Hackers can exploit Safe mode in Windows to launch security attacks

By: Ivan Jenic

When you think of Safe Mode, your first association is probably a reduced risk of malicious attacks on your computer. Because Safe Mode runs only essential, first-party programs in Windows, it is often used to fix security and other system problems.

However, there’s one contradiction. Although Safe Mode’s purpose is to provide a risk-free environment, it can actually leave your computer in danger if a hacker takes full advantage of it. According to researchers at CyberArk Labs, not running the majority of programs is good for your security, but it can also be very bad at the same time.

If an attacker has remote access to a user’s computer, he can boot it into Safe Mode and launch an attack. Since all potential security programs and antiviruses are turned off, there would be nothing to stop malicious software.

“Sure, the attacker can arbitrarily force a restart, but this will likely look suspicious to the user and prompt a phone call to the IT team,” says CyberArk researcher Doron Naim writing on the company’s blog. “Instead, to stay under the radar, the attacker can also either wait until the next restart or show the victim an ‘update’ window with a message that says the PC must be rebooted. This ‘update’ window can purposely be designed to look like a legitimate Windows pop-up”.

Once attackers are in Safe Mode, they can easily capture important user data like credentials and even execute pass-the-hash attacks to break into other computers on the same network.

Although completely removing this risk is almost impossible, there are some security measures recommended for enterprises. Admins can remove administrator privileges from normal users so that attackers are not able to switch from Normal to Safe mode, rotate privileged credentials, make security tools available in Safe Mode, and continuously monitor any suspicious activity that involves PCs booting into Safe Mode.
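
The monitoring and "security tools available in Safe Mode" measures above can be backed by a read-only host audit. The PowerShell below is an added example, not code from CyberArk or from this article; the service name `ExampleEdrAgent` is a placeholder assumption to be replaced with the service name of your own security agent.

```powershell
# Added example: read-only audit of a Windows host's Safe Mode exposure.
# Run from an elevated PowerShell prompt (bcdedit requires administrator rights).
function Get-SafeModeAudit {
    [CmdletBinding()]
    param(
        # Hypothetical placeholder: service names of your endpoint security agents.
        [string[]]$SecurityServices = @('ExampleEdrAgent')
    )

    # 1. How did the current session boot? BootupState reports "Normal boot",
    #    "Fail-safe boot" or "Fail-safe with network boot".
    $bootState = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState

    # 2. Is the next boot pinned to Safe Mode? A "safeboot" element on the
    #    current boot entry means the machine will restart into Safe Mode.
    $pending = $null
    foreach ($line in (& bcdedit.exe /enum '{current}' 2>&1)) {
        if ("$line" -match '^\s*safeboot\s+(\S+)') { $pending = $Matches[1]; break }
    }

    # 3. Are the security services registered to load in Safe Mode? Services
    #    allowed in Safe Mode have a subkey under SafeBoot\Minimal or \Network.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
    $coverage = foreach ($svc in $SecurityServices) {
        [pscustomobject]@{
            Service = $svc
            Minimal = Test-Path -LiteralPath "$base\Minimal\$svc"
            Network = Test-Path -LiteralPath "$base\Network\$svc"
        }
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        BootupState      = $bootState
        InSafeMode       = $bootState -like 'Fail-safe*'
        PendingSafeBoot  = $pending   # $null when no safeboot element is set
        SecurityCoverage = $coverage
    }
}

$audit = Get-SafeModeAudit
$audit | Format-List ComputerName, BootupState, InSafeMode, PendingSafeBoot
$audit.SecurityCoverage | Format-Table -AutoSize
if ($audit.InSafeMode -or $audit.PendingSafeBoot) {
    Write-Warning "Safe Mode boot detected or pending on $($audit.ComputerName)."
}
```

Run on a schedule and forwarded to central logging, the `PendingSafeBoot` and `InSafeMode` fields give the IT team the signal the article recommends watching for, and a `False` in the coverage table shows a security tool that will not load in that Safe Mode variant.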
