Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label SharePoint. Show all posts

Secrets of SharePoint Security: New Techniques to Evade Detection

 



According to a recent discovery by Varonis Threat Labs, two new techniques have emerged that pose a significant threat to data security within SharePoint, a widely used platform for file management. These techniques enable users to evade detection and retreat files without triggering alarm bells in audit logs.

Technique 1: Open in App Method

The first technique leverages SharePoint's "open in app" feature, allowing users to access and download files while leaving behind only access events in the file's audit log. This method, which can be executed manually or through automated scripts, enables rapid exfiltration of multiple files without raising suspicion.

Technique 2: SkyDriveSync User-Agent

The second technique exploits the User-Agent for Microsoft SkyDriveSync, disguising file downloads as sync events rather than standard downloads. By mislabeling events, threat actors can bypass detection tools and policies, making their activity harder to track.

Implications for Security

These techniques pose a significant challenge to traditional security tools such as cloud access security brokers and data loss prevention systems. By hiding downloads as less suspicious access and sync events, threat actors can circumvent detection measures and potentially exfiltrate sensitive data unnoticed.

Microsoft's Response

Despite Varonis disclosing these methods to Microsoft, the tech giant has designated them as a "moderate" security concern and has not taken immediate action to address them. As a result, these vulnerabilities remain in SharePoint deployments, leaving organisations vulnerable to exploitation.

Recommendations for Organisations

To alleviate the risk posed by these techniques, organisations are advised to closely monitor access events in their SharePoint and OneDrive audit logs. Varonis recommends leveraging User and Entity Behavior Analytics (UEBA) and AI features to detect and stop suspicious activities, such as mass file access.

What Are the Risks?

While SharePoint and OneDrive are essential tools for facilitating file access in organisations, misconfigured permissions and access controls can inadvertently expose sensitive data to unauthorised users. Threat actors often exploit these misconfigurations to exfiltrate data, posing a significant risk to organisations across various industries.

Detection and Prevention Strategies

To detect and prevent unauthorised data exfiltration, organisations should implement detection rules that consider behavioural patterns, including frequency and volume of sync activity, unusual device usage, and synchronisation of sensitive folders. By analysing these parameters, organisations can identify and mitigate potential threats before they escalate.




Sidestepping SharePoint Security: Two New Techniques to Evade Exfiltration Detection

Sidestepping SharePoint Security

Recently, Varonis Threat Labs uncovered two novel techniques that allow threat actors to sidestep SharePoint security controls, evading detection while exfiltrating files.

In this blog, we delve into these techniques and explore their implications for organizations relying on SharePoint for collaboration and document management.

The Techniques

1. Open in App Method

The first technique leverages the “open in app” feature in SharePoint. Here’s how it works:

Objective: Access and download files while leaving minimal traces in the audit log.

Execution:

  • Users manually open files in the SharePoint app, triggering an “access event” in the audit log.
  • Alternatively, threat actors can automate this process using a PowerShell script.

Advantages:

  • Rapid exfiltration of multiple files.
  • Hides the actual download event, making it less suspicious.

2. SkyDriveSync User-Agent

The second technique exploits the User-Agent associated with Microsoft SkyDriveSync. Here’s how it operates:

Objective: Download files (or entire sites) while mislabeling events as file syncs instead of downloads.

Execution:

  • Threat actors manipulate the User-Agent header to mimic SkyDriveSync behavior.
  • SharePoint logs these events as file syncs, which are less likely to raise suspicion.

Advantages:

  • Conceals exfiltration activity from audit logs.
  • Bypass detection mechanisms that focus on download events.

Implications and Mitigation

These techniques pose significant challenges for organizations relying on SharePoint for collaboration and data management. Here are some considerations:

1. Audit Log Monitoring: Organizations must enhance their audit log monitoring capabilities to detect anomalies related to access events and file syncs. Regular review of audit logs can help identify suspicious patterns.

2. User Training: Educate users about the risks associated with the “open in app” feature and the importance of adhering to security policies. Limit access to this feature where possible.

3. User-Agent Analysis: Security teams should closely analyze User-Agent headers to differentiate legitimate file syncs from potential exfiltration attempts. Anomalies in User-Agent strings may indicate malicious activity.

4. Behavioral Analytics: Implement behavioral analytics to identify abnormal user behavior. Unusual download patterns or frequent use of the “open in app” feature should trigger alerts.

5. Policy Enforcement: Consider adjusting security policies to account for these techniques. For example, enforce stricter controls on file sync events or limit access to certain SharePoint features.

Reminder for businesses

Security is a continuous journey, and staying informed is the first step toward effective risk mitigation.  By understanding these SharePoint evasion techniques, organizations can better protect their sensitive data and maintain the integrity of their collaboration platforms.

Phishing Attacks Can Now Dodge Microsoft 365's Multi-Factor Authentication


Of late a phishing attack was found to be stealing confidential user data that was stored on the cloud.
As per sources, this is the work of a new phishing campaign that dodges the Office 365 Multi-Factor Authentication (MFA) to acquire the target’s cloud-stored data and uses it as bait to extract a ransom in Bitcoin.

Per reports, researchers discovered that the campaign influences the “OAuth2 framework and OpenID Connect (OIDC) protocol”. It employs a malicious “SharePoint” link to fool the targets into giving permission to “rogue” applications.

MFAs are used as a plan B in cases where the users’ passwords have been discovered. This phishing attack is different because it tries to fool its targets into helping the mal-actors dodge the MFA by giving permissions.

This campaign is not just about gaining ransoms via exploiting the stolen data it is that and the additional threat of having sensitive and personal information at large for others to exploit as well. Extortion and blackmail are among the first things that the data could be misused for.

Sources mentioned that via obtaining basic emails and information from the target’s device, the attacker could easily design “hyper-realistic Reply-Chain phishing emails.”

The phishing campaign employs a commonplace invite for a SharePoint file, which happens to be providing information regarding a “salary bonus”, which is good enough for perfunctory readers to get trapped, mention reports.

The link when clicked on redirects the target to an authentic login page of Microsoft Office 365. But if looked on closely, the URL looks fishy and created without much attention to detail, thus say the security experts.

Reportedly, access to Office 365 is acquired by getting a token from the Microsoft Identity Platform and then through Microsoft Graph authorizations. OIDC is used to check on the user granting the access if authentication comes through then the OAuth2 grants access for the application. During the process, the credentials aren’t revealed to the application.

The URL contains “key parameters” that explain how targets could be tricked into granting permissions to rogue applications on their account. Key parameters signify the kind of access that is being demanded by the Microsoft Identity Platform. In the above-mentioned attack, the request included the ID token and authentication code, mentioned sources.

If the target signs in on the SharePoint link that was delivered via the email they’ll be providing the above-mentioned permissions. If the target doesn’t do so, it will be the job of the domain administrators to handle any dubious activities.

This phishing campaign is just an example of how these attack mechanisms have evolved over the years, to such an extent that they could now try to extort sensitive data out of people seemingly by tricking them into providing permissions without an inkling of an idea of what is actually up.