Dell - New Malware Bypasses Systems of Active Directory

Securityweek.com reported on 12th January, 2015 stating that researchers at Counter Threat Unit (CTU) of Dell SecureWorks have intercepted malware which avoids authentication on Active Directory (AD) systems sheltered only by passwords.

The malware dubbed as 'Skeleton Key' was found by researchers on a network of a client which employed single-factor authentication to gain admittance to webmail and VPN (virtual private network) - giving the attacker complete access to distant access services.

As accords to CTU, the malware requires an attacker to have credentials of domain administrator in order to be installed and it has been found to be used by attackers who have stolen information from workplaces of the administrator, servers and the beleaguered domain controllers.

Darkreading.com published news on 12th January, 2015 quoting Don Smith, Director of Technology of the CTU research team, as saying "The Skeleton key malware allows the opponent to slightly authenticate as any user using the injected password and this can happen remotely for Webmail or VPN. The activity looks like normal activity of the end user and so arising of any suspicion becomes extremely low and due to this, the malware becomes particularly stealthy."

If the attacker poses as a human resources director, then it would not look strange for them to access databases of personally identifiable information. If they pose as a sales director, it would not be suspicious for them to access databases of data pertaining to payment card. This could be mainly useful to malicious insiders of IT department who already have admin access.

Other main drawback of Skeleton Key is that it does not use any persistent methods and hence it must be redeployed any time the domain controller restarted. Researchers explained "Threat actors used other remote access malware anytime between eight hours and eight days from the restart which was already deployed on the network of the victim to redeploy Skeleton Key on the controllers of the domain."

Any firm which is infected might find it difficult to locate the Skeleton Key on the network and IT team has to look for discreet abnormal activity across their Active Directory use which is a much difficult task than finding any standard malware.

It is believed that the original Skeleton Key attacks required information of interest for governments based in East Asia.

» SPAMfighter News - 1/22/2015