Low Code High Risk - Enterprise Domination via Low Code Abuse
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Title of Series | ||
| Number of Parts | 85 | |
| Author | ||
| Contributors | ||
| License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/62229 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
|
DEF CON 3082 / 85
24
28
29
47
51
53
59
60
62
70
72
75
80
84
85
00:00
Menu (computing)Enterprise architectureCodeFocus (optics)Computer animation
00:53
Information securityPoint cloudPerspective (visual)CodePlane (geometry)Computer fontAdditionMultiplication signTwitterMereologyInternet der Dinge2 (number)Point cloudCASE <Informatik>Information securityEnterprise architectureComputing platformSpacetimePerspective (visual)EntropiecodierungSelf-organizationComputer animation
02:55
CodeTime evolutionProduct (business)Mobile appMobile WebEnterprise architectureSystem programmingSoftware as a serviceMultiplication signMereologyEnterprise architectureCASE <Informatik>Data storage deviceEntropiecodierungInformation securityKeyboard shortcutService (economics)SoftwareInterface (computing)Axiom of choiceMacro (computer science)EmailComputing platformCartesian coordinate systemPoint cloud10 (number)Computing platformIdentity managementSelf-organizationBuildingPower (physics)Hacker (term)Moment (mathematics)Web pageGame controllerOffice suiteDrop (liquid)Drag (physics)Computer animation
06:33
GEDCOMAuthenticationDemosceneToken ringInformationFacebookGoogolCompilerSQL ServerDependent and independent variablesEmailService (economics)Group actionSoftware as a serviceRight angleMultiplication signEncryptionAuthenticationComputing platformTrailPower (physics)CuboidOrder (biology)Token ringComputer clusterFunctional (mathematics)MereologyConnected spacePerspective (visual)10 (number)Operator (mathematics)Cartesian coordinate systemSoftwareWindowIdentity managementShared memoryDefault (computer science)DataflowQuicksortRevision controlRoutingHacker (term)RootDifferent (Kate Ryan album)Information securityIntegrated development environmentEntropiecodierungEnterprise architectureComputing platformSelf-organizationBusiness modelPoint (geometry)Office suiteServer (computing)WebsiteComputer fileElectronic mailing listGastropod shellAutomationScheduling (computing)Computer animation
13:02
RootComputing platformEmailVirtual machineService (economics)MalwareLink (knot theory)Metropolitan area networkDependent and independent variablesE-learningEvent horizonEntropiecodierungCartesian coordinate systemSoftwareEntire functionData storage deviceToken ringComputing platformDomain nameMereologyOrder (biology)Power (physics)Point cloudPort scannerConnected spaceSoftware as a serviceIdentity managementTable (information)Line (geometry)EmailDifferent (Kate Ryan album)Functional (mathematics)WindowWeb browserLatent heatLink (knot theory)Content (media)QuicksortElectronic mailing listMaterialization (paranormal)Multiplication signConnectivity (graph theory)Self-organizationGoodness of fitComputing platformWrapper (data mining)Computer wormGastropod shellSingle-precision floating-point formatLocal ringConfiguration spaceShared memoryComputer animation
19:31
Cartesian coordinate systemWindowGame theorySelf-organizationShared memoryHacker (term)Operator (mathematics)MereologyOrder (biology)Identity managementConnected spaceMultilaterationEmailSystem administratorLink (knot theory)Power (physics)FlagKey (cryptography)Computer animation
21:25
MereologyComputing platformEntropiecodierungSelf-organizationComputer animation
21:56
Machine codeHacker (term)BlogComputing platformComputer fileCore dumpBroadcast programmingEncryptionWritingDrop (liquid)Group actionPower (physics)Data managementConvex hullElectronic mailing listComputer wormConnected spaceDataflowLatent heatAttribute grammarOrder (biology)Term (mathematics)Group actionPower (physics)Multiplication signSingle-precision floating-point formatInformation securityWebsiteComputing platformEntire functionComputing platformComputer fileSoftwareRandomizationDatabaseTwitterElectronic mailing listRevision controlLoginMereologyCovering spacePoint cloudRemote procedure callInformationCartesian coordinate systemDependent and independent variables1 (number)Hacker (term)Domain nameSlide rulePoint (geometry)EntropiecodierungComputer animation
29:29
Revision controlCommon Language InfrastructureControl flowFactory (trading post)BlogWrapper (data mining)Backdoor (computing)Electronic program guideOrder (biology)Power (physics)Computing platformVector spaceComputer animation
