A Windows 11 Automation Tool for ransomware attacks
Hackers can use Microsoft's Power Automate to carry out ransomware attacks if they first gain access to the computer. The tool Automating Mundane Works has been easy to use over the years. With drag-and-drop automation software, users can keep track of their work hours in a spreadsheet. An automatic to-do list item is created when mentioned in an email. This tool makes working easier but is associated with minimal risks.
A security researcher created a way by which Microsoft's software automation tool can send ransomware to connected computers and hijack data from different devices. The attack uses the automation tool designed but uses malware. Micheal Bargury confirmed this statement, the co-founder and CTO of the security firm Zenity, is the brains behind the work.
The attack is focused solely on Microsoft’s Power Automate. It's an automation tool built into windows 11. It's an automation tool that uses a robot method to finish tasks. You can create a custom RPA method to get notifications when an RSS feed is updated. This automation often happens with Microsoft software linking Outlook, Dropbox, and other apps.
The software is an element of a more significant low-code/no-code movement, which intends to produce tools that enable non-programmers to develop several things. According to Bargury, "any business person now has the ability that the programmer used to have." His firm helps protect low-code and no-code applications.
Perhaps through hacking or an insider threat, Bargury's research considers that a hacker has already gotten access to someone's computer. While business computers often lack fixes and upgrades, it also makes them unsafe, and at this stage, an attacker must have already gotten access to a company network.
When an attacker has gained access to a computer, a few additional steps need to be taken to destabilise the RPA setup. The steps are pretty simple, and not much hacking is required here, as explained by Bargury.
Due to the use of official processes and controls continuously, this kind of attack can be challenging to identify, according to Bargury. When you analyze the design, this is a malware tool created by Microsoft and continually signed by the company, according to Bargury. To try and raise awareness of potential problems businesses face, he shared demos and the processes required to launch an attack to show the issues companies deal with clearly.
According to Bargury, Microsoft's team contacted him before his DefCon talk. It informed him that business network managers could limit access to Power Automate services by "adding a registry entry" to their devices. By following this procedure, account types that would be able to sign in to Power Automate would be subject to regulation, lowering the risk of system manipulation. The move, according to Bargury, depends on security teams having comprehensive and understandable policies throughout their enterprises, which isn't always the case.
Companies may need to review their policies as the possible risks associated with low-code/no-code applications become more prominent, according to Bargury. You can't expect everything to work out if you give every business user in the company access to features that were, until a few months earlier, solely available to developers.