Researchers from Dell SecureWorks recently discovered a sophisticated malware variant which allows hackers to authenticate themselves as any user on a Windows Active Directory server using a password of their choosing, once the network has been infiltrated using stolen login credentials. Based on the malware analysis offered by Dell, it appears that Skeleton Key – as named by the Dell researchers responsible for discovering the malware – was carefully designed to do a specific job. This malware is deployed as an in-memory process ‘patch’ applied with the same compromised admin account that was used to access the system in the first place.
Because it is an in-memory process patch, the malware generates no network traffic and is very difficult to catch as a result. This authentication bypass technique applies to all services relying on single-factor authentication via Active Directory, including sensitive services such as VPN and Web mail. Although this threat is concerning, it is difficult to determine exactly what the purpose of this malware is, because a hacker would already need admin credentials to access the server prior to deploying Skeleton Key. In other words, it appears redundant, and that has left security researchers questioning the need for such a program. The best guess at this point is that Skeleton Key is designed for long-term attacks in which hackers use regular user accounts from within the network to avoid detection.
Furthermore, the complexity of the malware could point to development by a nation state deploying Skeleton Key as part of a larger campaign with as-yet-unknown targets.
That said, records found within the intercepted malware files indicate that Skeleton Key has been deployed in many organizations, not just the one in which Dell researchers discovered the malware (the affected network was not named in Dell’s published analysis report). There are two weaknesses inherent to Skeleton Key.
First, the malware disappears if the Active Directory controller is rebooted. Although a hacker already inside the network could simply re-deploy the malware after a reboot, the chances of detection increase with every re-deployment. Second, Skeleton Key only works on certain versions of Windows Server, specifically Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2. Newer versions of Windows Server are not affected by this malware, and neither are 32-bit versions of the OS. It seems that Skeleton Key is the latest in a growing list of complex malware campaigns most likely backed by an unknown government entity.
Protecting the network from this threat is best accomplished by properly managing administrative accounts. Using two-factor authentication for these accounts, for instance, is probably the best way to avoid infiltration.
Obviously, a strong password policy is also a good idea, as it is much more difficult for hackers to guess or brute-force complex passwords. Dell researchers also recommend monitoring Windows Service Control Manager events on the Active Directory controller for signs that a Skeleton Key breach may already have occurred. As always, ensure all of the latest OS and application updates are installed regularly to further prevent Skeleton Key infiltration and any associated damage it may cause.
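The Service Control Manager monitoring recommended above can be started with a simple review of service installation events on each domain controller. The script below is an added example, not code from the article or from Dell's report: it pulls Event ID 7045 ("A service was installed in the system") from the System log and flags entries that fall outside an assumed baseline or whose binary lives in an unusual location. The `$ExpectedServices` list and the path patterns are placeholders to be tailored to your environment.

```powershell
# Added example: review service installations (System log, Event ID 7045) on a
# domain controller and flag those that do not match an expected baseline.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 30
)

# Assumed baseline of services this DC is expected to install. Placeholder
# names; replace with what is legitimately deployed in your environment.
$ExpectedServices = @('WinDefend', 'Sense')

$filter = @{
    LogName   = 'System'
    Id        = 7045
    StartTime = (Get-Date).AddDays(-$Days)
}

try {
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
} catch {
    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    if ($_.Exception.Message -like '*No events were found*') { $events = @() } else { throw }
}

$findings = foreach ($e in $events) {
    # Property order for 7045: ServiceName, ImagePath, ServiceType, StartType, AccountName
    $name  = $e.Properties[0].Value
    $image = $e.Properties[1].Value

    $flags = @()
    if ($ExpectedServices -notcontains $name) { $flags += 'not in baseline' }
    # Service binaries under temp or user-writable directories deserve a closer look.
    if ($image -match '\\(Temp|Users|ProgramData)\\') { $flags += 'unusual image path' }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Computer    = $e.MachineName
        Service     = $name
        ImagePath   = $image
        Account     = $e.Properties[4].Value
        Flags       = ($flags -join ', ')
    }
}

# Only entries with at least one flag are shown, oldest first.
$findings | Where-Object { $_.Flags } | Sort-Object TimeCreated | Format-Table -AutoSize
```

Run it with an account that can read the System log remotely, and compare the output against the change records for each controller; an unexplained service installation on a DC is worth investigating regardless of whether Skeleton Key is involved.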