Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Cyber Crime

Skeleton Key Malware modifies the Active Directory authentication process

Dell SecureWorks detected the Skeleton Key malware, which modifies authentication process on Active Directory (AD) systems protected by only passwords. The experts at Dell SecureWorks Counter Threat Unit(TM) (CTU) have recently discovered a malware dubbed Skeleton Key that bypasses single-factor authentication on Active Directory (AD) systems. The attackers can use to have total access to remote […]

Skeleton Key Malware modifies the Active Directory authentication process

Dell SecureWorks detected the Skeleton Key malware, which modifies authentication process on Active Directory (AD) systems protected by only passwords.

The experts at Dell SecureWorks Counter Threat Unit(TM) (CTU) have recently discovered a malware dubbed Skeleton Key that bypasses single-factor authentication on Active Directory (AD) systems. The attackers can use to have total access to remote access services with a password of their choosing to authenticate as any user.

The researchers at CTU have discovered the Skeleton Key on a client network that used single-factor authentication for access to webmail and VPN, the malware is deployed as an in-memory patch on a targeted AD domain controllers to allow attacker to authenticate as any user, while legitimate users can continue to authenticate without noticing the infection.

Attacks which implements the modification of the authentication process are rarely observed by security experts and CTU researchers confirmed they haven’s seen similar malware targeting Active Directory before.

 “Skeleton Key is deployed as an in-memory patch on a victim’s AD domain controllers to allow the threat actor to authenticate as any user, while legitimate users can continue to authenticate as normal. Skeleton Key’s authentication bypass also allows threat actors with physical access to login and unlock systems that authenticate users against the compromised AD domain controllers.” states a blog post published by CTU.

In order to spread the Skeleton Key the attacker requires have domain administrator credentials, circumstance common when criminal crews stole stolen credentials from victims or acquire them on the underground market.

“What raises the alarm about the Skeleton Key malware is that it enables the adversary to trivially authenticate as any user, using their injected password, this could give them access to the target’s webmail or VPN if that was relying upon AD for authentication,” explained Don Smith, CTU director of technology, at securityweek.com “Consequently, the threat actors can get access to the victim’s email correspondence and network files. This activity looks like – and is – normal end user activity, so the chances of the threat actor raising any suspicion is extremely low and this is what makes this malware particularly stealthy.”

The samples of malware analyzed by the experts at CTU lack persistence, this means that threat actors need to re-deployed the malicious agent every time the domain controller is restarted.

“CTU researchers suspect that threat actors can only identify a restart based on their inability to successfully authenticate using the bypass, as no other malware was detected on the domain controllers,” continues the post. “Between eight hours and eight days of a restart, threat actors used other remote access malware already deployed on the victim’s network to redeploy Skeleton Key on the domain controllers.”

The researchers discovered that attackers used the PsExec tool to run the Skeleton Key DLL remotely on the target domain controllers using the rundll32 command. The attackers choose a password for their authentication, then it is formatted as an NTLM password hash and it is provided in clear text.

skeleton key

CTU researchers explained that network traffic analysis is ineffective, anyway, it could be detected because it is associated with domain replication issues that may indicate an infection.

“Shortly after each deployment of the Skeleton Key malware observed by CTU researchers, domain controllers experienced replication issues that could not be explained or addressed by Microsoft support and eventually required a reboot to resolve,” CTU researchers blogged. “These reboots removed Skeleton Key’s authentication bypass because the malware does not have a persistence mechanism.”

CTU researchers have no doubts about the abilities of malware authors, Skeleton Key malware was the results of specialists with a “reasonable degree of skill.”

In order to detect the presence of the Skeleton Key malware, Dell SecureWorks recommends organizations use multi-factor authentication for access to its services, monitor processes running on workstations and servers and monitor Windows Service Control Manager events on Active Directory domain controllers.

Pierluigi Paganini

(Security Affairs –  Skeleton Key, malware)