30:46
Default (computer science)Sheaf (mathematics)Operator (mathematics)Computing platformEntropiecodierungDifferent (Kate Ryan album)Hacker (term)QuicksortSelf-organizationSoftware developerRight angleCartesian coordinate systemComputer animation
32:06
Web portalPower (physics)Web pageComputing platformInstance (computer science)Sign (mathematics)Default (computer science)Mobile appStandard deviationCommunications protocolAccess SQLTable (information)Uniform resource locatorMortality rateBlogLeakVariable (mathematics)Token ringSimultaneous localization and mappingScale (map)Computer-generated imageryVideoconferencingVulnerability (computing)Key (cryptography)AuthenticationEmailEvent horizonElectronic mailing listData storage deviceMachine codeClient (computing)CodeInformationGroup actionString (computer science)Query languageConvex hullMaxima and minimaError messageDatenverknüpfungCryptographyZoom lensAdditionEnterprise architecturePlane (geometry)Information securitySystem identificationInstallation artBackdoor (computing)Self-organizationConfiguration spaceProxy serverDatabaseDefault (computer science)Cartesian coordinate systemObject (grammar)Service (economics)Computing platformPower (physics)AuthenticationToken ringForm (programming)MereologyData storage deviceCASE <Informatik>Enumerated typeQuicksortWeb portalFocus (optics)Error messageElectronic mailing listEnterprise architectureState of matterInformation securityComputing platformPasswordElectronic program guideMultilaterationHacker (term)Ubiquitous computingPredictabilityBlock (periodic table)Drop (liquid)WebsiteBackdoor (computing)Configuration spaceInformationRow (database)Integrated development environmentFlagProxy serverOrder (biology)SpacetimeConnected spaceNumbering schemeSelf-organizationGlobale BeleuchtungDomain nameStandard deviationMultiplication signEntropiecodierungSensitivity analysisEstimatorVariable (mathematics)
40:00
Computer animation
Transcript: English(auto-generated)
00:00
Yeah, so please join me in welcoming Michael Bargary for Low-Code High-Risk Enterprise Domination via Low-Code Abuse. Hi, everyone.
00:20
So first of all, thank you for staying. This is a difficult time, but we're going to have some fun today. So this talk is going to focus on how do we take low-code, which is kind of technology that are about enabling users, users to build their own things, and seeing how attackers
00:41
are using that to basically own the enterprise. And this entire talk is based on attacks that we've observed in the wild that we are going to recreate today. My name is Michael. I've been doing security for a long time now. I spent a few years at Microsoft on IoT and APIs and cloud.
01:03
If you've seen my first talk this morning, so thank you again for coming, and I hope I don't bore you. Other than that, I've started a company called Zenity a year and a half ago. We're focused on low-code, no-code security.
01:21
That's how we got to observe this space. And this entire research is going to be, is featuring research from Real Zilberberg, which is sitting right here, so give him some love. Thank you. And I'm really excited to be here, my first DEF CON, so it's been really amazing.
01:41
A short disclaimer, this talk gives an attacker perspective on low-code, but of course, we are all for low-code development. The trend of low-code is really cool, providing users the ability to build stuff on their own, but it's important to do it securely, so that's why we are giving this talk.
02:00
Here's what we're going to do today. We'll start off with making sure we all understand what low-code is. We'll then dive into attacks that we've observed in the world on low-code platforms. We'll start with a living off the land attack, so cases where attackers are using low-code to basically do whatever they want inside the enterprise.
02:22
The second part would be, how do you remain persistent? How do you establish persistency through low-code platforms? Then we'll go to predictable misconfigurations and how those are abused outside in scanning. We'll finish off with two things. One is you'll have a couple more tools in your relative arsenal to play around with,
02:45
and the second thing is how to protect your organization, so we'll go through that as well. Let's start. Low-code is really all about empowering of business users. The idea is basically business users are tired of waiting for IT.
