SharePoint security flaw helps criminals evade detection

Ransomware
Image credit: Shutterstock (Image credit: Shutterstock)

New research has uncovered two new techniques that allow hackers to exfiltrate files from Sharepoint without triggering download events.

A report from Varonis Threat Labs found the techniques used allow threat actors to avoid detection by hiding the download of exfiltrated files as more inconspicuous access and synchronization events.

By using this method, the threat actors can dodge the traditional cloud access security and data loss prevention tools that would otherwise detect the intrusion.

Two ways to escape

The first technique, described by Varonis as the ‘Open in App Method’, takes advantage of code used in the ‘open in app’ feature of Sharepoint, allowing the threat actor to access and download files via Sharepoint either through a Powershell script or manually, leaving just a single trace of evidence behind - the access event in the file’s audit log.

The second method, described as ‘SkyDriveSync User-Agent’, mislabeled file events as synchronisations rather than downloads by abusing the User-Agent for Microsoft SkyDriveSync, allowing the threat actor to hide almost completely from policy enforcement, audit logs, and detection.

Both methods allow threat actors to extract huge volumes of data very quickly, and while no patch has been made available for these vulnerabilities by Microsoft, Varonis Threat Labs recommends that access events be monitored closely across both SharePoint and OneDrive.

Microsoft recently released a vulnerability patch that addressed 149 security flaws, two of which were critical zero-day vulnerabilities.

More from TechRadar Pro

Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for close to 5 years, at first covering geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division). Benedict then continued his studies at a postgraduate level and achieved a distinction in MA Security, Intelligence and Diplomacy. Benedict transitioned his security interests towards cybersecurity upon joining TechRadar Pro as a Staff Writer, focusing on state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.