Contents:
Two methods that researchers have found might allow attackers to get around audit logs or produce less serious entries when they download data from SharePoint.
Due to the sensitivity of SharePoint data, a lot of businesses audit sensitive occurrences, such as data downloads, to set off alarms in security information and event management platforms (SIEMs), cloud access security solutions, and data loss prevention tools.
Two easy methods that users can employ to get around SharePoint’s audit logs or create less sensitive events by downloading data in a certain way or passing it off as data synchronization operations have been developed by security experts.
What Are the Exfiltration Methods?
The first method makes use of SharePoint’s “Open in App” functionality, which lets users open documents using programs other than the normal web browser, including Microsoft Word.
When this feature is used, SharePoint audit logs provide an “Access” event that administrators can choose to ignore rather than a “FileDownloaded” event.
Access Events Created from a Series of File Exfiltrations (Source)
A shell command containing the non-expiring URL from the file’s position on the cloud endpoint is created when a file is opened from a cloud location, and this command can be used by anybody to download the file without any limitations.
The researchers also point out that abusing “Open in App” may be done manually or automatically with the use of a customised PowerShell script, which could make it possible for someone to easily exfiltrate huge lists of data.
The second technique involves Microsoft SkyDriveSync, a service that synchronises files between a user’s local computer and SharePoint, by faking the User-Agent string of the file access requests.
By using this approach, the chances of security teams looking into file downloads made through the browser or Microsoft Graph API are decreased because they show up in the logs as data syncing events (“FileSyncDownloadedFull”).
The User-Agent string modification and subsequent file exfiltration in this instance can either be carried out manually or automatically by a PowerShell script.
Mitigating the Flaws
The bugs were disclosed in November 2023 and Microsoft added them to a patch backlog for future fixing.
The problems won’t be fixed right away, though, because they were classified as moderately serious. Consequently, until patches are released, SharePoint administrators need to be aware of these dangers and understand how to recognise and reduce them.
The security researchers recommend monitoring for high volumes of access activity within a short timeframe and the introduction of new devices from unusual locations, which could be signs of unauthorized data exfiltration.
It is also recommended that security teams examine sync events closely to look for irregularities in data volumes and frequency as well as odd activity patterns.
BleepingComputer reached out to Microsoft to learn more about their plans on addressing the SharePoint flaws, and the company through a spokesman had the following to say:
We’re aware of this report and our customers do not need to take action. We have confirmed that the product is performing as expected, by detecting a file accessed and reporting that through the audit log.
Security products and vendors should be using FileAccessed, FileDownloaded, plus two potential sync-related signals, FileSyncDownloadedFull and FileSyncDownloadedPartial audit events to monitor for file access.
Microsoft Spokesperson to BleepingComputer (Source)
If you liked this piece, follow us on LinkedIn, Twitter, Facebook, and YouTube for more cybersecurity news and topics.