Monday 19 September 2016

Windows Safe Mode attack could put your passwords at risk

Because it loads only the essential elements of the Windows operating system, Safe Mode is a useful diagnosis and troubleshooting tool. However, according to researchers at CyberArk Labs, it may also expose users to risk.

Safe Mode prevents much third-party software from loading at startup, and that can include security solutions. Attackers who obtain remote access to a machine may therefore be able to reboot it into Safe Mode to launch attacks.

"Of course, the attacker can force an arbitrary restart, but this would be suspicious to the user and would probably cause a phone call to the IT team," writes CyberArk researcher Doron Naim on the company's blog. "Instead, to stay under the radar, the attacker can also wait until the next reboot or show the victim an 'update' window with a message that the computer must be restarted. This 'update' window can be deliberately designed to look like a legitimate Windows pop-up."

By registering a malicious service to run in Safe Mode (only its initial load is needed) or registering a malicious COM object that runs every time explorer.exe is launched, attackers can ensure their malware works in Safe Mode. Once there, they could capture the credentials the user logs in with, and change the appearance of the system so that it always appears to be in normal mode.

They could also use previously compromised credentials in a pass-the-hash attack against other machines on the network. That could be done at Safe Mode startup by running a service and then restarting immediately into normal mode, so the user is not aware that anything is wrong.

There are steps companies can take to reduce the risk. Booting into Safe Mode from normal mode is only possible when an attacker has local administrator privileges, so by removing local administrator privileges from standard users, organizations can reduce their exposure. Naim also recommends that businesses rotate their privileged credentials, use security tools that work in Safe Mode, and monitor when Safe Mode is used, either by setting alerts or through event log monitoring.
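One way to act on the two points above (the SafeBoot service registration an attacker relies on, and the recommendation to monitor Safe Mode use) is an audit script run from a scheduled task or an EDR script job. The following is an added example, not code from the article or from CyberArk; it assumes a baseline file of known-good SafeBoot entries at a hypothetical path, captured earlier on a clean machine.

```powershell
# Audit the Windows SafeBoot lists for services or drivers not in a known-good baseline,
# and report whether the current session was booted into Safe Mode.
# Assumption (hypothetical path): one entry name per line, captured on a clean machine.
$baselinePath = 'C:\Audit\safeboot-baseline.txt'
$baseline = if (Test-Path $baselinePath) { Get-Content $baselinePath } else { @() }

# SafeBoot\Minimal is consulted for "Safe Mode", SafeBoot\Network for "Safe Mode with Networking".
# Any service or driver group listed under these keys is allowed to start in Safe Mode.
$safeBootKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
)

function Get-UnexpectedSafeBootEntries {
    foreach ($key in $safeBootKeys) {
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            $name = $_.PSChildName
            if ($baseline -notcontains $name) {
                [PSCustomObject]@{
                    Key   = $key
                    Entry = $name
                    # The key's default value is "Service" or "Driver Group"
                    Type  = (Get-ItemProperty -Path $_.PSPath).'(default)'
                }
            }
        }
    }
}

# SM_CLEANBOOT (67): 0 = normal boot, 1 = Safe Mode, 2 = Safe Mode with Networking.
Add-Type -Namespace Win32 -Name User32 -MemberDefinition @'
[DllImport("user32.dll")] public static extern int GetSystemMetrics(int nIndex);
'@

function Get-SafeModeState {
    $mode = [Win32.User32]::GetSystemMetrics(67)
    # A persistent "safeboot" entry in the boot configuration means the NEXT boot is Safe Mode too.
    $bcdPersisted = (bcdedit /enum '{current}' 2>$null) -match '^\s*safeboot\s'
    [PSCustomObject]@{
        CurrentBoot      = @('Normal', 'SafeMode', 'SafeModeNetworking')[$mode]
        SafeBootInBCD    = [bool]$bcdPersisted
    }
}

Get-SafeModeState
Get-UnexpectedSafeBootEntries | Format-Table -AutoSize
```

Forwarding the output to a SIEM, or alerting whenever CurrentBoot is not "Normal" or an unexpected entry appears, gives the Safe Mode monitoring the article recommends.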

You can find more information on how the Safe Mode attacks work on the CyberArk blog.