03:03
They want to solve their own things, their own problems, and so they have these drag-and-drop interfaces which allow them to create applications and automations, and the crucial piece here is that it's built on top of platforms that you already know, and we'll see that in a moment. If this idea of enabling business users to build their own things sounds familiar, there's
03:24
a long history behind it, so there were software that allowed you to record your keyboard and your mouse and then reiterate that for automation. There are macros which are, of course, our close friends, and there's low-code now
03:42
that it is on the same axis. People are building all kinds of things with it, so if this, then that, automation, for example, every time I get an email with an attachment, store that attachment in Google Drive, applications like handling receipts or onboarding and onboarding users, there's
04:08
really lots and lots of business cases for these kind of applications, and the crucial thing is this is already in all of the enterprises in the world, and it's not because they made the conscious choice to do it, it's because the vendors, the vendors that you're
04:25
seeing up here but also others, have basically built a low-code platform around existing services that they already have. So if you're a Microsoft shop or if you just have Office, every user can build automations and applications based on their own identities within Office, and this is something that
04:43
you already have in your organization today. The same thing applies for Salesforce and ServiceNow and all of the logos that you're seeing here. So this is, by definition, also already inside your org and touching business data. So here's a very quick recap on what low-code is.
05:02
We've seen that it's, we've discussed that it's available in every major enterprise. Actually, what we're seeing is that in every organization that we are starting to work with, there are tens of thousands of these applications, and these are not exaggerated in numbers, tens of thousands of applications being built by business users. People in IT, people in HR, they're all building their own things, and you will see in a moment
05:22
that it takes just a couple of minutes. We've seen that this, by definition, has access to business data or powers business processes because that's what it's meant for, and it runs as SaaS, which is important because all of the controls that you're used to, well, they're not there.
05:41
This runs on the vendor's cloud, so on Microsoft's cloud, on Salesforce cloud. And the last piece is that this is vastly underrated by IT and security teams. So people have started noticing this area, but there's a lot more to go there. So that was the recap. That was the kind of figuring out, making sure we're all on the same page on what low
06:04
code is. The next part is observing attacks, and before we are going to, and by the way, this part will be heavily focused on Microsoft Power Platform, which is built around Office, simply because many people are using it. It's very successful, and so hackers are using it as well.
06:20
Before we start figuring out how our hackers live off the land of low code, no code, and specifically power platform, let's just make sure that we all understand how this looks like. So this is going to be a very quick example, and let me play while I explain. Basically, this is a very simple automation.
06:42
It's going to be built in a couple of minutes. This automation does one thing. When I'm in Slack and somebody mentions me on a common channel, it's very annoying because I always have to respond quickly because it's in a common channel and everybody's seeing. So this automation, every time that somebody mentions me, it changes my status as if I'm
07:03
on a call, then that person could figure out that I'm not available right now. And then, of course, it moves me back to a status that is clear, so nobody will suspect anything. And you're seeing that in order to build this automation, I'm dragging and dropping.
07:22
I'm going through select boxes. These are things that everybody can do, and that's the power of this technology. That's also the risk. One of the key parts to notice here, and I'm going to stop it somewhere along the way, is the fact that you haven't seen any sort of authentication. Keep in mind, this is Zapier, one of those platforms, going out to Slack with my own
07:46
identity and changing stuff. But you haven't seen any window pop up. You haven't seen any overflow. So how exactly does this happen? This is very important in order to understand how attacks are being made on those platforms.
08:02
So here's a step-by-step of what happens when you create a new automation with low code. The first step is that you pick from a list of lots and lots of applications. Those could be SaaS applications, on-prem connectors. Those are basically hundreds and hundreds of connectors that are being provided by the platform
08:22
themselves to connect wherever you'd like. The second thing is that there is this all-of-consent flow that basically allows the application to operate on your behalf as a user. But notice the last part, and specifically the share button. So something is going on here, right?
08:42
There's an application. It logs in on a user's behalf to Slack, and then somehow it's able to share that user's authentication with Slack with other users. So the next thing we're going to try and figure out is how does this work. So on one side we have Zapier or Power Automate or other automation tools that are part of
09:06
low code, and on the other side we have Slack, and again the idea is to figure out how does this authentication work, and especially how does connection sharing work. So here's how they do it. Instead of going through the usual route of kind of RBAC and asking for permissions
09:23
for each user separately, they simply copy the refresh tokens and then replay them. So you do the consent flow for Slack, Power Automate will store your refresh token, and then you can share that refresh token with other users through Power Automate.
