Hackers can use Windows Safe Mode to secretly steal PC login

Security researchers have announced that Windows Safe Mode is not as safe as it is believed to be, describing the feature as a “significant risk”. Microsoft has been informed of the issue but has not acted on it, as it does not consider this to be a “valid vulnerability”.


CyberArk's security researchers have also said that Windows 10 is not immune to such exploits, despite the presence of Microsoft's Virtual Secure Module (VSM). The researchers also explored the various attack scenarios in which hackers could leverage Windows Safe Mode. Alarmingly, the weaknesses outlined by the firm can also turn infected endpoints into "launching points" for further attacks, giving hackers "more machines on which they can re-use these same attack techniques to ultimately compromise the entire Windows environment".


The researchers describe the technique as an uncommon one: it turns a tool meant for fixing problems on your PC and removing security threats into an attack vector. They also said they have built a number of proof-of-concept attacks that use Windows Safe Mode in this way.

According to the researchers, a successful attack first requires the attacker to obtain local administrator privileges on a computer or server running Windows. From there, the attacker can remotely force the machine into Safe Mode to bypass its protections.

The attack works because Windows allows applications to prompt the user to restart the PC, and that restart can be silently configured to land in Safe Mode. Safe Mode is valuable to an attacker because it prevents all third-party software from starting, including antivirus products.

Once the computer has rebooted into Safe Mode, the attacker can alter registry keys belonging to applications such as antivirus and anti-malware tools, keys that are off limits in Normal Mode, where changing them would trigger a security alert.


An attacker with a foothold on an infected system could leverage this technique to disable antivirus software for good and make sure his presence remains undetected until he finishes whatever malicious tasks he wants to carry out.

The attack requires special tools. Normally an attacker would use registry keys to load such tools in Normal Mode, but those are not honoured in Safe Mode, so the tools must instead be disguised inside malicious services and COM objects.

With the tools loaded, the attacker can then collect NTLM password hashes from nearby PCs; tools exist to crack such hashes back to their cleartext passwords. The captured data is sent back to the attacker and used to escalate access to nearby systems once the PC returns to Normal Mode.

The same technique can also be used to steal credentials for the PC itself: a typical attack reboots the PC into Safe Mode, shows a login prompt, records the credentials entered, and then reboots the PC into Normal Mode.
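As an added example that is not part of the article or of CyberArk's research, the following Python shows detection logic a defender could run over endpoint telemetry for the steps described above: the boot-configuration change that forces the next boot into Safe Mode, a new service registered in the list of services Windows starts in Safe Mode, and a security service being disabled through its registry Start value. The log lines are a constructed Sysmon-style key=value sample; the registry paths, the Defender service names and the bcdedit safeboot setting are real Windows locations.

```python
import re
from typing import Dict, List

# Constructed sample records in the style of Sysmon process-creation (EventID 1)
# and registry-value-set (EventID 13) events. Illustrative only, not real logs.
SAMPLE_EVENTS = [
    'EventID=1 Image="C:\\Windows\\System32\\bcdedit.exe" '
    'CommandLine="bcdedit /set {current} safeboot minimal" User="CORP\\admin"',
    'EventID=13 Image="C:\\Windows\\regedit.exe" '
    'TargetObject="HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\updsvc" Details="Service"',
    'EventID=13 Image="C:\\Windows\\System32\\reg.exe" '
    'TargetObject="HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinDefend\\Start" Details="DWORD (0x00000004)"',
    'EventID=1 Image="C:\\Windows\\System32\\notepad.exe" CommandLine="notepad.exe" User="CORP\\alice"',
    'EventID=13 Image="C:\\Program Files\\Contoso\\app.exe" '
    'TargetObject="HKLM\\SOFTWARE\\Contoso\\App\\Setting" Details="DWORD (0x00000001)"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Only services listed under SafeBoot\Minimal (or \Network) start in Safe Mode.
SAFEBOOT_KEY = re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\", re.IGNORECASE)
SERVICE_START = re.compile(r"\\Services\\([^\\]+)\\Start$", re.IGNORECASE)
# Security services whose Start value should never flip to 4 (disabled).
# WinDefend and WdNisSvc are real Defender service names; extend per estate.
WATCHED_SERVICES = {"windefend", "wdnissvc"}

def parse_event(line: str) -> Dict[str, str]:
    """Split a 'key=value key="quoted value"' record into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per event that matches a Safe Mode abuse pattern."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("Image", "").lower()
        if ev.get("EventID") == "1":
            cmd = ev.get("CommandLine", "")
            # bcdedit touching the safeboot setting forces the next boot into Safe Mode.
            if image.endswith("bcdedit.exe") and re.search(r"\bsafeboot\b", cmd, re.I):
                findings.append({"rule": "safeboot_configured", "evidence": cmd})
        elif ev.get("EventID") == "13":
            target = ev.get("TargetObject", "")
            if SAFEBOOT_KEY.search(target):
                findings.append({"rule": "safeboot_service_added", "evidence": target})
            m = SERVICE_START.search(target)
            if m and m.group(1).lower() in WATCHED_SERVICES and "0x00000004" in ev.get("Details", ""):
                findings.append({"rule": "security_service_disabled", "evidence": target})
    return findings
```

Run against the constructed sample, `detect(SAMPLE_EVENTS)` flags the first three events and ignores the benign notepad and Contoso records; the Start-value rule is deliberately scoped to named security services, since Start=4 on arbitrary services is routine.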


CyberArk's researchers confirmed that they have notified Microsoft about the issues. Microsoft, however, has not acted on them, as it does not consider this a “valid vulnerability” because it “requires an attacker to have already compromised the machine”.
Reviewed by Tech Ugly on Monday, September 19, 2016. Rating: 5
