Apr 10 2024

New SharePoint Technique Lets Hackers Bypass Security Measures

Category: Hacking,Security controlsdisc7 @ 9:36 am

Two new techniques uncovered in SharePoint enable malicious actors to bypass traditional security measures and exfiltrate sensitive data without triggering standard detection mechanisms.

Illicit file downloads can be disguised as harmless activities, making it difficult for cybersecurity defenses to detect them. To accomplish this, the system’s features are manipulated in various ways.

Security researchers from Varonis Threat Labs discovered two SharePoint techniques.

Open-In-App Method

The first technique dubbed the “Open in App Method,” takes advantage of the SharePoint feature, which allows users to open documents directly in their associated applications.

While this feature is designed for user convenience, it has inadvertently created a loophole for data breaches.

Attackers can use this feature’s underlying code to access and download files, leaving behind only an access event in the file’s audit log.

This subtle footprint can easily be overlooked, as it does not resemble a typical download event.

The exploitation of this method can be carried out manually or automated through a PowerShell script.

When automated, the script can rapidly exfiltrate many files, significantly amplifying the potential damage.

The script leverages the SharePoint client object model (CSOM) to fetch files from the cloud and save them to a local computer, avoiding creating a download log entry.

SkyDriveSync User-Agent

The second technique involves the manipulation of the User-Agent string for Microsoft SkyDriveSync, now known as OneDrive, Varonis said.

By masquerading as the sync client, attackers can download files or even entire SharePoint sites.

These downloads are mislabeled as file synchronization events rather than actual downloads, thus slipping past security measures that are designed to detect and log file downloads.

This method is particularly insidious because it can be used to exfiltrate data on a massive scale, and the sync disguise makes it even harder for security tools to distinguish between legitimate and malicious activities.

The use of this technique suggests a sophisticated understanding of SharePoint and OneDrive’s synchronization mechanisms, which could be exploited to systematically drain data from an organization without raising alarms.

Microsoft’s Response And Security Patch Backlog

Upon discovery, Varonis researchers promptly reported these vulnerabilities to Microsoft in November 2023. Microsoft has acknowledged the issue and categorized these vulnerabilities as “moderate” security risks.

They have been added to Microsoft’s patch backlog program, indicating that a fix is in the pipeline but may not be immediately available.

The discovery of these techniques underscores the risks associated with SharePoint and OneDrive, especially when permissions are misconfigured or overly permissive.

Organizations relying on these services for file sharing and collaboration must be vigilant and proactive in managing access rights to minimize the risk of unauthorized data access.

To combat these vulnerabilities, organizations are advised to implement additional detection strategies.

Monitoring for unusual patterns of access events, especially those that could indicate the use of the “Open in App Method,” is crucial.

Similarly, keeping an eye on sync activities and verifying that they match expected user behavior can help identify misuse of the SkyDriveSync User-Agent technique.

Furthermore, organizations should prioritize the review and tightening of permissions across their SharePoint and OneDrive environments.

Regular audits and updates to security policies can help prevent threat actors from exploiting such vulnerabilities in the first place.

Permissions Management in SharePoint Online – A Practical Guide

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: SharePoint

Dec 13 2023

Which cybersecurity controls are organizations struggling with?

Category: cyber security,Security controlsdisc7 @ 7:58 am

How well are organizations implementing cybersecurity controls within the Minimum Viable Secure Product (MVSP) framework? A recent examination conducted by Bitsight and Google indicates a mix of positive and negative outcomes, highlighting areas where enhancement is needed.

What is MVSP?

Minimum Viable Secure Product (MVSP) is a baseline security checklist for B2B software and business process outsourcing suppliers, consisting of 25 controls across four key areas – Business, Application Design, Application Implementation, and Operational.

For the “Cybersecurity Control Insights: An Analysis of Organizational Performance” study, Bitsight and Google collaborated to create a methodology to measure organizational cybersecurity performance using Bitsight analytics across the MVSP framework.

The study analyzed the cybersecurity performance of nearly 100,000 organizations around the world across nine industries. Bitsight mapped its risk vectors to 16 of the MVSP controls and reported performance in 2023 and over time (most recently March 2023). Google validated the statistical approach employed in this analysis.

Are organizations meeting cybersecurity performance standards?

The study found that while every industry in 2023 has a high Pass rate for 10 of the 16 MVSP controls studied, many organizations are still failing on controls critical to protecting themselves against cyber incidents.

