALYac 20150806
AVware 20150806
AegisLab 20150806
Agnitum 20150806
AhnLab-V3 20150806
Alibaba 20150803
Antiy-AVL 20150806
Baidu-International 20150806
Bkav 20150806
ByteHero 20150806
CAT-QuickHeal 20150806
ClamAV 20150806
Comodo 20150806
Cyren 20150806
F-Prot 20150806
Fortinet 20150804
Jiangmin 20150804
K7AntiVirus 20150806
K7GW 20150806
Kingsoft 20150806
Malwarebytes 20150806
NANO-Antivirus 20150806
Qihoo-360 20150806
SUPERAntiSpyware 20150806
Tencent 20150806
TheHacker 20150805
VBA32 20150806
VIPRE 20150806
ViRobot 20150806
Zillya 20150806
Zoner 20150806
nProtect 20150806