Automating mundane work tasks has become easier over the past few years. Using drag-and-drop automation software, you can track your working hours in a spreadsheet or automatically create a to-do list item when someone mentions you in an email. The tools can make your life easier, but they carry risks.
One security researcher has found a way to hijack Microsoft’s software automation tool to send ransomware to connected machines and steal data from devices. The attack uses the automation tool as it was designed, but instead of sending legitimate actions, it can be used to deploy malware, says Michael Bargury, the cofounder and CTO of security firm Zenity, which is behind the work.
“My research showed that you can very easily, as an attacker, take advantage of all of this infrastructure to do exactly what it is supposed to do,” Bargury says. “You [then] use it to run your own payloads instead of the enterprise payloads.” The researcher documented his work at the DefCon hacker conference last month and has since released the code.
The attack is based on Microsoft’s Power Automate, an automation tool that was built into Windows 11. Power Automate uses a form of robotic process automation, also known as RPA, in which a computer mimics a human’s actions to complete tasks. If you want to get a notification each time an RSS feed is updated, you can build a custom RPA process to make that happen. Thousands of these automations exist, and Microsoft’s software can link up Outlook, Teams, Dropbox, and other apps.
The software is part of a broader low-code/no-code movement that aims to create tools people can use to create things without having any coding knowledge. “Every business user now has the power that the developer used to have,” Bargury says. His company exists to help secure low-code/no-code apps.
Bargury’s research starts from a position in which a hacker has already gained access to someone’s computer—whether through phishing or an insider threat. (While computers within businesses are frequently insecure—from a lack of patching and updates, for example—starting at this point means an attacker would have already gotten into a corporate network.)
Once an attacker has access to a computer, they need to take a few additional steps to abuse the RPA setup, but these are relatively simple. “There’s not a lot of hacking here,” says Bargury, who dubbed the whole process Power Pwn and is documenting it on GitHub.
First, an attacker needs to set up a Microsoft cloud account, known as a tenant, and set it to have admin controls over any machines that are assigned to it. This essentially allows the malicious account to run RPA processes on an end user’s device. On the previously compromised machine, all a hack has to do now is assign it to the new admin account—this is done using a simple command line, called silent registration.
“Once you do that, you will get a URL that would allow you, as an attacker, to send payloads to the machine,” Bargury says. Ahead of his DefCon talk, he created multiple demos showing how it is possible to use Power Automate to push out ransomware to impacted machines. Other demos show how an attacker can steal authentication tokens from a machine. “You can exfiltrate data outside of the corporate networks through this trusted tunnel, you can build keyloggers, you can take information from the clipboard, you can control the browser,” Bargury says.