Data Exfiltration Techniques in SharePoint

Apr 12 2024


Welcome to Gone Phishing, your daily cybersecurity newsletter that's got that Friday feeling 🎉🎉🎉

It’s Friday, folks, which can only mean one thing… It’s time for our weekly segment!

It goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it.

Congrats, the cybercriminals are no match… for your patch! 🩹🩹🩹

There’s a patch at the Gates 🤓👀😂

🛡️ Microsoft Rolls Out Record-Breaking Security Updates for April 2024! 🚀

This month sees a whopping 149 flaws addressed, with 2 actively exploited vulnerabilities detected in the wild! 😱 Among these are CVE-2024-26234 (Proxy Driver Spoofing) and CVE-2024-29988 (SmartScreen Bypass). 🕵️‍♂️

While Sophos uncovered a sneaky backdoor, Microsoft flags 26 Secure Boot flaws! 🚨 Additionally, there's a concerning CVE-2024-29990 (Azure Kubernetes Service) with a CVSS score of 9.0! 💻

Stay vigilant as other vendors also release patches to address vulnerabilities. Check out who else made the list! 🛠️

Now, on to today’s hottest cybersecurity news stories:

  • 🧪 Varonis Threat Labs exposes two new techniques to trick SharePoint 👨‍💻

  • 🎣 Revisiting RUBYCARP: a closer look at the recently resurfaced malware 👾

  • 🏥 Hackers are targeting the IT help desks of hospitals, says US Health Dept 🏛️

Geez, whose side are you guys on? 😬

🚨 Unveiling Stealthy Data Exfiltration Techniques in SharePoint 🛡️

Varonis Threat Labs uncovers two sophisticated techniques within SharePoint enabling users to bypass audit logs and evade detection while exfiltrating sensitive data. These methods pose significant risks to organisations, as they can circumvent traditional security measures, including cloud access security brokers, data loss prevention systems, and SIEMs.

Technique #1: Open in App Method

Exploiting SharePoint's "Open in App" feature, threat actors can access and download files without triggering download events, leaving behind only access logs. Whether executed manually or through PowerShell scripts, this method facilitates rapid and stealthy data exfiltration. 📂💻

Technique #2: SkyDriveSync User-Agent

By leveraging the Microsoft SkyDriveSync User-Agent, attackers obscure file downloads as sync events, concealing their malicious activities from audit logs and detection systems. 🕵️‍♂️🔒

Disclosure and Response

Despite Varonis researchers disclosing these vulnerabilities to Microsoft in November 2023, they remain unaddressed, designated as 'by design.' Consequently, organisations are left vulnerable to exploitation unless proactive measures are taken.

Recommendations for Organizations

Varonis urges organisations to meticulously scrutinise access events across SharePoint and OneDrive audit logs for signs of suspicious activity, including unusual access patterns, volume spikes, or anomalous device usage. Leveraging Varonis' UEBA and AI capabilities can aid in detecting and thwarting such nefarious activities. 🕵️‍♀️🔍
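Added example, not code from the Varonis report or this newsletter: a small Python detector that applies the recommendation above to a constructed batch of SharePoint audit records, flagging a user whose burst of FileAccessed events has no matching FileDownloaded event (the Open in App pattern) and a user whose bulk sync downloads carry a SkyDriveSync user agent from an IP that has never synced before (the SkyDriveSync pattern). Field and operation names follow the Microsoft 365 unified audit log; the thresholds, the per-user IP baseline and the records themselves are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Thresholds for one review window; tune to the tenant's normal activity.
ACCESS_BURST = 20   # FileAccessed events by one user with no FileDownloaded
SYNC_BURST = 50     # FileSyncDownloadedFull events by one user

def ev(user, op, user_agent, ip, i):
    """One constructed audit record using unified-audit-log field names."""
    return {"UserId": user, "Operation": op, "UserAgent": user_agent,
            "ClientIP": ip, "ObjectId": f"https://contoso.example/docs/f{i}.docx"}

def build_sample_events():
    """Constructed log sample: one benign user and one user per technique."""
    events = [ev("alice@example.com", "FileAccessed", "Mozilla/5.0", "10.0.0.5", i)
              for i in range(5)]
    events.append(ev("alice@example.com", "FileDownloaded", "Mozilla/5.0", "10.0.0.5", 0))
    # Open in App pattern: a burst of accesses and no download events at all.
    events += [ev("bob@example.com", "FileAccessed", "Mozilla/5.0", "10.0.0.9", i)
               for i in range(40)]
    # SkyDriveSync pattern: bulk "sync" downloads from an IP that has never synced.
    events += [ev("carol@example.com", "FileSyncDownloadedFull",
                  "Microsoft SkyDriveSync 24.0 (constructed)", "203.0.113.7", i)
               for i in range(60)]
    return events

# Per-user baseline of IPs their OneDrive client has synced from (constructed;
# in practice derived from historical logs).
KNOWN_SYNC_IPS = {"carol@example.com": {"10.0.0.12"}}

def detect(events, known_sync_ips=KNOWN_SYNC_IPS):
    """Return alerts for the two exfiltration patterns described above."""
    ops = defaultdict(Counter)      # user -> Operation -> count
    sync_ips = defaultdict(set)     # user -> IPs seen with a SkyDriveSync agent
    for e in events:
        ops[e["UserId"]][e["Operation"]] += 1
        if e["Operation"] == "FileSyncDownloadedFull" and "SkyDriveSync" in e["UserAgent"]:
            sync_ips[e["UserId"]].add(e["ClientIP"])
    alerts = []
    for user, counts in ops.items():
        if counts["FileAccessed"] >= ACCESS_BURST and counts["FileDownloaded"] == 0:
            alerts.append({"user": user, "rule": "open_in_app_pattern"})
        new_ips = sorted(sync_ips[user] - known_sync_ips.get(user, set()))
        if counts["FileSyncDownloadedFull"] >= SYNC_BURST or new_ips:
            alerts.append({"user": user, "rule": "skydrivesync_pattern", "new_ips": new_ips})
    return alerts

if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```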

As cyber threats evolve, it is imperative for organisations to stay ahead of adversaries by implementing robust security measures and remaining vigilant against emerging tactics. Varonis stands ready to fortify your defences and safeguard your valuable assets against the ever-changing landscape of cyber threats. 🛡️🔒

Something smells fishy 👀

🚨 Revealing the Decade-Long Exploits of RUBYCARP 🔍

A recent research study has illuminated the extensive activities of the Romanian cyber threat group RUBYCARP, shedding light on their decade-long operation involving cryptocurrency mining and phishing techniques. 🕵️‍♂️💻

Key Findings

The study, published by Sysdig, unveils RUBYCARP's utilisation of a sophisticated script capable of deploying multiple cryptocurrency miners simultaneously. By executing these miners concurrently, the group minimises attack duration and detection risks, primarily targeting XMRig/Monero miners. 🔗💰

Phishing Operations

In addition to cryptocurrency mining, RUBYCARP conducts phishing operations to pilfer valuable financial assets, including credit card numbers. The study uncovers a phishing template impersonating the logistics company Bring, targeting Danish users. Compromised email accounts linked to these attacks utilise a PHP script named "" for phishing email dissemination. 🎣💳

Tools and Techniques

Further analysis reveals RUBYCARP's arsenal of cyber weapons, including specific commands within shell bot code for phishing email transmission. The study also uncovers evidence of potential phishing landing pages targeting European entities, such as Swish Bank and Nets Bank. 💼🛡️

Involvement in Cyber Weapons Development

RUBYCARP's involvement in the development and sale of cyber weapons is highlighted, indicating a rare combination of offensive cyber capabilities. The group's communication methods, predominantly through IRC, remain consistent over the years, with a community dynamic involving mentoring newcomers to the cyber threat scene. 💬💼

Security Recommendations

Sysdig emphasises the importance of diligent vulnerability management, robust security posture, and runtime threat detection in defending against RUBYCARP. The group's multifaceted approach and breadth of capabilities necessitate proactive security measures to mitigate risks effectively. 🚨🔒

As RUBYCARP continues to evolve its tactics and expand its cyber arsenal, organisations must remain vigilant and proactive in safeguarding their assets against emerging threats. Sysdig's research underscores the critical need for comprehensive cybersecurity strategies to counter the ever-evolving landscape of cyber threats. 🌐🛡️

🎣 Catch of the Day!! 🌊🐟🦞

Learn AI in 5 minutes a day. We'll teach you how to save time and earn more with AI. Join 400,000+ free daily readers for trending tools, productivity boosting prompts, the latest news, and more.

Have you tried turning it off and on again? 💀

🚨 Health Sector Under Siege: Cyber Threats Target IT Help Desks 🖥️

The U.S. Department of Health and Human Services (HHS) has issued a stark warning, revealing that hackers are employing sophisticated social engineering tactics to infiltrate IT help desks within the Healthcare and Public Health (HPH) sector. 🛑💻

Alert from HC3

According to the Health Sector Cybersecurity Coordination Center (HC3), attackers are leveraging social engineering ploys to manipulate IT helpdesk personnel and gain unauthorised access to organisations' systems. By posing as employees from the financial department and providing stolen ID verification details, including corporate ID and social security numbers, these threat actors deceive help desk staff into enrolling their own multi-factor authentication (MFA) devices. 🎭🔒

The Modus Operandi

Once armed with control over MFA devices, attackers exploit their newfound access to redirect bank transactions in business email compromise attacks. The threat actor's specific focus lies on gaining access to payer websites, submitting forms to alter ACH payments, and rerouting legitimate transactions to attacker-controlled accounts. 😈💳

AI Voice Cloning Tactics

To further complicate matters, attackers may employ AI voice cloning tools to mimic trusted voices, making remote identity verification more challenging. This increasingly popular tactic adds another layer of complexity to the already intricate landscape of cyber threats. 🤖🔊

Parallels with Scattered Spider

The tactics employed bear a striking resemblance to those attributed to the notorious Scattered Spider threat group, known for employing phishing, MFA bombing, and SIM swapping techniques. This cybercrime syndicate has targeted numerous high-profile organisations, including MGM Resorts and tech giants like Microsoft and Twitter. 🕷️💼

Defense Strategies

To combat these threats, organisations in the health sector are urged to implement rigorous verification processes, including callbacks for password resets and MFA device requests, monitoring for suspicious ACH changes, and conducting in-person validations for sensitive matters. Training help desk staff to recognize and report social engineering techniques is also crucial in fortifying defences against evolving cyber threats. 🛡️🔍

As the healthcare industry grapples with escalating cyber risks, proactive measures and heightened vigilance are imperative to safeguarding sensitive data and preserving organisational integrity. 💪🏥

πŸ—žοΈ Extra, Extra! Read all about it! πŸ—žοΈ

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • πŸ›‘οΈ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday πŸ“…

  • πŸ’΅Β Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for πŸ†“

  • πŸ“ˆΒ Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future πŸ‘Ύ

Let us know what you think.

So long and thanks for reading all the phish!