09:42
Now of course from Slack's perspective or from a network security perspective, there's no sharing here, right? It's the user. The user is always the one that's doing the operations. It doesn't matter if an application is using it, if other users are using it. This is a crucial point. These applications are basically blocking, are basically breaking the permission model
10:03
that we're used to in SaaS and in connectivity between applications. Okay. Now that we've figured that out, let's see what attackers are doing with it. So the first thing that we need to understand is that because lots of, you've seen how easy it is to create these applications, and lots more people can create these applications,
10:25
that means that you get lots and lots and lots of applications. These are all examples from the marketplaces of the different vendors, and you can, maybe you can see the numbers, it might be too small, but there are hundreds of thousands of those being deployed, and again, we see that in enterprise all of the time.
10:41
And the important thing here is actually the logos, because behind every logo in these processes, there's data, there's connection to data, or there's the ability to do all sorts of operation. So behind every one of those applications, those tens of thousands of applications within enterprises, there's a trail of connections, a trail of connections that can be shared with other users.
11:04
And actually, it's not only that it can be shared, in many cases, that's the default. So if you'll see, if you look at Microsoft Power Platform, for example, if you look at Zapier, or other platforms as well, they all have a notion of a default environment. Some place where you create an application,
11:22
and you don't think about it, the connection will go there, and other users can just pick it up and use it. So those are examples of the default environment from different vendors. Again, this is not a problem with one platform, this is a basic concept of how this technology works. And so every platform has their own version
11:41
of this default environment, and when you have access to this default environment, you get access to tons and tons of connections across the organization. And I'm talking about, from what we've seen, SQL servers with root accounts, users, the user's own identities to Office and to Slack, FTP connections, all of the things that you could think about
12:03
that users are using these platforms for. So what we're seeing hackers do very easily is once they get into an enterprise, once they find at least one user's account and they are able to log into their SaaS, they can very easily escalate their privileges. It's already there, it's built in.
12:23
So that's really, really, really simple. But the next thing that they'll do is that they'll use these connections that are part of the platform, and they do a bunch of things with it. So here's an example of a ransomware attack, and again, these are all attacks that we've observed and recreated. So in this example, I'm going through a SharePoint site
12:43
on a schedule, and I'm simply encrypting every file on that SharePoint with the comfortably provided encryption function within Power Automate Microsoft's platform. So again, ransomware here is just really, really easy, and this is ransomware without installing any agents,
13:03
without going through the network. This is all on the SaaS cloud. The other thing that we're seeing people do is export their data outside of the organization. This is a crucial piece. There's a bunch of, so when you think about how do we protect from data leakage,
13:21
we can go at it through the network, we can try and scan storage accounts and cloud accounts, but because these platforms, they mix up identities of different users, and you can also plug in your personal identities, then you don't really have access to scan everything here. So for example, in this example which we've seen,
13:42
I think in every organization that we're working with, we find what people are doing is in order to send email, a corporate email to their Gmail account, they're simply copying the content instead of forwarding the email. And then really there's nothing you can do outside of the platform to even catch this,
14:01
because remember, this is impersonating the user. It's not going through any sort of approval process. So data exploration is really easy here. We've seen this not only with emails, but with other, you can do it with other things as well so for example, creating a useful application
14:22
and then even by mistake, storing its data in your own personal Dropbox, because you can mix and match these things very easily. So we're seeing this again, multiple times. Another thing you can do, which is actually kind of weird, is that you can jump from the cloud to people's laptops.
