Security researchers successfully hijacked Windows 11’s Power Automate tool

In a word: Windows 11 includes tools to automate repetitive tasks, which saves users a lot of time. However, a security researcher claims that it can also save hackers a lot of time. Microsoft questions the vulnerability of its automation tools, but as usual in cybersecurity, human complacency may be the weakest link.

A research firm recently published methods for attackers to hijack the automation tools that come with Windows 11 to distribute malware and steal data across networks. The process comes with a few caveats, but marks another area of ​​IT security concern.

The vulnerability is centered on Power Automate, a Microsoft tool packages with Windows 11 which allows users to automate tedious or repetitive requests in various programs. Users can automatically back up files, convert batches of files, move data between programs, and more, optionally automating actions between groups via a cloud.

Power Automate comes with many predefined functions, but users can create new ones by recording their actions, which the tool can then repeat. The program could be widely used as it requires little or no coding knowledge.

Michael Bargury, CTO of security firm Zenity, believes attackers can use Power Automate to deliver malware payloads faster, explaining how in a June Defcon presentation. He published the attack code, called Power Pwn, in August.

Image credit: Windows report

The biggest obstacle to hacking with Power Automate is the fact that an attacker must already have access to someone’s computer or have entered a network through other nefarious methods. Bargury told Wired that if an attacker then creates a Microsoft cloud account with administrative privileges, they can use automated processes to push ransomware or steal authentication tokens. Attacks using Power Automate might be more difficult to detect because it is technically not malware and bears an official Microsoft signature.

Microsoft wrote about a 2020 incident in which attackers used a company’s automation tools against it. Windows 11 and Power Automate didn’t exist at the time, but the case provides a working example of the same fundamental technique.

Microsoft says any fully updated system can defend against such threats, and networks can isolate compromised systems with registry entries. However, these safeguards, like all others, require caution that users and companies do not always exercise.

Comments are closed.