New “Skeleton Key” malware allows bypassing of passwords

January 13, 2015 – 10:09 PM

Remember when we discussed how passwords were dead? If you needed more proof that this is true, the bad guys have you covered with a new piece of malware that turned up in the wild.

SecureWorks, the security arm of Dell, has discovered a new piece of malware dubbed “Skeleton Key.” The attack consists of installing rogue software within Active Directory; the malware then allows attackers to log in as any user on the domain without the need for further authentication. It’s important to note that the installation requires administrator access, or a flaw on the server that grants such access.

Interestingly, Skeleton Key does not actually install itself on the filesystem. Instead, it is an in-memory patch of Active Directory, which makes detection even more difficult. Even worse, this access is not logged, so it is completely silent and very hard to detect. Identifying the malware with traditional network monitoring also does not work, because Skeleton Key does not generate any network traffic.

It’s not all doom and gloom though. The good news is that, in its current form, the malware does not survive a system reboot. Also, the fact that it requires administrator rights to install limits the attack surface, making a disgruntled sysadmin one of the largest threat vectors. In addition, according to the researchers, the malware is rendered useless if an organization requires two-factor authentication to connect to servers, VPN, email and the like. If this isn’t a wake-up call to stop relying on passwords as your main means of security, I don’t know what is.
