According to a recent discovery by Varonis Threat Labs, two new techniques have emerged that pose a significant threat to data security within SharePoint, a widely used platform for file management. These techniques enable users to evade detection and retreat files without triggering alarm bells in audit logs.
Technique 1: Open in App Method
The first technique leverages SharePoint's "open in app" feature, allowing users to access and download files while leaving behind only access events in the file's audit log. This method, which can be executed manually or through automated scripts, enables rapid exfiltration of multiple files without raising suspicion.
Technique 2: SkyDriveSync User-Agent
The second technique exploits the User-Agent for Microsoft SkyDriveSync, disguising file downloads as sync events rather than standard downloads. By mislabeling events, threat actors can bypass detection tools and policies, making their activity harder to track.
Implications for Security
These techniques pose a significant challenge to traditional security tools such as cloud access security brokers and data loss prevention systems. By hiding downloads as less suspicious access and sync events, threat actors can circumvent detection measures and potentially exfiltrate sensitive data unnoticed.
Microsoft's Response
Despite Varonis disclosing these methods to Microsoft, the tech giant has designated them as a "moderate" security concern and has not taken immediate action to address them. As a result, these vulnerabilities remain in SharePoint deployments, leaving organisations vulnerable to exploitation.
Recommendations for Organisations
To alleviate the risk posed by these techniques, organisations are advised to closely monitor access events in their SharePoint and OneDrive audit logs. Varonis recommends leveraging User and Entity Behavior Analytics (UEBA) and AI features to detect and stop suspicious activities, such as mass file access.
What Are the Risks?
While SharePoint and OneDrive are essential tools for facilitating file access in organisations, misconfigured permissions and access controls can inadvertently expose sensitive data to unauthorised users. Threat actors often exploit these misconfigurations to exfiltrate data, posing a significant risk to organisations across various industries.
Detection and Prevention Strategies
To detect and prevent unauthorised data exfiltration, organisations should implement detection rules that consider behavioural patterns, including frequency and volume of sync activity, unusual device usage, and synchronisation of sensitive folders. By analysing these parameters, organisations can identify and mitigate potential threats before they escalate.
In a recent set of events, reports have surfaced of a significant cyberattack on Microsoft, allegedly orchestrated by Russian hackers. This breach, attributed to a group known as Midnight Blizzard or Nobelium, has raised serious concerns among cybersecurity experts and the public alike.
The attack targeted Microsoft's source code repositories, exposing sensitive company information and communications with partners across various sectors, including government, defence, and business. While Microsoft assures that no customer-facing systems were compromised, the breach has far-reaching implications for national and international security.
Cybersecurity experts warn of the potential for increased zero-day vulnerabilities, which are undiscovered security flaws that can be exploited by hackers. Access to source code provides attackers with a "master key" to infiltrate systems, posing a significant threat to organisations and users worldwide.
The severity of the breach has prompted strong reactions from industry professionals. Ariel Parnes, COO of Mitiga, describes the incident as "severe," emphasising the critical importance of source code security in the digital age. Shawn Waldman, CEO of Secure Cyber Defense, condemns the attack as a "worst-case scenario," highlighting the broader implications for national security.
The compromised data includes emails of senior leadership, confidential communications with partners, and cryptographic secrets such as passwords and authentication keys. Larry Whiteside Jr., a cybersecurity expert, warns of potential compliance complications for Microsoft users and partners, as regulators scrutinise the breach's impact on data protection laws.
As the fallout from the breach unfolds, there are growing concerns about the emergence of zero-day vulnerabilities and the need for proactive defence measures. Experts stress the importance of threat hunting and incident response planning to mitigate the risks posed by sophisticated cyber threats.
The incident underscores the ongoing battle in the global cyber warfare landscape, where even tech giants like Microsoft are not immune to attacks. With cybercriminals increasingly targeting supply chains, the need for enhanced security measures has never been more urgent.
The breach of Microsoft's systems serves as a wake-up call for individuals and organisations alike. It highlights the ever-present threat of cyberattacks in an increasingly interconnected world and underscores the need for enhanced cybersecurity measures. By staying vigilant and proactive, establishments can mitigate the risks posed by cyber threats and protect their digital assets from exploitation.
