Skeleton Key Malware A Threat To Active Directory Systems

Dell researchers have discovered a new malware, dubbed Skeleton Key which can bypass the authentication process on Active Directory systems.

The research published by Dell SecureWorks Counter Threat Unit (CTU) team this week, identify Skeleton Key malware as a deceiving tool for the hackers to find a way around AD systems’ single factor authentication - in other words, systems that rely on passwords alone for security.

The research team says that hackers can use a password of their choosing to authenticate as any user -- before diving into the network and doing as they please.

Skeleton Key was discovered on a client's network which uses passwords for access to email and VPN services. The malware, once deployed as an in-memory patch on a system's AD domain controller, gave the cybercriminals unfettered access to remote access services. However, legitimate users were able to carry on as normal -- blissfully unaware of the malware's presence or impersonation.

"Skeleton Key's authentication bypass also allows threat actors with physical access to login and unlock systems that authenticate users against the compromised AD domain controllers," CTU researchers said.

So, while an attacker already needs admin access to the network, they can pose as any user without alerting others or restricting access of legitimate users.

However, the set back within the malware is that the need for constant redeployment to operate every time the domain controller is started. Skeleton Key is also believed to only be compatible with 64-bit Windows versions.

"Between eight hours and eight days of a restart, threat actors used other remote access malware already deployed on the victim's network to redeploy Skeleton Key on the domain controllers," the security team says.

According to ZDnet, the malware does not transmit network traffic, so may be more difficult to detect by IDS/IPS intrusion prevention systems -- although it has been implicated in domain replication issues that may indicate an infection. In these cases, a reboot is required to resolve the issue. To prevent the malware from affecting your network, multi-factor authentication is the best way forward.