14:41
And that's because these platforms have a component that's called RPA, which is about automation on the user side, on the laptop side. We actually had another talk on this earlier today, so the materials are there in the link and you can find it online. But it's very easy once you have access
15:00
to those shared connections, some of those shared connections are actually privileges to execute something, a payload, on a user's machine. And then you can just pick it up and use it. Again, the same thing that we've seen for lateral movement. So as you can see, there's a lot of risk in these over-shared connections, which are,
15:21
again, recall these are wrappers around authentication, refresh tokens. This means that from the outside, you won't be able to figure out that there has been a share. So that's one user that's simply reusing that connection again and again. In order to make it easy for us and for you as well to figure out
15:41
whether this happens within your organization and to plug it into part of your red team arsenal, we've built a small tool that basically allows you to plug in a user and get a table with all of the different connections that that user has access to, which users those connections belong to.
16:01
So that's all available very quickly. You'll see that tool, it's less than 100 lines of code. It's very, very, very easy. So feel free to use it and play around with it. The next piece I want to talk about is how do we make, so let's say
16:20
that we got into an organization and we're seeing those shared connections, but we want more. We want to find, we want to entice users to create those connections. And we want to own a specific user identity, for example. What we can do here is we can set up a bait application that basically asks for, for example, your email connection with a good reason for that.
16:43
But then we can use that email connection while the user is connected to do whatever we want. Of course, this is not special to low-code applications. Every application can do that. The simple, the key thing here is that somebody from HR can create this application, somebody from finance. So there's a very, there's a much lower bar
17:03
to create these applications. And there's also another crucial piece here. This is all run on the vendor's SaaS product. So for example, in the example that I'm gonna show you, it's about Power Platform, Microsoft's local platform. The application will end up in a microsoft.com domain.
17:21
So users will trust it, why not? So let's see how it works. So while this is running, what I'm going to do is I'm picking an application from the template list. I'm specifically taking an application that is about creating an out-of-office. So you go into the application,
17:42
you give it access to your email, and it will decline emails for you. You've seen briefly that I needed to create those connections to click Allow. We'll see it again shortly. So you see I'm picking a date, and then I can have, I can configure a few things, and the application will do everything for me. And this is a useful application.
18:01
I didn't create it, I just picked it off the marketplace. What we're going to do is take this useful application and abuse it for our own needs. So I'm hitting the Edit button here, and I'm going to do a very simple thing. I'm going to use the user's email while it is connected to send myself an email saying, hi, I've been pwned. Now of course, I could have done other things here,
18:23
but the important thing to note is how simple it is. So it's a single line of code to reuse that user's connection to do anything we'd like, and the user don't really have a way to know what's happening here.
18:42
Okay, so while it takes me a lot of time to type, the next thing that's going to happen here is that I'm going to save the application. And by the way, when I click Save, it's already deployed, so there's no deployment process here. And then I'm going to share it, and I'm going to share it with the entire org because that's a function that's available here, so why not?
19:03
Once I create this shell, Microsoft provides me with a nice link for my application. So I'm going to copy that link, and now I'm in another user, and I'm going to plug in that link on the browser, and let's see what happens. First of all, I get this window that's asking me to use my credentials,
19:21
and it was asking me for two things for my account to Office and for my calendar. And of course, while I click Allow and I use the application, very quickly I get the email that I've been pwned. So we've seen how easy it is to do it,
19:41
but there's one key thing to understand about this example, and that is this window, okay? This window is what allowed the application to take over the user's identity, and as you can see, this is not the usual OAuth window that you're used to. It's not telling you, hey, these are the operations I'm going to use,
20:01
so you'll know that other operations are being created. No, this window is about sharing the connection, the connection that we saw earlier. And so the only thing that gave the user a hint that I might be able to steal their identity is this window, and so naturally, we want to figure out a way
20:22
to remove this window. Note that if I'm able to do that, I have a link on microsoft.com, and if I'll share it with anybody in the organization and they click it, that's it, that's game over. So thankfully, this is something that's already available.
20:42
This is for Microsoft Docs, so an admin can basically set a flag. That means that this window just goes away, and actually, people are doing this in order to make these applications easier to use. So if you're in an organization that has done this, you might be in big trouble.
21:02
So we have seen multiple ways in which hackers are leaving off the land. Specifically, we've seen things about Microsoft Power Platform, and we've seen it about Zapier. We've seen lateral movement, privilege escalation, and ransomware account takeover, and these were all drag and drop, very simple, very easy to use.
