Hackers Get Stealthier: New SharePoint Flaws Aid Undetected File Theft

Microsoft’s SharePoint, a widely used collaboration platform, has been discovered to have vulnerabilities that could allow attackers to steal files while circumventing detection.

Dodging Security Logs: The Techniques

Researchers at Varonis Labs have identified two concerning methods that leverage these flaws:

• Bypassing Audit Logs: By downloading files in a specific manner, attackers can bypass leaving a trace in the audit logs altogether. This eliminates a crucial red flag for security teams.
• Masquerading as Syncing: Alternatively, attackers can manipulate the “User-Agent” string associated with file access requests. This essentially disguises their activity as legitimate data synchronization performed by Microsoft SkyDriveSync, a common tool for syncing SharePoint files with local machines. This trick makes the downloads appear as routine syncing events (“FileSyncDownloadedFull”) in the logs, making them less likely to raise suspicion.

Both techniques, researchers note, can be executed manually or automated through PowerShell scripts, significantly increasing their efficiency.

Due to the sensitivity of SharePoint data, many companies audit sensitive events, like the downloading of data, to trigger alerts in cloud access security tools, data loss prevention tools, and security information and event management platforms (SIEMs).

Researchers at the Varonis Threat Labs have devised two simple techniques that enable users to bypass audit logs or generate fewer sensitive events by downloading data a certain way or disguising it as data syncing actions.

Silent data exfiltration

The first technique described in Varonis’ report takes advantage of SharePoint’s “Open in App” feature, which allows users to open documents with applications like Microsoft Word instead of using the web browser, which is the default option.

Utilizing this feature does not generate a “FileDownloaded” event in SharePoint’s audit logs but instead creates an “Access” event that administrators may ignore.

Opening the file from a cloud location creates a shell command with the non-expiring URL from the file’s location on the cloud endpoint, which someone can use to download the file without restrictions.

Varonis also notes that misuse of “Open in App” can be both manual and automated, using a custom PowerShell script that could enable someone to exfiltrate large lists of files quickly.

The second technique involves spoofing the User-Agent string of the file access requests to mimic Microsoft SkyDriveSync, a service used for file synchronization between SharePoint and a user’s local computer.

This trick makes the file downloads performed via the browser or Microsoft Graph API appear in the logs as data syncing events (“FileSyncDownloadedFull”), reducing the likelihood of scrutiny by security teams.

In this case, too, the alteration of the User-Agent string and subsequent file exfiltration can be done manually or via a PowerShell script to automate the process.

Patch on Hold, Awareness is Key

While Varonis responsibly disclosed these vulnerabilities to Microsoft in November 2023, the patches are not expected to be rolled out immediately due to a classification of “moderate severity.” This leaves a window of opportunity for attackers to exploit these flaws.

Here’s what SharePoint administrators can do to mitigate the risks:

• Stay Informed: Keeping up-to-date on the latest security threats is crucial.
• Monitor for Anomalies: Pay close attention to audit logs for signs of unusual activity, such as high volumes of file access within short timeframes or access attempts from unrecognized devices or locations.
• Consider Additional Security Measures: Implementing advanced security solutions that can detect suspicious behavior beyond basic log monitoring can provide an extra layer of protection.

By staying vigilant and implementing these mitigation strategies, SharePoint administrators can reduce the risk of falling victim to these data exfiltration techniques until permanent fixes become available.

---

You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it.