According to the security researchers, the "Skeleton Key" malware allows cybercriminals to bypass Active Directory (AD) systems that implement only single-factor authentication -- in other words, systems that rely on passwords alone for security. The team says that hackers can use a password of their choosing to authenticate as any user -- before diving into the network and doing as they please.
Skeleton Key was discovered on a client's network which uses passwords for access to email and VPN services. The malware, once deployed as an in-memory patch on a system's AD domain controller, gave the cybercriminals unfettered access to remote access services. However, legitimate users were able to carry on as normal -- blissfully unaware of the malware's presence or impersonation.
"Skeleton Key's authentication bypass also allows threat actors with physical access to log in and unlock systems that authenticate users against the compromised AD domain controllers," CTU researchers say.
So, while an attacker already needs admin access to the network, they can pose as any user without alerting anyone or disrupting legitimate users' access. Why bother? The answer is simple. It may not be the most sophisticated type of attack, but its core character is stealth.
Should I be a disgruntled employee or person with malicious intent, I could use the malware to pose as an HR director or accounts manager and access the personal data of employees, partners and potentially customers without raising suspicion. I could pretend to be a board member simply accessing my email or looking over financial data in the company. The data is there for the taking.
These days, hackers deal in information -- and it would only take one bribed employee to provide such data, using the malware to prevent detection.
However, there is another weakness within the malware -- it does not survive a reboot, so it must be redeployed every time the domain controller is restarted. Skeleton Key is also believed to be compatible only with 64-bit Windows versions.
"Between eight hours and eight days of a restart, threat actors used other remote access malware already deployed on the victim's network to redeploy Skeleton Key on the domain controllers," the security team says.
The malware does not transmit network traffic, so it may be more difficult to detect with intrusion detection and prevention systems (IDS/IPS) -- although it has been implicated in domain replication issues that may indicate an infection. In these cases, a reboot is required to resolve the issue. To prevent the malware from affecting your network, multi-factor authentication is the best way forward.