21:22
The next part that I'm going to talk about is how do we stay there? So this has been, as you can see, there are a ton of things that you can do once you get into those local platforms, and the next part is how do we make sure
21:42
that we remain persistent within those platforms? But actually, it's more than within those platforms, it's to remain persistent in an organization, because again, if I'm there, I can use the connections and continue on from there. We are actually not going to invent anything here. This has been done by an APT group about two years ago.
22:04
So what happened here, and if you follow the link, you'll see all of the sources. Basically, this is live from Microsoft detection and response team, where an APT group was able to stay hidden within an enterprise. They knew that they got hacked, and they were looking to find the hackers,
22:21
and it took them six months to find that there was a single automation on Power Platform that did a very simple thing. It used eDiscovery to go out and find secrets and find business data in email, in Outlook, in SharePoint,
22:40
and then just send it off to random endpoint. And nobody was looking for it. You don't really have a network appliance looking at what Microsoft is doing, and so this took a long time to find. So what we're going to do now is recreate that and see exactly how it works.
23:00
Here's the first version. So on a schedule, I'm gonna go through all of the files in a single SharePoint site. I'm going to encrypt them, send them over to random endpoint, for example, Paste Bin, and I'm gonna tweet about it because why not? I mean, nobody will find me anyway. You can also apply this to on-prem. You can plug in any one of the connections
23:21
that we saw before. So this is actually exactly what the attackers have done. Now let's take it a step further. So instead of starting with a schedule, let's plug in an HTTP endpoint that you can just call from the outside, and in this example, what it's going to do is encrypt an entire Google Drive.
23:43
Again, why not? So this is basically encryption run somewhere for a specific Google Drive that is available through an HTTP endpoint outside of the org. But actually, I've mentioned that this part of the talk is about persistency. This is just a very small part of what we need
24:01
in order to remain persistent, so here's a laundry list. Of course, this is not everything, but there are a few things that we need to be able to do. We need to be able to run code remotely. We want to be able to run arbitrary payloads, not just a fixed list of payloads that we've described earlier. We want to maintain access, even if the user that created,
24:22
that gave us the initial access, gets blocked or removed or whatever. We want to make sure that we avoid detection and attribution, and of course, leave no logs behind. So let's see how we can do that. We've already seen a first version of persistency because there's this HTTP endpoint. Let's try and figure out what does it cover
24:41
from our laundry list. So I'm able to execute things remotely. That's pretty obvious, that's an HTTP endpoint. This is definitely not an arbitrary payload. This is a specific payload that I've created, and that's the only one that I'm going to be able to run. In terms of maintaining access,
25:01
that's covered here because all of the, because that HTTP endpoint comes built in with a secret, so we don't need to be authenticated in order to call that HTTP endpoint. Again, something that is the same in every local platform that we've observed. And so I can very easily just call that endpoint and that's all the access I need.
25:20
Avoiding detection is, again, very easy because it's somebody else's cloud. You have no security controls there. Avoiding attribution is also very easy because that's an endpoint. You can call it from wherever. They're not blocking tour or anything like that, so just go ahead. And in terms of logs, not really.
25:42
We're kind of in a problem here. Those automations generate a ton of logs. So I'm talking about every single piece of information that goes through those automations is actually being logged there, including the data itself. So we need to figure out how do we tackle those two points, the arbitrary payloads and the logs.
26:03
Here's one attempt. We're just gonna have a single endpoint, but this time we will implement a whole bunch of payloads. So there we can think in advance about the payloads that we would like to execute. So one of them is leaking an entire SharePoint site. Another is encrypting an entire SharePoint site,
26:21
executing a SQL on a random database. All of those things are available through a single endpoint. Actually, I didn't have, there's no advancement here. Still no arbitrary payloads, and I really haven't touched the log thing. So let's see how both of these things can get solved.
26:43
And for that, I'm gonna use a very useful piece of software from those local platforms, which is the fact that the local platforms themselves provide a way for you to manage them through low-code.
27:00
So you can use low-code to create new low-code applications. You can trigger them, you can delete them. And so I'm sure you'll see where I'm going with this, but I'm gonna take you through it anyways. Here's what we're gonna do. So I'm going to show you exactly how I cover both logs and the payloads.
