This week, the Dell SecureWorks Counter Threat Unit (CTU) disclosed that it discovered a strain of malware that can bypass single-factor authentication on Microsoft Active Directory (AD) systems to access various remote access services while authenticated as any user. The research team discovered this malware, dubbed "Skeleton Key", while working on an incident response case, and they published their findings on a blog post today.
The malware itself is interesting, because while it can affect major systems once it's up and running, it has two major flaws that we can see right now:
- One, in order for Skeleton Key to work effectively, the attacker needs to already have domain admin credentials in hand. In that case, there's clearly a problem regardless of whether this malware is deployed, as there's already plenty of opportunity for the attacker to poke around and explore other attack vectors.
- Two, Skeleton Key can't survive a reboot. Theoretically, domain controllers aren't rebooted that often, but this lack of persistence should still be noted.
Rapid7's Tod Beardsley (@todb) took a look at SecureWorks' advisory on Skeleton Key and gave his take on how this malware might be used by an attacker: "A domain administrator account has plenty of opportunity to collect password hashes across the entire domain – if those passwords are weak enough (and most are), they can be cracked offline at the attacker's leisure. My guess is that Skeleton Key is designed to be part of a longer-term access persistence campaign. It feels like a temporary measure to retain access while the business of password cracking happens offline, and the attacker can return later with now-known passwords."
Tod's advice for any organization that finds Skeleton Key present in its environment is to rotate all user and service account passwords -- ideally on the same day -- and to review its access policies for direct AD domain controller logins.
So what else is notable here? Certainly the malware itself has interesting capabilities, and again we urge anyone interested in the analysis to read SecureWorks' excellent and detailed blog post. But we also wanted to applaud the overall approach here. The very fact that the SecureWorks CTU discovered this malware while on incident response for a private organization, and then also shared their analysis with the security community, is an excellent example that hopefully more will follow.
Information sharing in our industry helps us all more easily protect our customers and our data. The fact that the Dell team gave so much specific, meaningful, and actionable detail about this malware and its contextual behavior enables security teams everywhere to be much more effective. Kudos to the Dell SecureWorks CTU for showing how information disclosure strengthens us all, and we hope this is a practice more organizations adopt across our industry.