'Skeleton Key' Malware Lets Attackers Use Any Corporate Account
For two years, the program lurked on a critical server that authenticates users, allowing attackers who know a secret password to log in as any user.

An attack tool used in an ongoing cyber-espionage operation gives digital spies a backdoor into the affected network and allows them to retain control in a nearly undetectable way, according to research published by managed-security firm Dell Secureworks on Jan. 13. For more than two years, the program, dubbed 'Skeleton Key,' appears to have resided on a critical server, known as a domain controller, and allowed any attacker who knew a secret password to log in to the victim's network by assuming the identity of any valid user.

When attackers infiltrate a company's network, the next challenge is typically to retain control of compromised accounts and systems without being detected, and Skeleton Key makes that possible, according to the published analysis. The program does not compromise systems itself; rather, it acts as a secret gatekeeper that circumvents the access controls a domain controller normally enforces, Don Smith, director of technology for the counter-threat unit (CTU) at Dell Secureworks, told eWEEK. "The adversary could inject the Skeleton Key and then, in a very, very stealthy way, move around the network with totally unfettered access to the organization's content," he said. "The access that it gives them is massive."
Once installed on an Active Directory domain controller, Skeleton Key leaves normal logins untouched: every user's real password still works, so nothing breaks and no one notices. But if any user name is submitted together with the attacker's secret password, the domain controller accepts it, and the attacker is logged in as that user, Dell Secureworks said. The program requires attackers to already have a foothold on the network and valid domain administrator credentials, which are needed to load it onto a domain controller; once it is in place, however, it lets them log in to the victim's systems and steal data at will, the report stated.
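Because legitimate passwords keep working, the backdoor leaves no trail of failed logons, so a defender has to look for side effects of the patch rather than for bad passwords. The CTU analysis, and vendor detections built on it, report that Skeleton Key only supports the RC4_HMAC_MD5 Kerberos encryption type; in a domain that has rolled out AES, tickets issued through the backdoor therefore show up as an encryption downgrade in the domain controller's Security log (event 4768, Ticket Encryption Type 0x17). The script below is an added example written for this page, not code from the eWEEK article or from the Dell Secureworks report, and it treats that RC4 dependency as its working assumption. It runs the downgrade check over a handful of constructed 4768/4769 records; the pipe-delimited record format, the account-to-encryption-type table (standing in for each account's msDS-SupportedEncryptionTypes attribute) and the sample addresses are all assumptions made for the illustration.

```python
"""Flag Kerberos TGT requests (Security event 4768) that succeed with
RC4_HMAC_MD5 for accounts configured for AES.

Assumption (from the published CTU analysis): a Skeleton Key style patch
on the domain controller forces RC4 for tickets it issues, so an AES-capable
account suddenly receiving RC4 TGTs is a downgrade worth investigating.
"""
from collections import defaultdict
from dataclasses import dataclass

RC4_HMAC_MD5 = 0x17          # Ticket Encryption Type values as logged in 4768
AES128_CTS_HMAC_SHA1 = 0x11
AES256_CTS_HMAC_SHA1 = 0x12
AES_TYPES = {AES128_CTS_HMAC_SHA1, AES256_CTS_HMAC_SHA1}
KRB_SUCCESS = 0x0            # Status field 0x0 means the KDC issued the ticket


@dataclass(frozen=True)
class TicketRequest:
    event_id: int      # 4768 = TGT request, 4769 = service ticket request
    account: str       # TargetUserName
    client_ip: str     # IpAddress, IPv4-mapped prefix stripped
    etype: int         # TicketEncryptionType
    result: int        # Status (Kerberos result code)


def parse_event(line: str) -> TicketRequest:
    """Parse one record in the constructed export format
    EventID|TargetUserName|IpAddress|TicketEncryptionType|Status."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 5:
        raise ValueError(f"malformed record: {line!r}")
    event_id, account, ip, etype, result = fields
    # Windows logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d).
    return TicketRequest(int(event_id), account, ip.removeprefix("::ffff:"),
                         int(etype, 16), int(result, 16))


def is_downgraded_tgt(req: TicketRequest, supported_etypes: set[int]) -> bool:
    """True for a successful TGT issued with RC4 to an AES-capable account."""
    return (req.event_id == 4768
            and req.result == KRB_SUCCESS
            and req.etype == RC4_HMAC_MD5
            and not AES_TYPES.isdisjoint(supported_etypes))


def find_downgrades(lines, account_etypes) -> list[TicketRequest]:
    """Run the downgrade check over exported records; accounts missing from
    the table are treated as RC4-only (legacy) and never flagged."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        req = parse_event(line)
        if is_downgraded_tgt(req, account_etypes.get(req.account, set())):
            hits.append(req)
    return hits


def group_by_source(hits) -> dict[str, list[str]]:
    """One host obtaining RC4 TGTs for several AES accounts is the stronger
    signal: that is what 'log in as anyone' looks like from the log."""
    by_ip = defaultdict(set)
    for h in hits:
        by_ip[h.client_ip].add(h.account)
    return {ip: sorted(accts) for ip, accts in by_ip.items()}


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    "4768|alice|::ffff:10.10.1.20|0x12|0x0",       # normal AES256 TGT
    "4768|alice|::ffff:10.10.9.77|0x17|0x0",       # RC4 TGT for AES account: flag
    "4768|admin-dave|::ffff:10.10.9.77|0x17|0x0",  # same source, another account: flag
    "4768|svc_legacy|::ffff:10.10.1.30|0x17|0x0",  # RC4-only account, expected
    "4768|bob|::ffff:10.10.9.77|0x17|0x6",         # failed request, not a ticket
    "4769|alice|::ffff:10.10.1.20|0x17|0x0",       # service ticket, out of scope
]

# Constructed stand-in for msDS-SupportedEncryptionTypes per account.
ACCOUNT_ETYPES = {
    "alice": {AES128_CTS_HMAC_SHA1, AES256_CTS_HMAC_SHA1},
    "admin-dave": {AES256_CTS_HMAC_SHA1},
    "svc_legacy": {RC4_HMAC_MD5},
    "bob": {AES128_CTS_HMAC_SHA1, AES256_CTS_HMAC_SHA1},
}

if __name__ == "__main__":
    found = find_downgrades(SAMPLE_EVENTS, ACCOUNT_ETYPES)
    for ip, accounts in group_by_source(found).items():
        print(f"RC4 TGTs for AES-capable accounts from {ip}: {', '.join(accounts)}")
```

The check is deliberately narrow: 4769 service-ticket records are skipped because RC4 there usually just means the service account has no AES keys, and failed requests are skipped because the backdoor's whole point is that its logons succeed. On a real domain controller the same fields come from Get-WinEvent on the Security log and the per-account encryption types from Active Directory; the recovery step after a hit is not just to reset passwords but to restart the domain controller, since the patch lives in LSASS memory.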