|Skeleton Key Here is a malware that allows the attacker to log in as any user, without the need to know or change a user’s password. What’s worse is that Intrusion Detection System (IDS)(Definition) does not raise any alarms.
There are two ways to detect an attacker within your network – through network monitoring software or abnormal user behavior. Here comes a new malware that can evade both. Skeleton key is able to bypass Active Directory (Definition) systems that use single-factor authentication (Definition) to access webmail and Virtual Private Network (VPN) (Definition). The malware is deployed as an “in-memory patch” and is not installed in the hard disk, which makes it very difficult to detect.
This allows the attacker to assume the identity of any user, without having to steal the user’s log in credentials or even changing the user’s password. It will seem like normal end user activity that does not raise much suspicion.
As the attacker can pose as any user, it can for example, assume the identity of a Technical Manager, then it wouldn’t seem unusual for them to access relevant technical information. If they pose as a Sales Director, then it wouldn’t raise a red flag if credit card data is accessed.
The reason that IDS or IPS cannot detect the Skeleton Key is that it does not create network traffic. It would seem that the malware is invincible. It is considered to be super stealthy.
The Skeleton Key has some flaws. It would be deleted upon reboot of the Active Directory system, which would leave the attackers locked out when they try to sign in as an employee. What this means is that the attackers have failed to set up an effective command and control infrastructure. However, the attackers would already have a Remote Access Trojan installed on the target’s network, which allows them to use that malware to re-activate Skeleton Key.
Nevertheless, only systems that run off of Active Directory are affected. Does it mean that we should not be too concern about it? Of course not! Anyone using Active Directory should be concerned. If this malware infects an organization that’s widely using Active Directory, they have a lot to worry about, as their critical authentication process will be completely compromised.
For your information, the Skeleton Key was discovered last year in a global organization with its headquarters in London. It was later dubbed the Skeleton Key, as it was able to provide almost unrestrained access to every single employee’s corporate account. Don Smith, Technology Director at Dell SecureWorks said that in his 20 years in the security business, this is one of the most startling cases of digital espionage he has seen.
In the beginning of this article, it is mentioned that Skeleton Key is able to bypass Active Directory systems that use single-factor authentication. A place to start to mitigate this problem is to employ two-factor authentication (Definition).