04.09.2017 12:21 - Windows safe mode is, contradictorily, very unsafe
Author: findkeyhome Category: Lifestyle

Windows Safe Mode has been a useful feature for security professionals since it first shipped in 1995. While computers and cyber security have changed drastically over those years, it's still an important tool: with it, you can diagnose certain issues with a computer or remove malware.

Because Safe Mode was designed with stability and efficiency in mind, third-party software (yes, that includes security tools) is prevented from running. CyberArk Labs recently discovered a serious flaw in this design.

According to CyberArk's report, once an attacker has gained local administrator privileges on an infiltrated computer, they are able to remotely activate Windows Safe Mode to "bypass and manipulate endpoint security measures."

This attack is particularly dangerous because attackers can turn the compromised endpoints into launching points for pass-the-hash attacks. With this, the attackers gain access to more machines, and the attack continues in a vicious spiral. "Ultimately," claims CyberArk, "[it can] compromise the entire Windows environment."

As people may or may not know, it's not very difficult to infiltrate a computer network and gain access to at least one machine. To prove this point, the article cited FireEye's recent report that "84 percent of organizations surveyed admitted to falling victim to at least one spear-phishing attack in 2015."

After the attacker gains access to the Windows computer, which we see is quite common, they can either work with existing administrative privileges or exploit a method to elevate such privileges.

This is a very common scenario. From here, the attacker searches endpoints for credentials that help them move through the network. In fact, this is exactly what Microsoft's VSM, or Virtual Secure Module, was created to prevent. It operates "at the endpoint level to limit the use of attack tools and protect credentials from pass-the-hash attacks."

The kicker, though, is that these tools operate in Normal Mode, not Safe Mode. By the very design of Windows Safe Mode, it "does not boot any software or drivers that are not critical to the operation of Windows."

So, I think everyone in cybersecurity can see where this is going. Without the protection of VSM or other endpoint defenses, attackers are able to move through your machine freely. Additionally, CyberArk says that in Safe Mode attackers are able to "capture credential hashes needed to laterally move through the environment - despite Microsoft's claims that pass-the-hash risks have been mitigated."
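Because a forced Safe Mode boot is selected through the boot configuration (the `safeboot` value on a BCD boot loader entry), one defensive check that follows from the passage above is to audit `bcdedit /enum` output for loader entries that would boot into Safe Mode, where the endpoint agent will not load. The script below is an added example and not CyberArk's or Microsoft's code; the `bcdedit` output it parses is a constructed sample, and the function names (`parse_bcdedit`, `find_safe_mode_entries`) are my own.

```python
"""Audit Windows Boot Configuration Data for entries that force a Safe Mode boot.

Added example: parses text in the layout `bcdedit /enum` prints and flags any
boot loader entry carrying the `safeboot` or `safebootalternateshell` values.
Run on a Windows host with administrator rights to audit the live BCD; anywhere
else it falls back to the constructed sample below.
"""
import re
import subprocess
import sys
from typing import Dict, List

# Constructed sample (not captured from a real machine). The {current} entry has
# been set to boot into Safe Mode with an alternate shell, which is the state a
# defender wants to notice before the next reboot.
SAMPLE_BCDEDIT_OUTPUT = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
default                 {current}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \WINDOWS\system32\winload.exe
description             Windows 10
osdevice                partition=C:
systemroot              \WINDOWS
safeboot                Minimal
safebootalternateshell  Yes
"""

# BCD values that select a Safe Mode boot (Minimal / Network) or the Safe Mode
# command prompt; any of them present on a loader entry is worth an alert.
SAFE_MODE_KEYS = ("safeboot", "safebootalternateshell")

# bcdedit prints "<name><two or more spaces><value>" for every element.
_ELEMENT_RE = re.compile(r"^(\S+)\s{2,}(.+)$")


def parse_bcdedit(output: str) -> List[Dict[str, str]]:
    """Split bcdedit text into one dict per entry, keyed by lower-cased element name."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("---"):
            continue  # blank line or the dashed underline of a section header
        match = _ELEMENT_RE.match(line)
        if not match:
            continue  # section headers such as "Windows Boot Loader"
        key, value = match.group(1).lower(), match.group(2).strip()
        if key == "identifier":
            current = {"identifier": value}  # every entry starts with its identifier
            entries.append(current)
        elif current:
            current[key] = value
    return entries


def find_safe_mode_entries(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the entries whose next boot would land in Safe Mode, with the offending values."""
    findings = []
    for entry in entries:
        flags = {k: entry[k] for k in SAFE_MODE_KEYS if k in entry}
        if flags:
            findings.append({
                "identifier": entry["identifier"],
                "description": entry.get("description", ""),
                "flags": flags,
            })
    return findings


def collect_bcd() -> str:
    """Use the live BCD on Windows (needs an elevated prompt); otherwise the sample."""
    if sys.platform == "win32":
        result = subprocess.run(["bcdedit", "/enum"], capture_output=True, text=True)
        if result.returncode == 0:
            return result.stdout
    return SAMPLE_BCDEDIT_OUTPUT


if __name__ == "__main__":
    for finding in find_safe_mode_entries(parse_bcdedit(collect_bcd())):
        print(f"ALERT: {finding['identifier']} ({finding['description']}) "
              f"is configured for Safe Mode: {finding['flags']}")
```

On the sample this reports the `{current}` entry with `safeboot Minimal` and `safebootalternateshell Yes`. The same parser can feed a scheduled task or an EDR custom check; a finding on a workstation that nobody is troubleshooting is a strong signal to investigate before the machine reboots without its endpoint protection.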

Example Exploits

CyberArk Labs has put together an example exploit so that security professionals can understand exactly how this attack takes place, and thus how to prevent it. They were also careful to point out that this pattern of credential capture and lateral movement can be repeated many times until an eventual domain compromise is achieved.
