Hackers can hijack Microsoft’s automation tool to spread malware

According to Michael Bargury, co-founder and CTO of security firm Zenity, who is behind the work, the attack uses the automation tool as it was designed, however, instead of sending legitimate actions, it can be used to deploy malware.

"My research showed that you can very easily, as an attacker, take advantage of all of this infrastructure to do exactly what it is supposed to do.

"You [then] use it to run your own payloads instead of the enterprise payloads," Bargury said.

The researcher documented his work at the DefCon hacker conference last month and has since released the code.

The attack is based on Microsoft's Power Automate, an automation tool that was built into Windows 11.

Power Automate uses a form of robotic process automation, also known as RPA, in which a computer mimics a human's actions to complete tasks. If you want to get a notification each time an RSS feed is updated, you can build a custom RPA process to make that happen. Thousands of these automations exist, and Microsoft’s software can link up Outlook, Teams, Dropbox, and other apps.

The software is part of a broader low-code/no-code movement that aims to create tools people can use to create things without having any coding knowledge. Bargury's company, Zenity, exists to help secure low-code/no-code apps, which enables every business user to have the same level of capability and power that the developer used to have.

From a position in which a hacker has already gained access to someone's computer, Bargury's research looked into whether through phishing or an insider threat. Once an attacker has access to a computer, they need to take a few additional steps to abuse the RPA set-up, but these are relatively simple.

VIEW ALL

"There’s not a lot of hacking here," explained Bargury, who dubbed the whole process Power Pwn and is documenting it on GitHub.

First, an attacker needs to set-up a Microsoft cloud account, known as a tenant, and set it to have admin controls over any machines that are assigned to it. This allows the malicious account to run RPA processes on an end user's device. On the previously compromised machine, all a hack has to do now is assign it to the new admin account. This is done using a simple command line, called silent registration.

"Once you do that, you will get a URL that would allow you, as an attacker, to send payloads to the machine,” Bargury said.

Ahead of Bargury's DefCon talk, he created multiple demos showing how it is possible to use Power Automate to push out ransomware to impacted machines. Other demos show how an attacker can steal authentication tokens from a machine.

"You can exfiltrate data outside of the corporate networks through this trusted tunnel, you can build keyloggers, you can take information from the clipboard, you can control the browser," Bargury explained.

A spokesperson for Microsoft downplayed the potential of the attack, pointing out that an account would need to have been accessed by an attacker before it could be used.

"There is no mechanism by which a fully updated machine with antivirus protections can be remotely compromised using this technique," the Microsoft spokesperson said.

Recommending that people keep their systems up to date, the Microsoft spokesperson added that the technique is built on hypothesis.

"This technique relies on a hypothetical scenario where a system is already compromised or susceptible to a compromise using existing techniques like social engineering – both for the initial and any subsequent network attack,"

This type of attack could be hard to detect, Bargury further explained, as it uses official systems and processes throughout.

"When you think about the architecture, this is a remote code execution tool that is built by Microsoft and signed by Microsoft all throughout the way," Bargury said.

The demos and the steps needed to conduct the attack has been published by Bargury, to help raise awareness of the potential issues companies face.

Microsoft’s team reached out to Bargury prior to his DefCon talk and pointed out that business network admins can restrict access to Power Automate tools by "adding a registry entry" to their devices.

This process would put controls on the account types that can sign into Power Automate, thus reducing the potential for the system to be abused.

To be successful however, Bargury noted that the move relies upon security teams having consistent and clear policies across their organisations, "which isn’t always the case".

While the popularity of RPA tools is increasing, there have already been real-world attacks designed to abuse the platforms.

In early 2020, Microsoft's security team found six hacker groups, including a Chinese APT, inside the network of one company. One of the hacker groups used automated systems to remove data.

"In an uncommon move, the attacker used the customer's existing systems, including e-discovery, the compliance search feature, and Microsoft Flow, to automate stealing its search results," Microsoft wrote in an incident report.

Bargury says companies may need to reassess their policies as the possible risks around low-code/no-code applications become more obvious.

"It’s very important to monitor what RPA agents are doing.

"You cannot really expect to provide all of the business users in an enterprise capabilities that were, up until a few months ago, reserved only to developers and expect everything to go well," Bargury said.

[Related: RAAF and Atturra extend strategic partnership]