Windows Safe Mode has been a useful feature for security professionals since its introduction in 1995. While computers and cyber security have changed drastically over those years, it is still an important tool: with it, you can diagnose problems on a computer or remove malware.
Because Safe Mode was designed with stability and efficiency in mind, third-party software (yes, that includes security tools) is prevented from running. CyberArk Labs recently discovered a serious flaw in this design.
According to CyberArk’s report, after an attacker is able to enter and gain local administrator privileges on an infiltrated computer, they are able to remotely activate Windows Safe Mode to “bypass and manipulate endpoint security measures.”
This attack is particularly dangerous because attackers can turn the compromised endpoints into launch points for pass-the-hash attacks. With this, the attackers gain access to more machines and the attack continues in a vicious spiral. “Ultimately,” claims CyberArk, “[it can] compromise the entire Windows environment.”
As people may or may not know, it is not very difficult to infiltrate a network and gain access to at least one machine. To prove this point, the report cites FireEye’s recent finding that “84 percent of organizations surveyed admitted to falling victim to at least one spear-phishing attack in 2015.”
After the attacker gains access to the Windows computer, which we see is quite common, they can either work with existing administrative privileges or exploit a method to elevate such privileges.
This is a very common scenario. From here, the attacker searches endpoints for credentials that help them move throughout the network. In fact, this is exactly what Microsoft’s VSM, or Virtual Secure Module, was created to counter. It effectively operates “at the endpoint level to limit the use of attack tools and protect credentials from pass-the-hash attacks.”
The kicker, though, is that these tools operate in Normal Mode, not Safe Mode. Because of the basic design of Windows Safe Mode, it “does not boot any software or drivers that are not critical to the operation of Windows.”
So, I think everyone in cybersecurity can see where this is going. Without the protection of VSM or other endpoint defenses, attackers are able to navigate through your machine liberally. Additionally, in Safe Mode attackers are said by CyberArk to be able to “capture credential hashes needed to laterally move through the environment - despite Microsoft’s claims that pass-the-hash risks have been mitigated.”
CyberArk Labs have put together an example exploit so security professionals can understand exactly how this attack can take place, and thus, how to prevent it. They were also sure to point out that this pattern of credential capture and lateral movement can be repeated many times until an eventual domain compromise is achieved.
Their step-by-step process for exploiting this weakness in Windows Safe Mode is as follows:
1. Move the Operating System into Safe Mode during the next reboot by remotely configuring the machine
To accomplish this, BCDEdit can be used to configure the system to boot into Minimal Safe Mode on its next restart. Minimal Safe Mode is the default Windows Safe Mode boot option; this configuration runs only the drivers and services that are absolutely necessary to start Windows. It also restricts Internet and network connections.
2. Arrange attack tools to load in Safe Mode
As we know, Safe Mode loads only a small set of drivers and tools, so the attackers must find a way to allow their attack tools to run in this mode. CyberArk explains that this can be done in a few ways, two of which are a malicious service and a malicious COM object.
With a malicious service, attackers create a malicious program that loads in Safe Mode and can be included in the attacker's initial payload. Alternatively, attackers can "register a malicious COM Object that is loaded by explorer.exe. This enables the attacker's code to run each time the explorer.exe needs to parse icons." Notably, this does function in Windows Safe Mode.
Accordingly, the malicious code will be in place and will run automatically during the next reboot, easily avoiding the endpoint security measures that are suspended in Minimal Safe Mode. As CyberArk states, "In this state, the attacker is able to freely use his or her tools to steal credentials from LSASS.exe and then reuse those credentials to continue the attack path of lateral movement and privilege escalation."
3. Forcibly restart the computer, commencing the exploit
This can easily be done in a variety of ways, including directly from the command line in Normal Mode.
But wait! How does the attacker do this without the victim noticing? Sure, the attacker can arbitrarily force a restart, but this will likely look suspicious to the user and prompt a phone call to the IT team. Instead, to stay under the radar, the attacker can either wait until the next restart or show the victim an “update” window with a message that says the PC must be rebooted. This “update” window can purposely be designed to look like a legitimate Windows pop-up.
Next, depending on the attacker’s goal, there are a few techniques an attacker can use to continue to stay hidden from the victim. Let’s look at the techniques based on the attacker’s goal:
- Credential Theft. If the attacker’s goal is to steal credentials for future use, then the attacker actually wants the user to log on to the system. As the user logs in, the attacker can capture the credentials. In this case, the attacker will likely use the COM object technique to execute code that will change the background, look and feel of Safe Mode – making it appear that the user is still in Normal Mode. As soon as the user enters his or her credentials, a second “update” window can prompt the user to reboot yet again to move the machine back into the actual Normal Mode. Just as mentioned above, this secondary reboot prompt can mimic a legitimate Windows prompt to prevent the user from noticing anything suspicious.
- Lateral Movement. If the attacker’s goal is to perform a pass-the-hash attack using previously compromised credentials, then the attacker does not need the user to log in. In this case, the attacker is better off creating a service. At the time of reboot, the service can automatically run code to execute a pass-the-hash attack and then immediately reboot the machine again back into Normal Mode. These back-to-back restarts are indistinguishable to the user, and thus further prevent the user from noticing that something went wrong. Based on its tests, CyberArk Labs found this technique to be highly effective in stealthily enabling lateral movement.
There is also another way to exploit Windows Safe Mode, which was tested against McAfee LiveSafe, Avira Free Antivirus, Trend Micro Maximum Security 10 and Windows Defender.
In this instance, the attacker first must boot the computer into Minimal Safe Mode (Normal Mode and Network Safe Mode can both prevent this type of attack). Then, the attacker has the ability to gain entry to registry keys to change or disable configurations and endpoint security solutions.
Once this is completed, the machine can be rebooted back to Normal Mode and the attacker can proceed without impediments or risk of being blocked.
So, what can we do to fix this?
CyberArk recommends these proactive tips:
- This attack can only be carried out on computers where the attacker holds local administrator privileges. Therefore, remove these privileges from all standard users.
- Rotate privileged account credentials. A pass-the-hash attack cannot succeed unless the credential hash is still valid. Rotating these credentials helps to protect the server by invalidating password hashes regularly.
- Use security tools that are able to operate in Windows Safe Mode, not just Normal Mode.
- Set an alert to tell you when a machine boots in Windows Safe Mode. Additionally, monitor the Windows Event Log (although be aware that the Windows Event log may not be completely trustworthy).
Until a patch is created, be sure to follow these guidelines. If you are quickly made aware of the attack, you can better protect your clients (or yourself!).
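The last two recommendations, tools that still work in Safe Mode and an alert when a machine boots into it, can be approached from the host itself. The following PowerShell script is an added example written for this article; it is not code from CyberArk's report or from any product it names. It checks two things: whether any BCD OS loader entry has a `safeboot` element set (the step-1 configuration that would send the machine into Safe Mode on its next restart), and whether the current session is already a Safe Mode session, using `Win32_ComputerSystem.BootupState` with the `SafeBoot\Option` registry key as a fallback. The function names (`Get-PendingSafeBoot`, `Get-CurrentBootMode`, `Test-SafeModeExposure`) and the `-Remediate` switch are this example's own; it assumes an elevated session, because `bcdedit` requires administrator rights.

```powershell
# Added example (not from CyberArk's report): detect a pending or active
# Safe Mode boot on a Windows host. Run from an elevated PowerShell session.

function Get-PendingSafeBoot {
    # bcdedit prints a "safeboot" element only when a Safe Mode boot has been
    # configured for that OS loader entry (values: Minimal, Network, DsRepair).
    $lines = bcdedit /enum OSLOADER 2>$null
    if (-not $lines) { return @() }   # bcdedit unavailable or not elevated

    $current  = $null
    $findings = @()
    foreach ($line in $lines) {
        if ($line -match '^identifier\s+(\S+)') {
            $current = $Matches[1]           # e.g. {current} or a GUID
        }
        elseif ($line -match '^safeboot\s+(\S+)') {
            $findings += [pscustomobject]@{ Identifier = $current; SafeBoot = $Matches[1] }
        }
    }
    return $findings
}

function Get-CurrentBootMode {
    # BootupState is "Normal boot", "Fail-safe boot" (Minimal Safe Mode) or
    # "Fail-safe with network boot". If CIM is not reachable in this session,
    # fall back to the SafeBoot\Option key, which exists only while Windows is
    # running in Safe Mode (OptionValue 1 = Minimal, 2 = Network).
    $state = $null
    try {
        $state = (Get-CimInstance -ClassName Win32_ComputerSystem -ErrorAction Stop).BootupState
    } catch { $state = 'Unknown' }

    $optionPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Option'
    $opt = Get-ItemProperty -Path $optionPath -Name OptionValue -ErrorAction SilentlyContinue
    $optionValue = if ($opt) { [int]$opt.OptionValue } else { 0 }

    $inSafeMode = ($state -like 'Fail-safe*') -or ($optionValue -ne 0)
    return [pscustomobject]@{
        BootupState    = $state
        SafeBootOption = $optionValue
        InSafeMode     = $inSafeMode
    }
}

function Test-SafeModeExposure {
    param([switch]$Remediate)   # clear a pending safeboot element when set

    $pending = Get-PendingSafeBoot
    $mode    = Get-CurrentBootMode

    foreach ($p in $pending) {
        Write-Warning "BCD entry $($p.Identifier) is set to boot into Safe Mode ($($p.SafeBoot)) on next restart"
        if ($Remediate) {
            # Documented bcdedit syntax for removing the element from an entry.
            bcdedit /deletevalue $p.Identifier safeboot | Out-Null
            Write-Warning "Removed safeboot element from $($p.Identifier); review who set it"
        }
    }
    if ($mode.InSafeMode) {
        Write-Warning "Host is currently running in Safe Mode: $($mode.BootupState) (OptionValue $($mode.SafeBootOption))"
    }

    # Return a structured result so the check can feed a scheduled task or SIEM agent.
    return [pscustomobject]@{
        Hostname        = $env:COMPUTERNAME
        Checked         = (Get-Date).ToUniversalTime()
        PendingSafeBoot = $pending
        CurrentMode     = $mode
        Alert           = ($pending.Count -gt 0) -or $mode.InSafeMode
    }
}

# Example invocation: report only, no changes.
Test-SafeModeExposure | Format-List
```

The `Alert` field is what you would schedule and forward: a `True` on a workstation that nobody asked to reboot into Safe Mode is exactly the early warning the article recommends, and it is raised before the restart rather than after, when the endpoint tools are already suspended. Because it queries BCD and the registry directly instead of relying on a third-party agent, the check keeps working inside a Safe Mode session, which is the gap the attack exploits.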