27:22
This is already out there, so you can go ahead and use it. And this tool basically allows you to install this backdoor inside of an organization, and then you remain persistent. Here's how it works. I have a single endpoint, an HTTP endpoint, and instead of running a specific payload,
27:43
it's running a payload that's creating a new payload. So I'm passing through the definition of the automation, which connections it should use, and then what this automation does is creates that new automation and triggers it. I actually need more than that,
28:02
so there are three different things that this covers. One is creating the automation, the other is deleting the automation, and then another crucial piece is just listing those credentials, those connections that are laying out there. So we'll always be able to use fresh ones. And of course, this completely covers the general payload,
28:24
so I can just run whatever I want now. The, sorry, one more thing that we need to, one more thing that's covered here, and I haven't actually specifically described it, is because I can delete the flow after I run it,
28:43
all of the logs get deleted as well. So the logs are actually maintained as part of the flow itself. And so by executing the flow and then deleting it, I'm remaining completely, I leave no logs behind. So the only logs that are left
29:00
are the fact that this flow is running, and this can be hidden by basically saying, okay, this flow, don't remember anything about it. Here's the entire flow, the entire automation. So again, one HTTP endpoint, three main commands, create an automation and trigger it,
29:21
get connections so I can create new automations with that new connection, and deleting the automation. Here's the same thing with a Python wrapper that makes it easier for you to use it without going through the UI for Microsoft. So this is kind of small, so let me make sure
29:41
that you understand what's going on here. I plug in the webhook that I got from installing this backdoor on Power Platform, and then I create a flow, I trigger it, and I delete it, all within the comfort of my Python CLI. And this, of course, is all available for you to use right now,
30:00
so I'll describe briefly what this thing, what you need to do in order to use this. Basically, once you have access to Power Platform, you follow a small guide that I have there that's about installing that backdoor that's basically uploading that automation that you just see here, and you get, in response,
30:23
the webhook, and then you can use it. So, and again, keep in mind, this is far more advanced than what we've seen the threat actor actually do, and the basic thing that the threat actor did took defenders to six months to find,
30:42
so I wonder how much this could take. Okay, so we've seen two subsections right now. We've seen how hackers are living off the land of low code to create, to run their own malicious operations based on the local platforms themselves.
31:01
We see now you can stay within these local platforms, remain persistent. The last thing I want to cover is how does this look like from the outside. So, sorry. So both of the sections before started off when I have some sort of access to the platform,
31:21
but actually, there's more going on here. Because business users are creating these applications, there are common misconfigurations that we can find, that we can look for, and that are predictable, that expose business data outside of the organization. And actually, we've seen this with AWS S3 buckets,
31:41
S3 buckets, right, so the default was insecure, every new bucket was public, and then even though they changed the default, we're still finding these public S3 buckets today. And so the same thing applies here, but the key difference is that these are not only developers that are building this,
32:01
these are business users, so there's a lot more of it. We'll see a couple of examples. The first example is Microsoft's Power Pages, which is basically a website that allows you to, it allows unauthenticated users to observe the website.
32:21
This is being used for vendor management, contractors that come into your office, and that's an entire application that you create with drag and drop. Of course, there's a database behind it, there's a bunch of information there that should not be available to the vendors and the contractors. Actually, about a year ago, the team at AppGuard
32:41
found that there was an insecure default there that basically meant that the entire database behind that application was available to anonymous users, and this was the default configuration for about a couple of years. Now, this was a major thing, about 40 million records were exposed
33:01
by AppGuard's estimation, and Microsoft has actually been very quick to change the default, but of course, the default is not everything, so there are still these applications that were created beforehand, and users can always make mistakes. What we wanted to do here is to try and find out how many of these mistakes we can find.
33:22
So, how do we do it? Basically, we're going to scan the internet, looking for portals, these kinds of applications that are exposing business-sensitive data without any authentication, and here's an example, and this is actually a real example from a large financial services company. You can see that by querying the API,
33:42
I get three different objects that I can query. One is the default object. It's not really interesting, it has nothing there. The second thing is an entity form set, which is basically the way to store form submissions, so again, not really interesting, but the third part, global variables, is kind of interesting, and of course,
34:02
when we look into these global variables, what we found was authentication tokens for Azure and for Power Platform that were being used by the application itself, and again, this is available to anonymous users. We browse it through Tor, so very, very, very, and the crucial part here is that it's very easy to find,
34:22
so why is it easy to find? Because it's all in the same subdomain, so every one of those applications is in this subdomain, and the endpoint, the API endpoint, is always the same as well, so of course, we can do subdomain enumeration here. Here's a lazy way to do subdomain enumeration.