As the field of cybersecurity keeps changing and developing, stakeholders must work together to address the underlying threats and ensure the protection of critical infrastructure and data. This recent breach of Microsoft's security by Russian hackers has raised serious concerns about the vulnerability of digital systems and the need for robust cybersecurity measures.
Among other things, the guidelines mandate that a "material" cybersecurity event be reported to the SEC within four days of its classification as such. The SEC states that they were meant to give investors timely and “decision-useful” cybersecurity information; nevertheless, experts point out that several of the early disclosures only included rudimentary breach details, raising significant concerns that remain unaddressed.
According to Scott Kimpel, a partner at Hunton Andrews Kurth, "Some of these disclosures, I think, are question-begging." "They just provide us with superficial, newsworthy details about the occurrence.
Companies must assess an incident's materiality "without unreasonable delay following discovery and, if the incident is determined material, file an Item 1.05 Form 8-K generally within four business days of such determination," according to SEC regulations.
The incident's "material impact or reasonably likely material impact," as well as its material features of nature, scope, and chronology, must all be disclosed.
"Norms have not yet been established because we're early in the process," stated Richard Marcus, head of information security at cloud-based risk management startup AuditBoard. Therefore, Companies ask themselves, "How much can I get away with here? What exactly are my stockholders hoping to get? I believe that businesses are benchmarking against each other quite a bit."
Without mentioning any particular businesses, Kimpel claimed that some have submitted puzzling incident disclosures, in which they discuss a breach that hasn't yet had a major impact on their business operations and might or might not ultimately have a material impact on their financial situation.
According to Kimpel, one argument is that these businesses might be disclosing a breach that they considered significant from a "qualitative" as opposed to a "quantitative" standpoint. Financial injury is one type of qualitative material impact, he said, while reputational harm and the possibility of future legal or regulatory problems are among the "almost endless list of possibilities" that make up quantitative material consequences.
Except for smaller reporting companies, all covered firms had to abide by the revised breach disclosure requirements as of December 18. As of June 5, smaller reporting organizations will have to comply with them.
Microsoft revealed in an Item 1.05 Form 8-K filing in January that a "nation-state associated threat actor" had obtained access to and exfiltrated data from a "very small percentage" of employee email accounts, comprising staff members in the company's legal, cybersecurity, and senior leadership teams, among other departments.
Among the businesses that have used similar language in breach disclosures submitted to the SEC following the new cybersecurity regulations are HP Enterprise and Prudential Financial.
As the Wall Street Journal reported in January, Microsoft notified the SEC of the breach even though, at the time of its regulatory filing, the company's investigation had not revealed any consequences that would have exceeded the agency's material damage criteria. The corporation stated, "But because the law is so new, we wanted to make sure we honor the spirit of the law," as stated in the Journal article.
According to Kimpel, SEC filings may create investor confusion when businesses disclose breaches that don't seem to be as serious as they claim, sometimes without explaining their actions.
In a move to enhance user experience, Microsoft has predicated its PC Cleaner app, now conveniently available on the Microsoft Store for both Windows 10 and Windows 11 users. Similar to popular third-party tools like CCleaner, this application aims to declutter system folders, potentially boosting your computer's performance.
Developed and tested since 2022 under the name PC Manager, originally intended for the Chinese market, the app is now accessible in more regions, including the United States. While it might not be visible on all Windows 11 devices just yet, an official Microsoft PC Cleaner page assures users that it is on its way.
The PC Cleaner offers various features through a new floating toolbar. Users can expect tools like PC Boost, focusing on eliminating unnecessary processes and temporary files. The Smart Boost option efficiently handles spikes in RAM usage and large temporary files exceeding 1 GB. Another feature, Deep Cleanup, targets older Windows update files, recycle bin items, web cache, and application caches, giving users the flexibility to choose what to keep or remove.
The Process tool provides a comprehensive view of all running processes, allowing users to end any process within PC Cleaner without the need for Task Manager. The Startup feature empowers users to manage applications launching at startup, optimising system boot times. Large Files tool deftly locates sizable files on any drive, streamlining the process compared to manual searches through File Explorer.
Additional tools include Taskbar Repair to revert it to its original state and Restore Default Apps, which restores default app preferences. Notably, Microsoft seems to use the latter feature to encourage users to explore Microsoft apps, such as Edge.
