Active Directory 'Skeleton Key' Malware Bypasses Passwords, Wreaks Havoc On Corporate Networks
Dell's SecureWorks Counter Threat Unit (CTU) has just discovered a new piece of malware that it dubs "Skeleton Key". Besides being one of the coolest-named pieces of malware ever, Skeleton Key provides access to any user account on an Active Directory controller without regard to supplying the correct password.
As in-memory malware, Skeleton Key is extremely difficult to detect, and it'd be totally invisible to the affected users. And while it requires admin access to the AD controller to deploy, once it is, the exploiter could wreak whatever havoc they like while disguised as an innocent user.
It's not much of a benefit, but there is one major limitation of Skeleton Key: it needs to be reapplied on each restart of the AD controller. Of course, those are not meant to be restarted all of the time, which means that this malware could linger for quite some time without anyone noticing. That also ignores the possibility that those who deploy the malware could have remote admin access to the machine.
Until a patch rolls out, Dell's CTU recommends that multi-factor authentication be used (a good idea, regardless of this malware), and for audits to be done to make sure that a company's AD controller isn't already infected with this stealthy malware.