January 13, 2015

Skeleton Key malware unlocks passwords in Active Directory

Virus allows hackers to access webmail and virtual private networks.

By Jimmy Nicholls

Hackers have developed "Skeleton Key" malware capable of bypassing password protection on Windows Server’s Active Directory (AD) service, according to Dell’s SecureWorks team.

Researchers from the firm found the malware on a client's network, where it was being used to gain access to webmail and virtual private networks (VPNs) that let users move around the internet anonymously, meaning hackers would have been able to take remote control of systems.

"Skeleton Key is deployed as an in-memory patch on a victim’s AD domain controllers to allow the threat actor to authenticate as any user, while legitimate users can continue to authenticate as normal," a report from the firm said.

"Skeleton Key’s authentication bypass also allows threat actors with physical access to login and unlock systems that authenticate users against the compromised AD domain controllers."

When a domain controller is restarted, the in-memory patch is lost and the hackers have to infect the system again. Researchers suspect the hackers have no way of knowing when a restart has taken place, and could only tell once the malware stopped working.

Skeleton Key also does not transmit traffic across the network, according to Dell, but one warning sign was unexplained replication activity indicating directory changes.

The company said the malware can only be deployed once hackers have obtained administrator credentials, which it had observed being taken from "critical servers, administrators' workstations, and the targeted domain controllers".


It added that multi-factor authentication, which requires a physical token as well as a password, could be used to mitigate the threat, along with improved audit and monitoring processes.
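Two facts in the report give defenders a starting point for triage: the patch lives only in memory, so a domain controller that has not restarted since a suspected compromise is the one to scrutinise, and unexplained replication activity was the observed warning sign. The script below is an added example, not code from the SecureWorks report or from Tech Monitor; it assumes the ActiveDirectory PowerShell module is installed, that WinRM/CIM access to each domain controller is permitted, and that the 30-day uptime threshold is a site-specific choice.

```powershell
# Added triage example: list each domain controller's uptime and its
# most recent replication results, so long-running DCs and unexpected
# replication activity can be reviewed together.
Import-Module ActiveDirectory

# Assumption: how long a DC may run without a restart before it is flagged.
$UptimeThresholdDays = 30

$dcs = Get-ADDomainController -Filter *

foreach ($dc in $dcs) {
    $host = $dc.HostName
    try {
        # LastBootUpTime tells us whether an in-memory patch could still be resident.
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $host
        $uptime = (Get-Date) - $os.LastBootUpTime
        $flag = if ($uptime.TotalDays -gt $UptimeThresholdDays) { 'REVIEW' } else { 'ok' }
        Write-Output ("{0,-30} up {1,6:N1} days  [{2}]" -f $host, $uptime.TotalDays, $flag)
    } catch {
        Write-Warning "Could not query uptime on $host : $($_.Exception.Message)"
    }

    try {
        # Inbound replication partners and when each last replicated successfully.
        # Compare these timestamps against change-management records; replication
        # that nobody can explain is the warning sign the report describes.
        $meta = Get-ADReplicationPartnerMetadata -Target $host -Scope Server
        foreach ($m in $meta) {
            Write-Output ("    partner {0,-30} last attempt {1:u}  last success {2:u}  failures {3}" -f
                $m.Partner, $m.LastReplicationAttempt, $m.LastReplicationSuccess,
                $m.ConsecutiveReplicationFailures)
        }
    } catch {
        Write-Warning "Could not read replication metadata on $host : $($_.Exception.Message)"
    }
}
```

Run it from an administrative workstation with domain credentials; a DC flagged REVIEW is a candidate for memory analysis rather than an immediate reboot, since restarting destroys the only evidence of the patch.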
