Windows Safe Mode attack could put your passwords at risk
Because it allows only the essential elements of the Windows operating system to run, Safe Mode is a useful tool for diagnosing and fixing problems. But according to researchers at CyberArk Labs it could also be exposing you to risk.
Safe Mode stops a lot of third-party software from running at startup, and that can include many security solutions such as antivirus and endpoint agents. Attackers who have already gained remote access to a machine may therefore be able to reboot it into Safe Mode and operate while those defences are not running.
"Sure, the attacker can arbitrarily force a restart, but this will likely look suspicious to the user and prompt a phone call to the IT team," says CyberArk researcher Doron Naim writing on the company's blog. "Instead, to stay under the radar, the attacker can also either wait until the next restart or show the victim an 'update' window with a message that says the PC must be rebooted. This 'update' window can purposely be designed to look like a legitimate Windows pop-up".
By including in their initial payload a malicious service that is registered to run in Safe Mode, or by registering a malicious COM object that loads every time explorer.exe starts, attackers can ensure their malware keeps working in Safe Mode. (Windows decides which services and drivers may start in Safe Mode from the SafeBoot\Minimal and SafeBoot\Network lists under HKLM\SYSTEM\CurrentControlSet\Control; adding an entry there is all it takes to whitelist a service.) Once there, they could capture credentials as the user logs in, while changing the look and feel of the system so that it still appears to be in normal mode.
They could also use previously harvested credential hashes for a pass-the-hash attack against other machines on the network. This would run from a service at Safe Mode boot, after which the machine is immediately rebooted into normal mode so the user is unaware anything is amiss.
There are steps enterprises can take to reduce the risk. Forcing a reboot into Safe Mode from normal mode requires local administrator privileges, because the boot configuration can only be changed by an administrator, so removing local administrator rights from standard users cuts the attack off at its first step. Naim also recommends that companies rotate their privileged credentials, deploy security tools that keep working in Safe Mode, and monitor when Safe Mode is used, either by setting alerts or by checking event logs.
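The following script is an added example written for this article, not code from CyberArk or from the blog post it summarises. It audits a Windows host for the two conditions discussed above: whether the current boot is a Safe Mode boot (or one has been queued in the BCD for the next restart), and which services and drivers are whitelisted under the SafeBoot\Minimal and SafeBoot\Network lists that the malicious service would have to be added to. It assumes you run it from an elevated PowerShell prompt and that `$baseline` is populated from a known-clean machine; the hypothetical `Baseline` column is there so the listing can be diffed rather than read by eye. It reads registry and BCD state only and changes nothing.

```powershell
# Added example: audit a host for Safe Mode boot state and Safe Mode service whitelisting.
# Run elevated. Read-only.

# 1. Is this boot a Safe Mode boot?
#    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option exists only while booted into Safe Mode;
#    OptionValue 1 = Safe Mode (Minimal), 2 = Safe Mode with Networking.
$optionKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Option'
$bootMode  = 'Normal'
if (Test-Path $optionKey) {
    $v = (Get-ItemProperty -Path $optionKey -Name OptionValue -ErrorAction SilentlyContinue).OptionValue
    $bootMode = switch ($v) {
        1       { 'SafeMode-Minimal' }
        2       { 'SafeMode-Network' }
        default { "SafeMode-Unknown($v)" }
    }
}
# Cross-check against WMI: 'Normal boot', 'Fail-safe boot' or 'Fail-safe with network boot'.
$wmiState = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
Write-Host "Current boot: $bootMode (WMI BootupState: $wmiState)"
if ($bootMode -ne 'Normal') {
    Write-Warning 'Host is running in Safe Mode: third-party security agents are probably not loaded'
}

# 2. Has a Safe Mode boot been queued for the next restart?
#    A local administrator can do this with: bcdedit /set {current} safeboot minimal
$bcd = bcdedit /enum '{current}' 2>$null
if ($bcd -match '^\s*safeboot\s') {
    Write-Warning 'BCD {current} entry carries a safeboot flag: the next reboot will enter Safe Mode'
}

# 3. What is whitelisted to run in Safe Mode?
#    Each subkey under SafeBoot\Minimal and SafeBoot\Network is a service name, a driver file name,
#    or a device setup class GUID; its default value is 'Service' or 'Driver'. A service placed here
#    by an attacker starts in Safe Mode even though the security stack does not.
#    ASSUMPTION: $baseline holds "<List>\<Entry>" keys captured from a known-clean image.
$baseline = @{}

foreach ($list in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$list"
    Get-ChildItem -Path $key | ForEach-Object {
        $name = $_.PSChildName
        $type = (Get-ItemProperty -Path $_.PSPath).'(default)'
        # Resolve the binary for entries that are real services; GUIDs and driver file names stay blank.
        $svc  = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            List      = $list
            Entry     = $name
            Type      = $type
            ImagePath = $svc.ImagePath
            Baseline  = $baseline.ContainsKey("$list\$name")
        }
    } | Where-Object { -not $_.Baseline } | Sort-Object Type, Entry | Format-Table -AutoSize
}
```

With an empty `$baseline` the script prints the complete whitelist, which is the right first run on a golden image: save that listing, load it into `$baseline` on production hosts, and anything that then appears in the table is a service or driver that was granted Safe Mode execution after the image was built. Steps 1 and 2 are the signals to forward to a SIEM for the alerting Naim recommends, since a workstation that reports a Safe Mode boot, or a queued safeboot flag, outside a helpdesk ticket is exactly the event the attack depends on.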
You can find out more about how Safe Mode attacks can work on the CyberArk blog.
Photo Credit: triocean/Shutterstock