Dell SecureWorks has discovered new malware which is able to bypass authentication on Active Directory (AD), allowing attackers to log in as any user.
Dubbed ‘Skeleton Key’, a malware sample named ‘ole64.dll’ was first spotted on an infected client’s network, the firm’s Counter Threat Unit (CTU) noted in an online analysis of the threat.
In that environment, Skeleton Key allowed the attackers to use a password of their choosing to log in to webmail and VPN services.
Dell SecureWorks continued:
“Skeleton Key is deployed as an in-memory patch on a victim's AD domain controllers to allow the threat actor to authenticate as any user, while legitimate users can continue to authenticate as normal. Skeleton Key's authentication bypass also allows threat actors with physical access to log in and unlock systems that authenticate users against the compromised AD domain controllers.”
One saving grace is that the only Skeleton Key samples discovered thus far lack persistence. This means that they must be redeployed when a domain controller is restarted, which could be a headache for the hackers using it.
Dell added:
“CTU researchers suspect that threat actors can only identify a restart based on their inability to successfully authenticate using the bypass, as no other malware was detected on the domain controllers. Between eight hours and eight days of a restart, threat actors used other remote access malware already deployed on the victim's network to redeploy Skeleton Key on the domain controllers.”
To deploy Skeleton Key the attackers first need to gain domain administrator credentials, which in the past have been stolen from servers, workstations and targeted domain controllers, the CTU said.
Dell believes that a common pattern for password injection means that Skeleton Key has likely been used to target multiple organizations.
Network-based intrusion detection and prevention systems will not work on this particular malware as it doesn’t generate any network traffic, but it has been linked to domain replication issues which could indicate an infection.
“Shortly after each deployment of the Skeleton Key malware observed by CTU researchers, domain controllers experienced replication issues that could not be explained or addressed by Microsoft support and eventually required a reboot to resolve,” the team explained.
“These reboots removed Skeleton Key's authentication bypass because the malware does not have a persistence mechanism.”
Dell SecureWorks recommended firms switch to multi-factor authentication for all remote access services including VPNs and webmail, thus rendering Skeleton Key useless.
It added that organizations could detect the malware by creating a “process creation audit trail on workstations and servers, including AD domain controllers” and by “monitoring Windows Service Control Manager events on AD domain controllers.”
Dell SecureWorks’ publication of the threat was welcomed by security experts.
“The Dell team has provided very specific details enabling security teams to look for this attack behavior in their environment,” said Rapid7 global security strategist, Trey Ford.
“This is a great example of meaningful information sharing in our industry.”