A research firm recently published methods for attackers to hijack automation tools that ship with Windows 11 to distribute malware and steal data across networks. The process comes with some caveats but marks another area of concern for IT security. The vulnerability centers on Power Automate, a tool Microsoft packages with Windows 11 that lets users automate tedious or repetitive asks across various programs. Users can automatically backup files, convert batches of files, move data between programs, and more, optionally automating actions across groups through a cloud. Power Automate comes with many pre-made functions, but users can create new ones by recording their actions, which the tool can later repeat. The program could gain widespread use because it requires little-to-no coding knowledge. Michael Bargury, CTO of security company Zenity, thinks attackers can use Power Automate to more quickly spread malware payloads, explaining how in a June Defcon presentation. He released the code for the attack, called Power Pwn, in August.
Image credit: Windows Report The biggest obstacle to hacking with Power Automate is the fact that an attacker needs to already have access to someone’s computer or have penetrated a network through other nefarious methods. Bargury told Wired that if an attacker then creates a Microsoft cloud account with administrative privileges, they can use automated processes to push ransomware or steal authentication tokens. Attacks using Power Automate could be harder to detect because it technically isn’t malware and carries an official Microsoft signature. Microsoft wrote about a 2020 incident in which attackers used a company’s automation tools against it. Windows 11 and Power Automate weren’t around back then, but the case provides a real-world example of the same fundamental technique. Microsoft claims any fully updated system can defend against such threats and that networks can isolate compromised systems with registry entries. However, these safeguards, like all others, require prudence that users and companies don’t always exhibit.