Varonis Threat Labs has identified vulnerabilities in SharePoint that let malicious actors bypass audit logging, potentially enabling data exfiltration without alerting security teams. Although Varonis reported the issues to Microsoft in November, Microsoft classified them as a moderate-severity issue and queued them for a future patch without specifying a timeline for a fix.
Technical Insights on the Exploits
The vulnerabilities hinge on two methods that cause SharePoint's logging system to record file downloads as either file access or file sync events. The first uses a PowerShell script together with SharePoint's client object model to download files; this generates an access event rather than a download event, so unauthorized bulk downloads are hard to spot. The second abuses OneDrive synchronization with SharePoint: by altering the User-Agent, downloads can be made to appear as sync events, evading detection rules that key on download events.
The Register reports that Microsoft has responded by stating that SharePoint is operating as designed and that file access is captured in its audit logs. The company advises security vendors to monitor the FileAccessed, FileDownloaded, FileSyncDownloadedFull, and FileSyncDownloadedPartial audit events to get complete coverage of file access.
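The detection logic Microsoft's advice implies, as an added example that is not Varonis's or Microsoft's code: it runs over constructed Unified Audit Log style records, counts all four named operations together per user so a bulk pull that surfaces only as FileAccessed or sync events still trips a volume threshold, and separately flags sync events whose User-Agent is not an expected sync client (the allowlist prefix and the field names are assumptions to be checked against your own tenant's records).

```python
"""Added example (not Varonis's or Microsoft's code) over constructed SharePoint audit records.
Counts all four access operations Microsoft names together per user, so a bulk pull logged only
as FileAccessed or sync events still trips the volume alert; also flags unexpected sync User-Agents."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

ACCESS_OPS = {"FileAccessed", "FileDownloaded", "FileSyncDownloadedFull", "FileSyncDownloadedPartial"}
SYNC_OPS = {"FileSyncDownloadedFull", "FileSyncDownloadedPartial"}
EXPECTED_SYNC_UA_PREFIXES = ("Microsoft SkyDriveSync",)  # assumption: placeholder; baseline it from your tenant
WINDOW = timedelta(minutes=10)  # sliding window for the volume check
MAX_FILES_PER_WINDOW = 50       # distinct files per user per window before alerting


def _rec(op, user, ts, obj, ua):  # hypothetical helper that shapes one constructed record
    return {"Operation": op, "UserId": user, "CreationTime": ts, "ObjectId": obj, "UserAgent": ua}

# Constructed sample records; field names follow the Unified Audit Log SharePoint schema (assumed).
SAMPLE_RECORDS = (
    [_rec("FileAccessed", "alice@contoso.com", f"2024-03-01T09:0{i}:00", f"/sites/hr/doc{i}.docx", "Mozilla/5.0") for i in range(3)]
    + [_rec("FileAccessed", "bob@contoso.com", f"2024-03-01T10:00:{i:02d}", f"/sites/fin/q{i}.xlsx", "Mozilla/5.0") for i in range(60)]
    + [_rec("FileSyncDownloadedFull", "carol@contoso.com", "2024-03-01T11:00:00", "/sites/legal/contract.pdf", "python-requests/2.31")]
    + [_rec("FileSyncDownloadedFull", "dave@contoso.com", "2024-03-01T11:05:00", "/sites/legal/notes.txt", "Microsoft SkyDriveSync 24.000.0000.0001 ship; Windows NT 10.0")]
)


def detect_bulk_access(records, window=WINDOW, max_files=MAX_FILES_PER_WINDOW):
    """Users who touched more than max_files distinct files within any window, counting all ACCESS_OPS."""
    by_user = defaultdict(list)
    for r in records:
        if r["Operation"] in ACCESS_OPS:
            by_user[r["UserId"]].append((datetime.fromisoformat(r["CreationTime"]), r["ObjectId"]))
    flagged = set()
    for user, events in by_user.items():
        events.sort()
        in_window, start = Counter(), 0
        for t, obj in events:
            in_window[obj] += 1
            while t - events[start][0] > window:  # drop events that fell out of the window
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > max_files:
                flagged.add(user)
                break
    return flagged


def detect_unexpected_sync_agents(records, prefixes=EXPECTED_SYNC_UA_PREFIXES):
    """Sync-download events whose User-Agent does not start with an expected sync-client prefix."""
    return [(r["UserId"], r["ObjectId"], r["UserAgent"]) for r in records
            if r["Operation"] in SYNC_OPS and not r["UserAgent"].startswith(prefixes)]
```

A spoofed User-Agent defeats only the second check, which is why the volume check counts sync events alongside FileAccessed rather than trusting the operation name.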
Recommendations and Security Measures
Because these exploits depend on improperly configured SharePoint permissions, a common problem in Microsoft environments, Varonis emphasizes the importance of regular permission reviews. Companies should examine their environments for unusual access patterns or abnormal audit log activity that may indicate unauthorized access. While Microsoft has yet to address these vulnerabilities directly, understanding and monitoring the indicators of exploitation can help mitigate the risk posed by these audit log bypass methods.
Varonis's research also highlights the broader problem of data exposure in cloud environments, noting that a significant share of company data is often inadvertently accessible to all employees. That level of exposure, combined with the newly discovered bypass methods, underscores the need for strict permission settings and vigilant monitoring of SharePoint environments to guard against data breaches.