Researchers have found two techniques that could allow attackers to bypass audit logs or generate less severe log entries when downloading files from SharePoint.
Microsoft SharePoint is a web-based collaborative platform that integrates with Microsoft Office and Microsoft 365, used primarily as a document management and data storage system.
Many companies use it for document management and collaboration, building websites and corporate intranets, automating complex workflows, and enterprise content management applications.
Because of the sensitivity of SharePoint data, many companies audit sensitive events, such as file downloads, to trigger alerts in cloud access security tools, data loss prevention (DLP) tools, and security information and event management (SIEM) platforms.
Researchers at Varonis Threat Labs have devised two simple techniques that let users bypass audit logs or generate less sensitive events, either by downloading data in a particular way or by disguising downloads as data syncing activity.
Silent data exfiltration
The first technique described in Varonis' report takes advantage of SharePoint's "Open in App" feature, which lets users open documents in applications such as Microsoft Word instead of in the web browser, which is the default option.
Using this feature does not generate a "FileDownloaded" event in SharePoint's audit logs; instead it creates an "Access" event that administrators may overlook.
Opening the file from a cloud location creates a shell command containing the non-expiring URL of the file's location on the cloud endpoint, which someone can then use to download the file without restrictions.
Varonis also notes that misuse of "Open in App" can be either manual or automated, using a custom PowerShell script that could let someone exfiltrate large lists of files quickly.
The second technique involves spoofing the User-Agent string of the file access requests to mimic Microsoft SkyDriveSync, a service used for file synchronization between SharePoint and a user's local computer.
This trick makes file downloads performed via the browser or the Microsoft Graph API appear in the logs as data syncing events ("FileSyncDownloadedFull"), reducing the likelihood of scrutiny by security teams.
In this case, too, altering the User-Agent string and then exfiltrating files can be done manually or via a PowerShell script that automates the process.
Mitigation
Varonis disclosed these bugs in November 2023, and Microsoft added the flaws to a patch backlog for future fixing.
However, the issues were rated as moderate severity, so they will not receive immediate fixes. SharePoint admins should therefore be aware of these risks and learn to identify and mitigate them until patches become available.
Varonis recommends monitoring for high volumes of access activity within a short timeframe and for the introduction of new devices from unusual locations, both of which could be indicators of unauthorized data exfiltration.
Security teams are also advised to scrutinize sync events for anomalies in frequency and data volume and to look for unusual activity patterns.
BleepingComputer has reached out to Microsoft to learn more about its plans for addressing the issues presented by Varonis, but we have yet to receive a comment.
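The two detections recommended above, a burst of download-like activity per user within a short window and sync-classified events arriving from an address not in that user's baseline, as an added example that is not part of the Varonis report or any Microsoft tooling. The record shape (CreationTime, Operation, UserId, ClientIP, ObjectId) is modelled on Microsoft 365 unified audit log entries but the sample data is constructed, and "FileAccessed" is assumed as the operation name behind the "Access" event described above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Operations worth counting. "Open in App" leaves FileAccessed (assumed name for the
# "Access" event) rather than FileDownloaded; a spoofed User-Agent makes browser or
# Graph downloads show up as FileSyncDownloadedFull.
DOWNLOAD_LIKE = {"FileDownloaded", "FileAccessed", "FileSyncDownloadedFull"}
SYNC_OPS = {"FileSyncDownloadedFull"}

def _rec(ts, user, op, ip, obj):
    return {"CreationTime": ts, "Operation": op, "UserId": user, "ClientIP": ip, "ObjectId": obj}

T0 = datetime(2024, 4, 9, 10, 0, 0)
# Constructed sample: alice bulk-opens 12 files via "Open in App" within two minutes,
# bob syncs 3 files from his usual address, carol "syncs" from an address never seen for her.
SAMPLE_RECORDS = (
    [_rec(T0 + timedelta(seconds=10 * i), "alice@example.com", "FileAccessed",
          "203.0.113.5", f"/sites/hr/doc{i}.docx") for i in range(12)]
    + [_rec(T0 + timedelta(minutes=i), "bob@example.com", "FileSyncDownloadedFull",
            "198.51.100.7", f"/sites/eng/spec{i}.docx") for i in range(3)]
    + [_rec(T0 + timedelta(minutes=30), "carol@example.com", "FileSyncDownloadedFull",
            "192.0.2.99", "/sites/fin/q1.xlsx")]
)

def detect(records, known_ips, window=timedelta(minutes=5), burst_threshold=10):
    """Return (rule, user, detail) alerts for the two patterns the report recommends watching."""
    alerts = []
    per_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["CreationTime"]):
        if r["Operation"] in DOWNLOAD_LIKE:
            per_user[r["UserId"]].append(r)
    for user, evs in per_user.items():
        # Rule 1: sliding window over download-like events; fire once per user on first breach.
        start = 0
        for end, r in enumerate(evs):
            while r["CreationTime"] - evs[start]["CreationTime"] > window:
                start += 1
            if end - start + 1 >= burst_threshold:
                alerts.append(("burst", user, f"{end - start + 1} download-like events within {window}"))
                break
        # Rule 2: sync-classified events from an address outside the user's known baseline.
        for r in evs:
            if r["Operation"] in SYNC_OPS and r["ClientIP"] not in known_ips.get(user, set()):
                alerts.append(("new-sync-source", user, r["ClientIP"]))
                break
    return alerts

# Baseline of addresses previously seen syncing per user (constructed).
KNOWN_IPS = {"bob@example.com": {"198.51.100.7"}, "alice@example.com": {"203.0.113.5"}}

if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS, KNOWN_IPS):
        print(alert)
```

Because the spoofed User-Agent makes the forged sync events indistinguishable from real ones by string matching, the second rule keys on where the sync came from rather than on the User-Agent itself.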