NetSPI Finds a Power Platform Vulnerability. 4 Things to Do About It

Recent research from penetration testing company NetSPI found that Azure on-premises data gateways allow Power Platform and Power BI to access customer resources and databases. Threat researchers found that these gateways can communicate with Power Platform through an Azure service called Azure Relay (previously known as Azure Service Bus).

The researchers at NetSPI created a malicious on-premises gateway and were able to establish communication between that gateway and Power Platform. Through the malicious gateway, they were able to craft a remote code execution payload that could compromise cross-tenant Power Platform connector infrastructure. If left unresolved, the compromised infrastructure could have let attackers gain access to other Power Platform tenants and wreak havoc. The underlying danger is that once inside, bad actors could gain access to sensitive data and hundreds of secrets.

The good news is that there are no immediate action items required from Microsoft customers as Microsoft has resolved the serialization issue that led to this vulnerability. However, there are a few key findings that we wanted to point out with four key takeaways that all security teams should account for, as this research identifies that we still have a long way to go in terms of securing all things low-code/no-code.

Why this is important

Organizations big and small increasingly rely on low-code / no-code development platforms, like Microsoft Power BI and Power Platform, to create applications, workflows, automations, and more. However, in doing so, these platforms inherently house sensitive and corporate data, and attackers are always lurking. Conventional wisdom tells us that attackers will seek out the weak links in order to gain access to the environment, and low-code / no-code platforms present huge attack surfaces. Within these platforms, applications can be built in a matter of minutes without any code or development skills necessary and oftentimes lack security controls and guardrails.

In this case, the Power Platform environment was left open and enabled attackers to use Power Platform to communicate with a fake gateway to intercept data or trigger any number of malicious activities. From the compromised host, hackers could have gained full access to multi-tenant data and secrets.

It speaks to a larger issue that these platforms can expose businesses to such risk, but the downriver effect is also worth noting. With macroeconomic headwinds and an ever present shortage in development talent, organizations are increasingly relying on low-code development to get things done. As such, they need to be able to trust these platforms as well as the people using them, safely, every day.

What can be done

There is no one thing that can be pinpointed that could have prevented this issue, as well as any others that arise in the future. However, there are a few basic tenets that security teams should keep in mind. Here are four things that we recommend all customers take into consideration and enact, wherever possible.

1. Ensure that any on-premises gateways are inventoried and monitored by the security teams. Any data that comes in and out of these gateways should also always be monitored and tracked for anomalies.
2. Restrict administrative access to on-prem gateways following the principle of least privilege. As with anything, ensuring that the minimum amount of access is provided at all points is paramount for security. By enforcing least privilege, and limiting who can install and/or modify on-prem gateways, security teams can be sure that administrative access to these gateways is only provided to those that absolutely need it to perform their jobs.
3. Assume breach and always stay vigilant for potential weak spots in the attack chain. Security teams typically put great controls on professional application developers, but there is much less guidance and governance for less technical folks. This is slightly ironic, considering these citizen developers are less technical and will need more help in keeping their builds secure.
4. Gain visibility throughout the network of how the various low-code / no-code development platforms are being used. Beyond rigorously testing the platforms themselves, the various applications, workflows, integrations, and connections that are built need to be continuously monitored to ensure that they are only being used by the people they are designed for, that they have strong authentication, and they are not at risk for data leakage.

While the investigation is still ongoing, everyone should continue to monitor the story and stay vigilant. We will publish any findings and information as soon as it becomes available. In the meantime, if you have questions about how you can secure the outputs of these low-code / no-code development platforms, feel free to get in touch with us!