The findings indicate that organizations across all industries have several areas in which they must improve their vulnerability management program to reduce exposure to potential breaches.

Notably, 2023 Computer Software industry Fail rates for Dependency Patching and Time to Fix Vulnerabilities — which map to Bitsight analytics correlating to the likelihood of a breach — did not improve from 2020 rates as much as the macro average, leaving other industries vulnerable to third-party risk given their reliance on computer software.

But, organizations did have near-100% Pass rates for the following areas:

  • Data handling
  • Incident handling
  • Logging
  • Logical access

They also had high Pass rates for Customer training (contributing to a safer third-party digital ecosystem) and Training (organizations are taking training efforts seriously as human error can have serious consequences).

Organizations across all industries are struggling with controls critical to the health of an organization’s vulnerability management program, Bitsight found.

Eight MVSP controls that are important for vulnerability management – External Testing, Self-assessment, Vulnerability Prevention, Encryption, HTTPS-only, Security Headers, Dependency Patching, Time to Fix Vulnerabilities – have either high 2023 Fail rates, low Pass rates, or both, across all industries.

Finally, there has been a decline in use of security headers, including in the computer software industry.

“We expected CS to outperform in most respects but that is not what we observed. CS’s stagnation — and at times underperformance — may be attributed to many factors, including workforce challenges, rising asset inventories, lacking cybersecurity tools, and more,” the analysts noted.

Keeping up with threats

Business leaders around the world need to understand where their companies’ vulnerabilities lie and how they match up with others to better manage increasingly complex cyber risks and stakeholder demands. By understanding the pass and fail rates of MVSP controls organizations will be better armed with the knowledge to benchmark their security performance and improve their cybersecurity strategies to mitigate and reduce vulnerability.

“It is more important than ever for business leaders to be fully aware of the organization’s application security risk, and how they are performing compared to their peers,” said Chris John Riley, Staff Security Engineer, Google.

“If organizations want to build and maintain a mature security posture in today’s turbulent and fast moving environment, they need leaders that prioritize security management and a culture of constant improvement. Using frameworks like the MVSP, organizations can take the initial necessary steps to develop a strong security culture within their organizations.”

Security Controls Evaluation, Testing, and Assessment Handbook

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: cybersecurity controls

Sep 10 2023

Security Controls and Vulnerability Management

IS27002 Control:-Vulnerability Management
Why penetration test is important for an organization.
Ensuring the protection of user data in real-time, effectively prioritizing risk, fostering security awareness, devising strategies to identify vulnerabilities, and implementing an incident response protocol aligned with vulnerability management. Following compliance protocols becomes crucial in order to abide by and fulfil regulatory standards.
#informationsecurity #cyberdefense #cybersecurity
Cheat sheet for pentester
Image credit:-https://lnkd.in/eb2HRA3n

Linux Cheat Sheet

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: vulnerability management

Jun 23 2022

How Is Hospital Critical Infrastructure Protected?

Hospitals hold a lot of sensitive data. When they are hacked, patient information is exposed, putting patients at risk because the hackers can use stolen personal information in several identity theft schemes. The Department of Health and Human Services (HHS) has been working hard to protect hospitals from cyberattacks, but the fact is that while they do the best they can, there will always be breaches and more work to be done. The government is trying everything to ensure that hospitals are protected and that patients are aware of any breaches as quickly as possible when they do occur.

Table of Contents

  1. Hospitals as an important part of the critical infrastructure
  2. Hospitals need special protection to keep patients safe.
  3. Some Of the Specific Things That Can Be Done to Protect Hospitals Against Cyberattacks
  4. There are various practices and systems in place to protect critical infrastructure and hospitals.
  5. Is there anything hospital patients can do to reduce their risk?
  6. Conclusion


Critical Infrastructure Risk Assessment: The Definitive Threat Identification and Threat Reduction Handbook

DISC InfoSec

#InfoSecTools and #InfoSectraining



Tags: Hospital Critical Infrastructure

May 17 2022

Weak Security Controls and Practices

Category: Security controlsDISC @ 9:46 pm

Guide to Understanding Security Controls NIST SP-800 Rev 5

Security Controls Evaluation, Testing, and Assessment Handbook

👇 Please Follow our LI page…

DISC InfoSec

#InfoSecTools and #InfoSectraining



Tags: Weak Security Controls