Security researcher Doron Naim has found an attack that abuses Windows 10's Safe Mode to help hackers steal logins.
The Cyberark man says remote attackers need to have access to a PC before they can spring this trap, which involves rebooting a machine into Safe Mode to take advantage of the lesser security controls offered in that environment.
Once in Safe Mode, logins can be stolen and otherwise with defeated pass-the-hash lateral techniques can be used to compromise other networked machines. A fake login screen can be shown using a COM object technique to emulate a normal boot and cloak Safe Mode. Users who then type in their credentials assuming a normal reboot will hand their logins to attackers. "Once attackers break through the perimeter and gain local administrator privileges on an infected Windows-based machine, they can remotely activate Safe Mode to bypass and manipulate endpoint security measures," Naim says.
"In Safe Mode, the attackers are able to freely run tools to harvest credentials and laterally move to connected systems – all while remaining undetected. This exploit can also work in Windows 10, despite the presence of the Microsoft’s Virtual Secure Module."
Microsoft will not fix the attack vector since it depends on hackers already having access to a Windows machine. However Naim says gaining access to at least one Windows machine in an organisation is easy, and cites a Fireeye study [PDF] which reveals most organisations had recorded falling for targeted phishing attack last year.
Entering Safe Mode avoids a host of security controls including the Virtual Security Module which would otherwise serve to limit the ability for attackers to deploy tools and steal password hashes. "This pattern of credential capture and lateral movement can be reused by an attacker multiple times until an eventual domain compromise in achieved," Naim says.
Attackers can either wait until victims reboot or generate a notice prompting that a reboot is necessary. Security controls can be disabled using the altered conditions under Safe Mode that allow registry keys to be tampered, Naim found. Popular post-exploitation tool Mimikatz in lab tests went undetected when antivirus from Microsoft, Trend Micro, McAfee, and Avira was disabled from safe boot. Naims recommends administrators cycle privileged account credentials to disrupt pass-the-hash attacks, enforce least privilege by stripping local administrator rights, and deploy security tools capable of running in Safe Mode.
110 Reykjavik, Iceland