34:41
We'll just use Bing, and Bing, because this is Microsoft, so it works, so you're seeing about 60,000 different portals that are available out there, and we have actually been going out to people and trying to help them make sure that they are able to solve this issue.
35:01
Here are examples of what we found, so lots of, woo, nice, lots of PII secrets, API keys, authentication tokens, and lots of business data, so PDFs, pictures of recipes, of receipts, so a whole bunch of business data.
35:22
So again, this was a case where there's a misconfiguration that is very predictable, and it's very easy to scan for it. Let's see another example. This time, we'll focus on Zapier. Zapier is a tool that users, as business users, are bringing into the enterprise themselves,
35:41
and Zapier is, again, an automation tool. You can drag and drop, and you create automations. Zapier has a nice feature called Storage by Zapier. Basically, what this means is that if you need to store some sort of state for your automation, or you need to store secrets for it to operate, then you can use this storage,
36:01
and the way that it's protected is that you need to choose a GUID, some sort of GUID, and then once you plug it in, that's a key value store, you get your secret back. Now, as you can see, I mean, GUIDs are not the best, but it's still kind of difficult to guess. When we've observed the API documentation,
36:22
you can actually see that the example that they provide is secret equals one, two, three, four, five. This is definitely not a GUID. So, we were curious. The first thing that we tried to do is just try a random secret, and that's the error that you're getting,
36:41
if that's not a GUID, but actually, once you go through, what we actually did is we iterated through a list of known passwords, and what we got was that many of those passwords actually worked. So, you're seeing here examples of things that we found. Again, authentication tokens, API keys, emails, phone numbers, and actually,
37:02
what happened here was that, so, up until about two years ago, Zapier was not really making sure that users were using GUIDs. They could use whatever they want, and then they started doing it, but they didn't block the old secrets. So, you can still use them,
37:21
and they are still available. I mean, some of them are available today. We are working with, we have been working with Zapier team to make sure that this is covered, and actually, the vast majority have already been cleaned up. Okay, so we've seen two examples where platforms allow a predictable misconfiguration, and how, from the outside looking in without having any access,
37:42
we can go ahead and access business data. Here's a summary of everything that we've seen up until now. So, we discussed low-code. We understand how it's pervasive in any enterprise, and the fact that it's built around business data. We understand that it's kind of underrated
38:00
by IT and security teams, which make it a great target for attackers. We're seeing our hackers are taking advantage of it, really, kind of all around. So, living off the land of low-code, for lateral movement, for privilege escalation, we've seen everything. We've seen how you can hide within those low-code platforms and use that as a way to persist within an organization, and we've seen how you can use those same platforms
38:23
and the predictable misconfigurations that they create in order to find business data. There are two things, and actually, we've also seen two tools that we've released today. One is for Zapier that allows you to find those connections, those shared connections, and the other is that backdoor
38:41
that you can install on Power Platform. So, the last thing I want to do is leave you with some tips on how you can secure your organization, how you can protect yourself. So, here are specific things that I really recommend you do quickly. The first thing is that you need to review configuration.
39:02
For example, the bypass consent flag from Microsoft, make sure that's off. There's also the usage of those connectors, so make sure that connectors that are administrative, for example, couldn't be shared in a default environment. I recommend that you view those endpoints, those external endpoints that those platforms are creating for you.
39:22
So, again, you don't have to be fully aware of it, but it's already there. The platforms are exposing those endpoints for you, and you have no easy way to monitor them. The number one thing that you should take out of this talk is go through those shared connections. Go to those default environments,
39:40
see what users have built. You'll be surprised. And there's a bunch of more information that you can use here. There's an old school that is dedicated to low-code, no-code that would help you figure out what are the different risks that are around this space. And there's a whole bunch of articles there that could help you. So, thank you everyone for,
40:01
thank you very much for your time. It's been fun.