Administrators take note: Dell SecureWorks has discovered a clever piece of malware that, once attackers have broken in using stolen credentials, lets them authenticate to a Windows Active Directory (AD) domain controller as any user with a password of their own choosing.
It’s a hack that would have outwardly subtle but inwardly insidious effects. In a stroke of descriptive genius, Dell’s researchers have named the threat ‘Skeleton key’, which sums up what is going on here.
The description offered by Dell is of a carefully designed piece of malware meant to do a specific job. The malware is deployed as an in-memory ‘patch’ to a running process, using the compromised admin account for that controller, which makes it harder to spot; in addition, it generates no network traffic for security systems to pick up.
The disadvantage is that a reboot of the controller clears the malware from memory, but the attackers can still attempt to reinstate it using a separate compromised workstation or server on the network.
This is no theoretical attack – it was found on a real network and Dell’s researchers add:
“CTU researchers have observed a pattern for the injected password that suggests that the threat group has deployed Skeleton Key in multiple organizations.”
To emphasise, the attackers can’t pull off this attack without first getting their hands on admin credentials for the initial bypass. The interesting question is why, armed with such credentials, they might want to plant something on a controller that replicates this access through other user accounts.
Dell doesn’t speculate but it’s likely that being able to authenticate on the server using an ordinary user’s account, without disrupting normal access from legitimate users, is a way of hiding what the attackers are up to. This implies that the tool is part of a longer-term attack, possibly by a nation state deploying it as part of a larger arsenal of compromises.
“This authentication bypass applies to all services that use single-factor AD authentication, such as web mail and VPNs, and it also allows a threat actor with physical access to a compromised system to unlock the computer by typing the injected password on the keyboard.”
Dell has published a list of remediations in its advisory, but the biggest of these is simply to protect the admin accounts in the first place using – at the very least – multi-factor authentication. The firm also recommends monitoring Windows Service Control Manager events on AD controllers.
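One way to act on that last recommendation, as an added example rather than code from the article or from Dell’s advisory: sweep every domain controller for Service Control Manager “service installed” events (Event ID 7045) and flag any service whose binary lives outside the Windows directory. It assumes the ActiveDirectory module and remote event-log access from the machine running it; the “outside the Windows directory” heuristic is an assumption, not a rule from the advisory.

```powershell
# Added example, not from the article or the SecureWorks advisory.
# Lists services installed on each domain controller in the lookback
# window, flagging binaries outside %SystemRoot% for manual review.
# Assumptions: ActiveDirectory module present; remote event-log access
# (Remote Event Log Management firewall rule) allowed to each DC.
function Get-DcServiceInstallEvents {
    param([int]$LookbackHours = 24)

    Import-Module ActiveDirectory

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7045                      # "A service was installed in the system"
        StartTime    = (Get-Date).AddHours(-$LookbackHours)
    }

    foreach ($dc in (Get-ADDomainController -Filter *)) {
        try {
            $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # Get-WinEvent throws when nothing matches; treat that as "no new services".
            if ($_.Exception.Message -match 'No events were found') { continue }
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
            continue
        }

        foreach ($e in $events) {
            # Event 7045 EventData order: ServiceName, ImagePath, ServiceType, StartType, AccountName
            $imagePath  = [string]$e.Properties[1].Value
            # Heuristic (assumption): a service binary not under the Windows directory deserves a look.
            $suspicious = $imagePath -notmatch '(?i)(%SystemRoot%|[A-Z]:\\Windows)\\'

            [pscustomobject]@{
                DomainController = $dc.HostName
                Time             = $e.TimeCreated
                ServiceName      = $e.Properties[0].Value
                ImagePath        = $imagePath
                RunAs            = $e.Properties[4].Value
                Flag             = $(if ($suspicious) { 'REVIEW' } else { '' })
            }
        }
    }
}

Get-DcServiceInstallEvents -LookbackHours 24 | Sort-Object Flag, Time -Descending | Format-Table -AutoSize
```

Pair this with a baseline of the services your DCs legitimately install (patching agents, monitoring tools) so that only deviations surface; an attacker who already holds admin credentials can install a service anywhere, so the value is in spotting the unexpected entry, not in blocking it.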