May 6, 2022
ThreatLocker strives to keep our partners informed about potential weaknesses in their environment and create Built-In Policies to help mitigate them. The above email was sent in response to ThreatLocker observing an increased use of the BCDEdit tool across our customer base. The tool was called from various management and remote access tools and in some cases was used to reboot computers in safe mode.
ThreatLocker does not believe there is a zero day vulnerability in any tool that has led to this increase in attacks. We are simply sharing that we've observed a sharp increase in attacks using this method. There is no single management or remote access tool that is responsible for the increase. ThreatLocker believes that this increase pertains to a general overall increase in cyber attacks.
ThreatLocker will publish a report of the daily usage count of BCDEdit for your information.
The notice we sent on May 5, 2022, was not intended to indicate that there was a vulnerable RMM tool. It was purely intended to advise our customers and partners to add the new suggested policies.
May 5, 2022
We have observed a large increase in attackers using companies’ and MSPs’ remote management tools over the last few days. While in most of these cases the tools had dual-factor authentication, attackers were still able to access them and use them to launch cyberattacks.
Using these tools, the attacker may issue commands to reboot the machine in Safe Mode with Networking, a feature available in many remote management tools. A machine booted in Safe Mode does not load security software.
We recommend that all partners consider Ringfencing™ their remote management tools. Application Interaction can and should be blocked between these tools and bcdedit.exe (Built-In), as per the below.
In addition to this, we have also added a new suggested policy – bcdedit.exe (Built-In) - DENY, and recommend that it be added at the Global Level, should BCDedit not be needed. This will block the execution of BCDEdit across all environments.