Windows Safe Mode can be leveraged to carry out malicious attacks that go undetected
Researchers at CyberArk Labs, a US cyber-security vendor, have recently discovered that hackers can use Safe Mode, the Windows diagnostic feature built into every Windows operating system (OS) on both PCs and servers, as a remote attack vector. Attackers can abuse Safe Mode to expose credentials and gain further access to a PC or Windows server.
In order to execute the attack, the attacker first needs local administrative rights on the PC or server. Once they have that access, they can modify the registry to force a reboot into Safe Mode, and then create attack tools that run in Safe Mode.
In an upcoming blog post outlining its research, CyberArk writes:
“Once attackers break through the perimeter and gain local administrator privileges on an infected Windows-based machine, they can remotely activate Safe Mode to bypass and manipulate endpoint security measures.”
The researchers said that Safe Mode is ideal for attackers, as they are able to freely run tools to harvest credentials and move laterally to connected systems, all while remaining undetected. The exploit also works on Windows 10, despite the presence of Microsoft's Virtual Secure Module (VSM).
“Safe Mode, by design, does not boot any software or drivers that are not critical to the operation of Windows. As a result, by remotely forcing a reboot in Safe Mode, attackers inside a compromised system are able to operate freely, as most endpoint defenses are not enabled,” CyberArk researchers said.
Researchers at CyberArk Labs say they have developed several proof-of-concept attacks that use Windows Safe Mode as an attack vector. Using a COM object technique, a fake login screen can be displayed to imitate a normal boot and disguise the fact that the machine is in Safe Mode. Users who then type in their credentials, believing it to be a normal reboot, hand their logins over to the attackers.
“Attackers can register a malicious COM object that is loaded by explorer.exe. This enables the attacker’s code to run each time explorer.exe needs to parse icons,” CyberArk describes.
With these tools in place, the attacker’s malicious code will automatically run during a reboot sequence or the next time the victim restarts their PC, according to CyberArk.
By abusing these weaknesses, attackers can turn infected endpoints into launching points for pass-the-hash attacks, giving them access to more machines on which they can reuse the same techniques and eventually compromise the entire Windows environment.
Once an attacker has booted a machine into Safe Mode, they can access registry keys and change configurations to disable or tamper with endpoint security solutions, allowing them to run their attack tools in Normal Mode without triggering any alarms.
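For the defender's side of the two points above (a forced Safe Mode reboot, and endpoint defenses that are not started in Safe Mode), the following PowerShell check is an added example and is not CyberArk's code or part of the original article. It reports whether the next boot of the current OS entry has been set to Safe Mode and whether the named endpoint-protection services are registered under the SafeBoot keys that control what starts there; the service names in `$SecurityServices` are placeholders.

```powershell
# Added example (not CyberArk's code). Run from an elevated prompt: bcdedit
# requires administrator rights. Service names below are placeholders.

function Test-SafeBootConfigured {
    # bcdedit lists a 'safeboot' line for the current boot entry only when a
    # Safe Mode boot has been requested (Minimal or Network). Returns that
    # value, or $null when the next boot is a normal one.
    $entry = bcdedit /enum '{current}' 2>$null
    $line = $entry | Where-Object { $_ -match '^\s*safeboot\s' } | Select-Object -First 1
    if ($line -and ($line -match 'safeboot\s+(\w+)')) { return $Matches[1] }
    return $null
}

function Get-SafeBootAllowedServices {
    param([ValidateSet('Minimal','Network')][string]$SafeBootProfile = 'Minimal')
    # Only the services and driver groups listed under these keys are started
    # in Safe Mode; anything absent (typically third-party agents) stays off.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$SafeBootProfile"
    Get-ChildItem -Path $key | Select-Object -ExpandProperty PSChildName
}

# Placeholder names: replace with the real service names of your endpoint agent.
$SecurityServices = @('ExampleAVService', 'ExampleEDRSensor')

$mode = Test-SafeBootConfigured
if ($mode) {
    Write-Warning "Next boot is forced into Safe Mode ($mode); find out who set it."
    # Once confirmed unwanted, clear it with: bcdedit /deletevalue '{current}' safeboot
} else {
    Write-Output 'No Safe Mode boot is pending for the current OS entry.'
}

foreach ($p in 'Minimal', 'Network') {
    $allowed = Get-SafeBootAllowedServices -SafeBootProfile $p
    foreach ($svc in $SecurityServices) {
        if ($allowed -notcontains $svc) {
            Write-Warning "$svc is not listed under SafeBoot\$p and will not run in Safe Mode."
        }
    }
}
```

A pending `safeboot` value on a machine where nobody scheduled diagnostics is exactly the registry change the research describes and is worth alerting on; registering an agent under the SafeBoot keys is a vendor decision, so treat the second check as an inventory of coverage rather than something to fix by hand.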
The researchers discovered the attack back in February and reported it to the Microsoft Security Response Center. However, Microsoft will not fix the attack vector, since it depends on hackers already having access to a Windows machine.