Microsoft has been critical of third-party system cleaner apps in the past, expressing concerns about potential harm to crucial system files. Despite labelling apps like CCleaner as potentially unwanted programs (PUPs), they are still available for download from the Microsoft Store. However, with PC Cleaner, Microsoft assures users that the application, designed in-house, won't delete necessary system files, presenting a safer alternative to third-party options.
Offering a host of useful tools for free, PC Cleaner aligns with Microsoft's commitment to providing quality applications for Windows users. The app, matching your Windows theme, is set to be a secure and reliable choice straight from the Microsoft Store. While third-party apps like CCleaner have faced security concerns in the past, PC Cleaner's direct association with Microsoft provides users with a trustworthy solution. The app is free to use, and an official Microsoft page for PC Cleaner suggests a direct download link will be available soon for those who can't find it on the Microsoft Store yet.
To simplify this, Microsoft's introduction of PC Cleaner signifies a positive step toward providing users with a reliable, in-house solution for system optimisation. With its user-friendly features and assurance of not deleting crucial system files, PC Cleaner aims to facilitate the ins and outs of PC performance for Windows users.
The attack was first detected on January 12th, and Microsoft in its initial investigation attributed the attack to the Russian threat actors, known famously as Nobelium or APT-29.
Microsoft informs that the threat actors launched the attacks in November 2023, in which they carried out a password spray attack in order to access a legacy non-production test tenant account.
A password spray attack is a type of brute force attack where threat actors collect a list of potential login names and then attempt to log in to all of them using a particular password. If that password fails, they repeat this process with other passwords until they run out or successfully breach the account.
Since the hackers were able to access accounts using a brute force attack, it is clear that it lacked two-factor authentication or multi-factor authentication.
Microsoft claims that after taking control of the "test" account, the Nobelium hackers utilized it to access a "small percentage" of the company's email accounts for more than a month.
It is still unclear why a non-production test account would have the ability to access other accounts in Microsoft's corporate email system unless the threat actors utilized this test account to infiltrate networks and move to accounts with higher permissions.
Apparently, these breached accounts include members of Microsoft’s leadership team and employees assigned to the cybersecurity and legal departments, targeted by hackers to steal emails and attachments.
"The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself," the Microsoft Security Response Center shared in a report on the incident.
"We are in the process of notifying employees whose email was accessed."
Microsoft reaffirms that the incident was caused by the brute force password attack, rather than a vulnerability in their product services.
However, it seems that Microsoft’s poorly managed security configuration played a major role in the success of the breach.
While this investigation is underway, Microsoft stated that they will release more information when it is appropriate.
The boom in AI technology has raised concerns over its potential to replace millions of jobs across the world. This week, the International Monetary Fund (IMF) reported that around 40% of all jobs will be impacted by the growing AI.
While Gates does not disagree with the stats, he believes, and history has it, that with every new technology comes fear and then new opportunities.
“As we had [with] agricultural productivity in 1900, people were like ‘Hey, what are people going to do?’ In fact, a lot of new things, a lot of new job categories were created and we’re way better off than when everybody was doing farm work,” Gates said. “This will be like that.”
AI, according to Gates, will make everyone's life easier. He specifically mentioned helping doctors with their paperwork, saying that it is "part of the job they don't like, we can make that very efficient," in a Tuesday interview with CNN's Fareed Zakaria.
He adds that since there is not a need for “much new hardware,” accessing AI will be over “the phone or the PC you already have connected over the internet connection you already have.”
Gates believes that improvements with OpenAI’s ChatGPT-4 were “dramatic since the AI bot can essentially “read and write,” this way it is “almost like having a white-collar worker to be a tutor, to give health advice, to help write code, to help with technical support calls.”
He notes that incorporating new technology into sectors like education and medicine will be “fantastic.”
Microsoft and OpenAI have a multibillion-dollar collaboration. Gates remains one of Microsoft's biggest shareholders.
In his interview with Zakaria at Davos for the World Economic Forum, Bill Gates noted that the objective of Gates Foundation is “to make sure that the delay between benefitting people in poor countries versus getting to rich countries will make that very short[…]After all, the shortages of doctors and teachers is way more acute in Africa then it is in the West.”
However, the IMF had a more pessimistic view in this regard. The group believes that AI has the potential to ‘deepen inequality’ with any politician’s interference.