Just when you thought it was safe to go back in the water … Well, you know the rest of the story.

Just because something looks safe does not mean that it is. In fact, it now appears that even when something says it is safe, that no longer means it actually is.

Unfortunately, that now applies to Safe Mode in your computer’s Windows operating system.

No Safe Is Safe

We should all be aware by now that there is no such thing as a safe safe. The infamous bank robber Willie Sutton claimed that there would never be a safe he could not crack. The theory is simple: if you can figure out how to build a safer safe, someone else can figure out how to break into it.

That is precisely what has happened to Windows’ Safe Mode. It even includes Windows 10 computers with Virtual Secure Mode (VSM) enabled, according to a report released on September 15, 2016, by CyberArk Labs.

It’s Kind of Like Judo

The attacks on Safe Mode resemble the fundamental concept behind Judo and other martial arts: use the other person’s strength against them. In this case, the strength is Safe Mode itself, and attackers can now use it against you and your business.

The strength of Safe Mode is that it boots a PC or server with only the drivers and services essential to the operating system. Put another way, a computer or server booted in Safe Mode does not start most third-party software. That can, and often does, include security software.

Safe This Way

This new kind of attack enters through the door where you least expect it, the one marked “Safe This Way.” While that may sound innocuous enough, to a safecracker it reads more like an invitation, and hackers see it the same way. We read the sign as pointing to a safe route or place; safecrackers and hackers read it as the route to the place where the safe is.

From the attackers’ perspective, as the report describes it: “Once in Safe Mode, logins can be stolen and otherwise-defeated pass-the-hash lateral techniques can be used to compromise other networked machines. A fake login screen can be shown using a COM object technique to emulate a normal boot and cloak Safe Mode. Users who then type in their credentials assuming a normal reboot will hand their logins to attackers.

Once attackers break through the perimeter and gain local administrator privileges on an infected Windows-based machine, they can remotely activate Safe Mode to bypass and manipulate endpoint security measures.

In Safe Mode, the attackers are able to freely run tools to harvest credentials and laterally move to connected systems – all while remaining undetected.”

What Should We Do Now?

Unfortunately, not much. However, we advise the following precautionary measures, per CyberArk’s and PC Pit Stop’s advice. Network administrators should:

  • cycle privileged account credentials to disrupt pass-the-hash attacks
  • enforce least privilege by stripping local administrator rights
  • deploy security tools capable of running in Safe Mode
  • ensure your operating system and applications are updated
  • run a security scan at least once a week
  • think before you click
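Two of the measures above, spotting a remotely forced Safe Mode boot and making sure your security tooling is allowed to run in Safe Mode, can be checked from an elevated PowerShell prompt. The script below is an added example written for this page; it is not from the original article, from CyberArk’s report, or from PC Pit Stop. It relies on two Windows facts: a Safe Mode boot can be forced with “bcdedit /set {current} safeboot minimal”, which then shows up as a “safeboot” entry in “bcdedit /enum {current}”, and Safe Mode starts only the services and driver groups listed under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal (or \Network for Safe Mode with Networking). The service name in $ExpectedAgents is a placeholder you replace with your own endpoint product’s service name, and the “binary lives outside \Windows” test is a rough heuristic for a non-Microsoft service, not a verdict.

```powershell
# Added example for this article (not CyberArk's or PC Pit Stop's code).
# Audits the two things the Safe Mode attack depends on:
#   1. a forced Safe Mode on next boot (set with: bcdedit /set {current} safeboot minimal)
#   2. the SafeBoot allow-lists that decide which services start in Safe Mode;
#      a security agent that is not listed simply never starts there.
# Run from an elevated PowerShell prompt.

# ASSUMPTION: replace with the service name(s) of your own endpoint security product.
$ExpectedAgents = @('ExampleEDRService')

# --- 1. Is the boot loader configured to force Safe Mode on the next reboot? ---
$bcd = bcdedit /enum '{current}' 2>&1
$safebootLine = $bcd | Where-Object { $_ -match '^\s*safeboot\s+' }
if ($safebootLine) {
    Write-Warning "Next boot is forced into Safe Mode: $($safebootLine.Trim())"
    Write-Warning "If you did not set this, clear it with: bcdedit /deletevalue {current} safeboot"
} else {
    Write-Output "OK: no safeboot entry in the current boot configuration."
}

# --- 2. What is allowed to start in Safe Mode, and is our agent among it? ---
foreach ($mode in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    $entries = @(Get-ChildItem -Path $key | ForEach-Object { $_.PSChildName })

    # Entries are service names, driver file names or driver group names.
    # Look up the ones that are real services and flag any whose binary does not
    # live under \Windows: those are candidates an attacker could have added so
    # that their own tool runs in Safe Mode (heuristic only, review by hand).
    foreach ($name in $entries) {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        if ($svc -and $svc.PathName -notmatch '\\Windows\\') {
            Write-Warning "SafeBoot\${mode}: non-Windows service '$name' will run in Safe Mode: $($svc.PathName)"
        }
    }

    # Confirm the expected security agent is on the allow-list for this mode.
    foreach ($agent in $ExpectedAgents) {
        if ($entries -contains $agent) {
            Write-Output "OK: $agent is allowed to start in SafeBoot\$mode."
        } else {
            Write-Warning "$agent is NOT listed in SafeBoot\${mode}; it will not start in Safe Mode."
        }
    }
}
```

Run it on a machine you suspect, or on a schedule across the fleet. Any safeboot entry you did not set yourself, or a non-Windows service you do not recognise in the SafeBoot lists, deserves a look before the next reboot, because that reboot is exactly the moment the attack needs.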

Finally, read our newsletters and releases to stay abreast of threats and ways to prevent them. And don’t be afraid of the dark.

For any further information, please contact Tech Sentries at 843-282-2222.