Malware Attacks Active Directory

Friday, January 16, 2015 @ 01:01 PM gHale


There is a new strain of malware that can bypass authentication on Microsoft Active Directory systems.

Hackers can use arbitrary passwords to authenticate as any corporate user, said researchers at Dell SecureWorks. The malware, dubbed Skeleton Key, deploys as an in-memory patch on a victim’s Active Directory domain controller, allowing hackers to authenticate as any user, while legitimate users can continue to use systems as normal.


The only known Skeleton Key samples discovered so far lack persistence and must be redeployed each time a domain controller restarts. Attackers could use other remote access malware already present on the victim’s network to reinstall Skeleton Key on domain controllers.

Dell SecureWorks CTU researchers came across Skeleton Key when working an incident response case for an organization. The malware gives the threat actor unfettered access to remote access services such as webmail and VPN.

The Skeleton Key malware requires domain administrator credentials for initial deployment. These credentials can be stolen from critical servers, administrators’ workstations, and the targeted domain controllers.

Click here for more details from Dell SecureWorks on the malware.
