Brand new “Skeleton Key” malware can bypass the authentication on Active Directory systems
Security managers have been warned about a newly-discovered piece of malware called ‘Skeleton Key’ that can potentially unlock corporate networks.
Researchers at Dell SecureWorks Counter Threat Unit warned that the malware, which can bypass authentication on Active Directory (AD) systems that only use single-factor (i.e. password only) authentication.
The researchers discovered Skeleton Key on a client network that apparently was only secured with single-factor authentication for access to webmail and VPN.
The way the malware works is that it is deployed as an in-memory patch on a victim’s AD domain controllers. The hacker can essentially authenticate as any user, while legitimate users can continue to authenticate as normal. Once logged in however, the hacker can effectively do what they want.
“Skeleton Key’s authentication bypass also allows threat actors with physical access to login and unlock systems that authenticate users against the compromised AD domain controllers,” warned the researchers.
The good news is that if a compromised domain controller is restarted, the hacker must reinfect the system again with malware. And even better, the researchers believe that the hackers can only determine if a restart has taken place because their malware is no longer working.
However, what makes this new piece of malware so difficult to detect is the fact that it does not transmit network traffic.
“The Skeleton Key malware does not transmit network traffic, making network-based detection ineffective,” said the researchers. “However, the malware has been implicated in domain replication issues that may indicate an infection. Shortly after each deployment of the Skeleton Key malware observed by CTU researchers, domain controllers experienced replication issues that could not be explained or addressed by Microsoft support and eventually required a reboot to resolve. These reboots removed Skeleton Key’s authentication bypass because the malware does not have a persistence mechanism.”
Of course, Dell’s CTU research team are urging organisations to implement multi-factor authentication for all remote access solutions, in an effort to protect against the Skeleton Key malware.
They also recommend firms implement a process creation audit trail on workstations and servers, including AD domain controllers, which may detect Skeleton Key deployments. And they say that monitoring Windows Service Control Manager events on AD domain controllers may reveal unexpected service installation events.
For a long while now experts have been urging companies to adopt multi-factor or two-factor authentication.
“The single most important takeaway from the skeleton key malware is the need to use multi-factor authentication when it’s available,” said Joshua Cannell, a malware intelligence analyst at Malwarebytes.
“In this case, having two-factor authentication would have effectively prevented attacks by the malware,” he said. “Passwords alone are a weak form of authentication, and are very prone to becoming compromised. From a security standpoint, attacks from this malware should be relatively easy to deter, as not only does it require only single-factor authentication on the domain, but also an administrator’s credentials.”
A simple step-by-step guide on how to use multi-factor authentication on your favourite devices and websites such as PayPal, Facebook, Twitter, Google and Apple, can be found here.
Are you a security pro? Try our quiz!