The US cyber-security vendor CyberArk has recently published research warning that Windows Safe Mode can be abused by attackers to carry out malicious activity under the radar.
The researchers describe several scenarios in which attackers could disable security software or steal credentials from nearby workstations.
This is not considered a security vulnerability but a possible attack scenario, one that can only play out once the machine has already been compromised and the attackers have gained administrator privileges.
Even though all the scenarios are hypothetical for now, the risk is real: numerous Windows PCs are attacked every day, and many threats are able to obtain admin rights for their operators.
The Safe Mode attack is achievable because Windows allows applications to prompt users to restart their machines and then secretly force that restart into Safe Mode.
Safe Mode does not start third-party programs, including anti-virus software. Once the PC is in Safe Mode, the attacker can change the registry keys of anti-malware and anti-virus programs, which in Normal Mode would detect such tampering as a threat.
Attackers who have already compromised a machine could use this technique to get rid of AV software and be certain of having enough time to finish their malicious activities without being flagged. However, they would still have to trick the victims into rebooting their system into Safe Mode.
Once in Safe Mode, most of the malicious tasks would not take long to complete. The machine could then reboot into Normal Mode again, and this would not look particularly suspicious, since everybody knows that Windows installation procedures restart the PC a couple of times.
Aside from disabling the PC's security programs, attackers leveraging this technique would also be able to collect login credentials from PCs on the same network using a Pass-the-Hash attack. Launching such an attack, however, requires special tools. In Normal Mode the attackers could use registry keys to load these tools, but since Safe Mode does not allow this, the tools must be hidden inside malicious services and COM objects.
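The technique described above leaves traces a defender can look for: a boot entry configured to start in Safe Mode, a service or driver newly whitelisted to run in Safe Mode, and an unexpected restart request in the System event log. The following script is an added example written for this article, not code from CyberArk or Microsoft. It assumes a Windows host, PowerShell 5.1 or later run as an administrator, and a baseline file (the path `C:\baseline\safeboot-minimal.txt` is a placeholder) that was exported earlier from a known-clean machine; the cmdlets and registry paths it uses are standard Windows ones.

```powershell
# Added example (not CyberArk's code): defender-side checks for Safe Mode abuse.
# Assumes Windows, PowerShell 5.1+, administrator rights. Reports:
#   1. whether the current session is itself a Safe Mode boot,
#   2. whether the boot configuration has been set to force Safe Mode on next boot,
#   3. which services/drivers are allowed to start in Safe Mode, diffed against
#      a baseline snapshot taken from a clean host (hypothetical file below),
#   4. the most recent restart/shutdown requests logged by Windows.

# Placeholder path. The baseline was produced on a clean machine with:
#   (Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal').PSChildName |
#       Set-Content C:\baseline\safeboot-minimal.txt
$BaselinePath = 'C:\baseline\safeboot-minimal.txt'

function Get-SafeModeState {
    # Win32_ComputerSystem.BootupState reads "Normal boot", "Fail-safe boot" or
    # "Fail-safe with network boot"; the last two mean the host is in Safe Mode.
    (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
}

function Test-PendingSafeBoot {
    # bcdedit shows a 'safeboot' element on the current boot entry when Safe Mode
    # has been configured for the next start. Braces are quoted for PowerShell.
    $enum = bcdedit /enum '{current}' 2>$null
    return [bool]($enum | Where-Object { $_ -match '^\s*safeboot\s' })
}

function Get-SafeBootEntries {
    param([ValidateSet('Minimal', 'Network')][string]$Profile = 'Minimal')
    # Each subkey of SafeBoot\Minimal (or \Network) names a service, driver or
    # service group that Windows will start in Safe Mode. Review any additions.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$Profile"
    Get-ChildItem -Path $key | ForEach-Object { $_.PSChildName }
}

function Compare-SafeBootBaseline {
    param([string[]]$Current, [string[]]$Baseline)
    # Entries present now but absent from the clean baseline are the ones to triage.
    $Current | Where-Object { $Baseline -notcontains $_ }
}

# --- run the checks ---
"Bootup state      : $(Get-SafeModeState)"
"Safe Mode pending : $(Test-PendingSafeBoot)"

if (Test-Path $BaselinePath) {
    $baseline = Get-Content $BaselinePath
    $added = Compare-SafeBootBaseline -Current (Get-SafeBootEntries -Profile 'Minimal') -Baseline $baseline
    if ($added) {
        "SafeBoot\Minimal entries not in baseline:"
        $added | ForEach-Object { "  $_" }
    } else {
        "SafeBoot\Minimal matches baseline"
    }
} else {
    "No baseline at $BaselinePath; current SafeBoot\Minimal entries:"
    Get-SafeBootEntries -Profile 'Minimal' | ForEach-Object { "  $_" }
}

# Event ID 1074 records which process requested a restart or shutdown and the
# reason given. A request from an unfamiliar process shortly before a Safe Mode
# boot is exactly the sequence this research describes.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Requester'; e = { ($_.Message -split "`n")[0] } }
```

The SafeBoot\Network profile is checked the same way by passing `-Profile 'Network'`; a baseline for it can be exported with the same one-liner. Because Safe Mode starts only what these keys list, a diff against a clean snapshot is a more reliable signal than looking for any particular tool name.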
Once the tools are available, the attackers could harvest NTLM password hashes from nearby computers and then use other tools to recover the clear-text passwords. With the passwords in clear text, the attacker would be able to escalate access to nearby systems when the PC returns to Normal Mode.
This attack can be used against the current PC as well. It requires rebooting the computer into Safe Mode, showing a login prompt, logging the credentials entered, and then rebooting the PC back into Normal Mode.
CyberArk has, of course, informed Microsoft about this issue, but since it is not a security flaw and requires a prior infection, Microsoft said there is nothing it can do about it. It would be best for all users to avoid out-of-the-blue Safe Mode reboot prompts.