Miscreants have forged a strain of malware that bypasses authentication on Microsoft Active Directory (AD) systems.
Attackers can use a password of their own choosing to authenticate as any corporate user, Dell SecureWorks warns. The malware, dubbed Skeleton Key, is deployed as an in-memory patch on a victim's AD domain controllers, allowing attackers to authenticate as any user while legitimate users continue to log on as normal and notice nothing amiss.
The only known Skeleton Key samples discovered so far lack persistence and must be redeployed whenever a domain controller is restarted – a major drawback for the miscreants. Malevolent actors might, however, use other remote access malware already deployed on the victim's network to reinstall Skeleton Key on the domain controllers after a reboot.
Dell SecureWorks CTU researchers discovered Skeleton Key when working an incident response case for an organisation. The malware gives the threat actor unfettered access to remote access services such as webmail and VPN.
The Skeleton Key malware requires domain administrator credentials for initial deployment. These credentials can be stolen from critical servers, administrators' workstations, and the targeted domain controllers themselves.
Dell SecureWorks has put together a blog post explaining the malware – and how to detect it.