Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    ‘Skeleton Key’ Malware Lets Attackers Use Any Corporate Account

    By
    Robert Lemos
    -
    January 15, 2015
    Share
    Facebook
    Twitter
    Linkedin
      Skeleton Key malware

      An attack tool used in an ongoing cyber-espionage operation gives digital spies a backdoor into the affected network and allows them to retain control in a nearly undetectable way, according to research published by managed-security firm Dell Secureworks on Jan. 13.

      For more than two years, the program, dubbed ‘Skeleton Key,’ appears to have resided on a critical server—known as a domain controller—and allowed any attacker with a secret key to log in to the victim’s network by donning the identity of any valid user. When attackers infiltrate a company’s network, the next challenge typically is to retain control of compromised accounts and systems without being detected, and Skeleton Key makes that happen, according to the published analysis.

      While not a program that compromises systems itself, the malware acts as a secret gatekeeper, circumventing the access controls normally put in place by a domain controller, Don Smith, director of technology for the counter-threat unit (CTU) at Dell Secureworks, told eWEEK.

      “The adversary could inject the Skeleton Key and then, in a very, very stealthy way, move around the network with totally unfettered access to the organization’s content,” he said. “The access that it gives them is massive.”

      Once installed on an Active Directory domain controller, Skeleton Key allows users to log in as normal, but if any user name is entered along with the attacker’s secret password, then the attacker will be logged in as that user, Dell Secureworks said. While the program requires attackers to already have access to the network and valid domain administrator credentials, it does allow attackers to easily log in to the victim’s systems and steal data, the report stated.

      So far, only a single case of the malware has been found, according to Dell Secureworks’ Smith. An administrator working at the affected company, which Smith declined to name, noticed user activity during odd hours and flagged the managed-security provider. After analyzing the issue, the company focused on the domain controller and eventually found the malware.

      Skeleton Key only resides in memory and is not written to disk, making it even more difficult to detect, but also requiring the attackers to reinstall it, if the domain controller is restarted.

      “The only known Skeleton Key samples as of this publication lack persistence and must be redeployed when a domain controller is restarted,” the report stated. “CTU researchers suspect that threat actors can only identify a restart based on their inability to successfully authenticate using the bypass, as no other malware was detected on the domain controllers.”

      When the victim company restarted its server, Skeleton Key was reinstalled somewhere between eight hours and eight days later.

      The program likely had control of the domain controller inside the targeted company for more than two years, according to Smith. An older version of the program with a September 2012 compile date was found on another system inside the firm, he said.

      While no other similar malware has been found in other companies, the program appears to be part of a larger campaign, Smith said. The passcode for access to the network had been set to the name of the domain controller, followed by an “@” symbol, followed by a code name for the victim. Such a scheme would not be necessary if only a single company had been targeted, Smith said.

      “The form of that password makes me believe they had other victims,” he said.

      Avatar
      Robert Lemos
      Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's written for Ars Technica, CNET, eWEEK, MIT Technology Review, Threatpost and ZDNet. He won the prestigious Sigma Delta Chi award from the Society of Professional Journalists in 2003 for his coverage of the Blaster worm and its impact, and the SANS Institute's Top Cybersecurity Journalists in 2010 and 2014.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Information

      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×