Dell researchers report on a new piece of malware, dubbed Skeleton Key, which can bypass authentication on Active Directory systems.
The Dell team says that Skeleton Key allows attackers to avoid detection on AD systems that use single-factor authentication. Such systems rely only on passwords. The cyber criminals can pick any password and log in as any user in order to do whatever they please online.
Skeleton Key was first detected on a network that uses passwords to access email accounts and VPN services. Once active as an in-memory patch on the network's AD domain controller, the malware gives the attackers unlimited access to services. Users can carry on with their activities without being aware of the malware's presence in the system.
The researchers report that threat actors with physical access to the infected machine can log in and unlock systems that authenticate PC users against the infected AD domain controllers.
In this way the cyber crooks can pose as any user without drawing attention to their activities or restricting the legitimate users' access. The attack is anything but sophisticated, but it can be used to pose as a company's manager, an HR director, or basically anyone the attacker wants to impersonate without raising suspicion. More importantly, the crooks can take over sensitive information.
Skeleton Key does not transmit network traffic, which makes it hard to detect with IDS/IPS intrusion detection and prevention systems.
Skeleton Key has another weakness: it must be redeployed each time the domain controller is restarted. Researchers believe that the malware is compatible with 64-bit Windows versions only.
The researchers say that at some point the threat actors used other remote access malware already activated on the victim’s network to redeploy Skeleton Key on the domain controllers.
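Because the patch lives only in memory and has to be redeployed after every domain controller restart, a defender can sweep each DC for the two things the article describes: how long the current in-memory state has existed, and whether anything that looks like remote redeployment has happened since that boot. The following script is an added example, not code from the article or from Dell; it assumes a domain-joined admin host with the ActiveDirectory RSAT module and remote event log access, and the event IDs it uses (System 7045 for a service install, Security 4611 for a new LSA logon process) are real Windows IDs whose use as a Skeleton Key heuristic is this example's assumption.

```powershell
# Added example: sweep all domain controllers for signs that an in-memory
# patch such as Skeleton Key may have been (re)deployed since the last boot.
# Assumes: ActiveDirectory module, WinRM/CIM and remote event log access to each DC.

foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName

    # 1. Uptime: an in-memory patch does not survive a reboot, so the last boot
    #    is the earliest moment the current state could have been tampered with.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $name
    $lastBoot = $os.LastBootUpTime

    # 2. Redeployment needs code execution on the DC. Service installs (7045) and
    #    newly registered LSA logon processes (4611) since that boot are the
    #    heuristic used here; compare the results against a known-good baseline,
    #    because legitimate services and logon processes also register at startup.
    $svc = Get-WinEvent -ComputerName $name -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; Id = 7045; StartTime = $lastBoot }
    $lsa = Get-WinEvent -ComputerName $name -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4611; StartTime = $lastBoot }

    [pscustomobject]@{
        DomainController  = $name
        LastBoot          = $lastBoot
        ServiceInstalls   = @($svc).Count
        NewLogonProcesses = @($lsa).Count
        Review            = (@($svc).Count + @($lsa).Count) -gt 0
    }
}
```

A restart clears the patch itself but not the remote access malware the article says was used to redeploy it, so a flagged DC still needs the usual incident response rather than just a reboot.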
To prevent a Skeleton Key infection, experts recommend using multi-factor authentication.