New covert SharePoint data exfiltration techniques revealed


Varonis Threat Labs researchers have uncovered two techniques attackers can use for covert data and file exfiltration from companies’ SharePoint server.

“These techniques can bypass the detection and enforcement policies of traditional tools, such as cloud access security brokers, data loss prevention, and SIEMs, by hiding downloads as less suspicious access and sync events,” they noted.

The techniques, and why they may work

Microsoft SharePoint is used by organizations to facilitate employee collaboration, simplify document/content management and storage, set up an intranet portal through which company information and apps can be accessed, and more.

The two techniques can be leveraged by a threat actor who has compromised an employee’s account or by a malicious insider.

Attackers can covertly exfiltrate data in one of two ways:

  • By using the “Open in Desktop App” feature in SharePoint to access and save a local copy of files, or by accessing them directly via a special link
  • By downloading files from SharePoint but changing the browser’s User-Agent to Microsoft SkyDriveSync

“By combining PowerShell with the SharePoint client object model (CSOM), threat actors can write a script that fetches the file from the cloud and saves it to the local computer without leaving a download log footprint. This script can be extended to map an entire SharePoint site and, using automation, download all the files to the local machine,” the researchers noted.

“By changing the browser’s User-Agent, it’s possible to download files via conventional methods, like the GUI or the Microsoft Graph API,” they explained, and added that these actions can be automated via a PowerShell script.

In both cases, the actions are not recorded in “file download” logs but only in “file access” and/or “file sync” logs, and are unlikely to trigger detection rules, which usually focus on download logs.

Data exfiltration detection advice (until a fix is released)

The researchers shared their findings with Microsoft in November 2023, and the company said it will fix the vulnerabilities – but not immediately, as it considers them to be only moderately severe.

“A potential fix could be adding a new log indicating that the file has been opened in the app. This, coupled with a bit of behavioral analysis, could help indicate if files are being exfiltrated,” Varonis Threat Labs Security Research Team leader Eric Saraga told Help Net Security.

In the meantime, organizations should keep a closer eye on access logs and incorporate sync events into new detection rules, which should be triggered by unusual behaviors (greater volume, unusual devices, new geolocation, etc.).
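As an added illustration of that advice (example code written for this article, not Varonis’ or Microsoft’s), the following pass treats file access and sync operations as download equivalents and flags a user for unusual volume in a short window or for activity from a source address not in that user’s baseline. The operation and field names follow the Microsoft 365 unified audit log schema; the records and the baseline are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Operations that the article says attackers can hide behind: access and sync
# events are counted the same way as an ordinary FileDownloaded event.
COVERT_OPS = {"FileAccessed", "FileSyncDownloadedFull", "FileSyncDownloadedPartial"}
OVERT_OPS = {"FileDownloaded"}

def _ev(user, op, ip, minute):
    """Build one constructed audit record (subset of the real schema's fields)."""
    return {"UserId": user, "Operation": op, "ClientIP": ip,
            "CreationTime": datetime(2024, 4, 10, 12, minute)}

# Constructed sample data: alice pulls 25 files in 5 minutes via access events,
# bob syncs a few files from an address never seen for him, carol is normal.
SAMPLE_EVENTS = (
    [_ev("alice@example.com", "FileAccessed", "10.0.0.5", m // 5) for m in range(25)]
    + [_ev("bob@example.com", "FileSyncDownloadedFull", "203.0.113.9", m) for m in range(3)]
    + [_ev("carol@example.com", "FileDownloaded", "10.0.0.7", m) for m in range(2)]
)
# Constructed per-user baseline of previously seen client addresses.
KNOWN_IPS = {"alice@example.com": {"10.0.0.5"},
             "bob@example.com": {"10.0.0.6"},
             "carol@example.com": {"10.0.0.7"}}

def flag_exfil_candidates(events, known_ips, window=timedelta(minutes=10), threshold=20):
    """Return {user: set(reasons)} for users whose access/sync/download
    activity exceeds the volume threshold within the window or comes from
    a client address outside the user's baseline."""
    by_user = defaultdict(list)
    for e in events:
        if e["Operation"] in COVERT_OPS | OVERT_OPS:
            by_user[e["UserId"]].append(e)
    findings = defaultdict(set)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["CreationTime"])
        start = 0  # left edge of the sliding time window
        for end, e in enumerate(evs):
            while e["CreationTime"] - evs[start]["CreationTime"] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings[user].add("volume")
            if e["ClientIP"] not in known_ips.get(user, set()):
                findings[user].add("new_source_ip")
    return dict(findings)

if __name__ == "__main__":
    print(flag_exfil_candidates(SAMPLE_EVENTS, KNOWN_IPS))
```

In a real deployment the baseline would come from historical audit data and the threshold from the organization’s normal per-user rate, and device and geolocation fields would extend the same check.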

UPDATE (April 10, 2024, 12:40 p.m. ET):

Varonis updated its research to say that “on April 10, 2024, Microsoft closed out the ticket for the SharePoint method as ‘by design’ and believes that customers don’t need to take action. This functionality will remain in SharePoint deployments until further notice.”
