Hackers have developed "Skeleton Key" malware capable of bypassing password protection on Windows Server’s Active Directory (AD) service, according to Dell’s SecureWorks team.
Researchers from the firm found the virus residing on a client’s network in order to access webmail and virtual private networks (VPN) used to move around the internet anonymously, meaning hackers would have been able to remotely take control of systems.
"Skeleton Key is deployed as an in-memory patch on a victim’s AD domain controllers to allow the threat actor to authenticate as any user, while legitimate users can continue to authenticate as normal," a report from the firm said.
"Skeleton Key’s authentication bypass also allows threat actors with physical access to login and unlock systems that authenticate users against the compromised AD domain controllers."
When a domain controller is restarted, the hacker is forced to infect the system with malware again. Researchers suspect the hackers have no means of checking when a restart took place, and could only tell when the malware stopped working.
Skeleton Key also does not transmit traffic across the network, according to Dell, but one warning sign was that of unexplained data replication indicating directory changes.
The company said that the malware can only be deployed if hackers gain access to admin logins, which it had observed being taken from "critical servers, administrators’ workstations, and the targeted domain controllers".
It added that multi-factor authentication, which requires a physical token as well as a password, could be used to mitigate against the threat, as well as improved audit and monitoring processes.
