If you're trying to removing malware from your system, it's a good idea to boot your Windows system in Safe Mode, or so conventional wisdom has taught us. That's still true, but in an ironic turn of events, security researchers at CyberArk Labs warn that remote attackers who've infiltrated a system can use Safe Mode to more easily maneuver your network and do more harm while remaining undetected.
Safe Mode loads only the bare necessities to boot and run Windows. It's primarily used to troubleshoot issues that arise in a normal Windows environment, be it a buggy driver, conflicting hardware or software, or a stubborn malware infection that you're trying to remove. The technology dates back over two decades before cyber security was really a thing. So just as Safe Mode prevents most malicious third-party software from running, the same is true of non-malicious software, including security tools.
"As a result, cyber attackers on compromised machines can remotely reboot those machines into Safe Mode to disable and evade endpoint defenses and subsequently launch their attacks," CyberArk says. "Given the number of Windows systems in use, this risk impacts billions of PCs an servers globally."
CyberArk says the risk is heightened because it's fairly easy for an attacker to break a company's security perimeter and gain access to at least one PC on a corporate network. To prove its point, the security outfit cites a recent FireEye study in which 84 percent organizations surveyed admitted to falling victim to at least one spear-phishing attack last year.
Once an attacker compromises a machine, the focus turns to evading a variety of endpoint security measures, such as antivirus software and endpoint threat detection tools. They'll look for credentials that allow them to move laterally within a network. There are tools to stop this behavior, such as Microsoft's Virtual Secure Module (VSM), but they're designed to run in a normal Windows boot environment. This is where Safe Mode comes into play.
According to CyberArk, an attacker need only complete three steps to exploit Safe Mode. The first is to change system settings to move the OS into Safe Mode during the next reboot. Second is to configure attack tools to load in Safe Mode, and last is to force a reboot of the machine.
"This process is actually much easier than it sounds, and it can typically be done without the user noticing that anything has gone wrong," CyberArk claims.
Savvy attackers will alter the third step to wait for the user to reboot the system themselves, or present them with a pop-up message saying the system needs to be restarted to install an update. Either way, once in Safe Mode, the attacker can more freely move around the network and do harm than in a normal Windows environment, according to CyberArk.
So what can organizations do about this? There are a number of precautions CyberArk outlines, such as employing security tools that operate in Safe Mode, rotating privileged account credentials, and enforcing the principle of least privilege.