Skeleton Key Malware: a New Threat to Internet Security
According to a recent report from researchers in the Dell SecureWorks Counter Threat Unit (CTU), any Active Directory (AD) deployment that relies on single-factor (password-only) authentication is at risk from newly discovered malware that bypasses that authentication. The researchers have named it “Skeleton Key”.
The researchers have published an analysis describing how the Skeleton Key attack works. According to the analysis, the malware is deployed as an in-memory patch on the victim’s AD domain controllers. Once in place, it lets the threat actors authenticate as any domain user with a password of their own choosing, while legitimate users continue to log in with their real passwords, so nothing looks wrong to them. Because the patch lives only in memory, a reboot of the domain controller removes it, and the attackers have to redeploy it.
Since Skeleton Key can only be deployed with domain administrator credentials, the analysis notes that the attackers first obtained credentials stolen from critical servers, administrators’ workstations, and the targeted domain controllers themselves, and then used them to deploy the patch.
To counter this attack, Dell SecureWorks recommends the following measures for organizations:
Require multi-factor authentication for all remote access solutions, including VPNs and remote email. Skeleton Key only bypasses single-factor authentication, so stolen passwords alone will no longer let threat actors in through those paths.
A process creation audit trail on workstations and servers, including AD domain controllers, can detect Skeleton Key deployment. On Windows this requires the Audit Process Creation policy to be enabled, which records each new process as Security event ID 4688.
Organizations should also monitor AD domain controllers for Windows Service Control Manager events that record unexpected service installations (System log event ID 7045).
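The two detection checks above, worked through as an added example that is not part of the Dell SecureWorks analysis or of this article: it reads Windows event records in the XML form that `wevtutil qe /f:xml` and Get-WinEvent export, and flags service installations (event ID 7045) and process creations (event ID 4688) on domain controllers that fall outside an expected baseline. The domain controller names, the baseline allowlists, and the sample event records are all constructed for the example.

```python
"""Added example: flag unexpected service installations (System log, 7045) and
process creations (Security log, 4688) on domain controllers, working from
Windows event records in XML form. Hostnames, baselines and sample events are
constructed for the example and are not from the CTU analysis."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed: the organisation's domain controllers and a baseline of what is
# expected to install services or start processes on them. Anything else alerts.
DOMAIN_CONTROLLERS = {"DC01.corp.example", "DC02.corp.example"}
EXPECTED_SERVICES = {"NTDS", "Netlogon", "BackupAgent"}          # hypothetical baseline
EXPECTED_PROCESS_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")


def parse_event(xml_text):
    """Return (event_id, computer, {Data Name: value}) for one event record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.find("e:EventID", NS).text)
    computer = system.find("e:Computer", NS).text
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, computer, data


def check_event(xml_text):
    """Return an alert string, or None if the record looks like normal DC activity."""
    event_id, computer, data = parse_event(xml_text)
    if computer not in DOMAIN_CONTROLLERS:
        return None  # only domain controllers are in scope for this check
    if event_id == 7045:
        # Service Control Manager: a service was installed. Skeleton Key is pushed
        # with domain-admin rights, so an unplanned service on a DC is worth a look.
        name = data.get("ServiceName", "")
        if name not in EXPECTED_SERVICES:
            return (f"{computer}: unexpected service '{name}' installed, "
                    f"image {data.get('ImagePath', '?')}, account {data.get('AccountName', '?')}")
    elif event_id == 4688:
        # Security auditing: process creation (needs Audit Process Creation enabled).
        image = data.get("NewProcessName", "")
        if not image.lower().startswith(EXPECTED_PROCESS_DIRS):
            return (f"{computer}: process {image} started by "
                    f"{data.get('SubjectDomainName', '?')}\\{data.get('SubjectUserName', '?')}")
    return None


def scan(records):
    """Run check_event over a batch of records and keep the alerts, in order."""
    return [alert for alert in (check_event(r) for r in records) if alert]


def _event(event_id, provider, computer, **fields):
    """Build one record in the Windows event XML schema (constructed test data)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/>'
            f'<EventID>{event_id}</EventID><Computer>{computer}</Computer></System>'
            f'<EventData>{data}</EventData></Event>')


# Constructed sample records: one approved service install, one unexpected
# service install on a DC, the same install on a member server (out of scope),
# a routine process start on a DC, and a process started from a temp directory.
SAMPLE_EVENTS = [
    _event(7045, "Service Control Manager", "DC01.corp.example",
           ServiceName="BackupAgent", ImagePath="C:\\Program Files\\Backup\\agent.exe",
           ServiceType="user mode service", StartType="auto start", AccountName="LocalSystem"),
    _event(7045, "Service Control Manager", "DC01.corp.example",
           ServiceName="svcupd", ImagePath="%SystemRoot%\\svcupd.exe",
           ServiceType="user mode service", StartType="demand start", AccountName="LocalSystem"),
    _event(7045, "Service Control Manager", "FS01.corp.example",
           ServiceName="svcupd", ImagePath="%SystemRoot%\\svcupd.exe",
           ServiceType="user mode service", StartType="demand start", AccountName="LocalSystem"),
    _event(4688, "Microsoft-Windows-Security-Auditing", "DC02.corp.example",
           SubjectUserName="DC02$", SubjectDomainName="CORP",
           NewProcessName="C:\\Windows\\System32\\svchost.exe"),
    _event(4688, "Microsoft-Windows-Security-Auditing", "DC02.corp.example",
           SubjectUserName="jsmith-admin", SubjectDomainName="CORP",
           NewProcessName="C:\\Windows\\Temp\\svcupd.exe"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

On a real domain controller the records would come from `wevtutil qe System /q:"*[System[EventID=7045]]" /f:xml` and the equivalent query against the Security log for 4688; the baseline allowlists are the part that needs tuning per environment, since a domain controller should see very few new services and very few processes started from outside the Windows and Program Files directories.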
The discovery of Skeleton Key is another reminder of the importance of knowing which devices are on the enterprise network, Pwnie Express CEO Paul Paget noted in an email to eSecurity Planet. He added that hackers can only deploy such malware once they already have a strong foothold in the network, and that a compromised or rogue device on the network gives them the opportunity to exploit any other part of it. The first step in preventing this kind of attack, he said, is therefore to keep unsecured or compromised devices off the network.
NordVPN to keep you safe
NordVPN is a security tool designed to protect your traffic from attackers on the network. One of its key features is the “Strict No Logs Policy + Tor over VPN”. The no-logs policy means the provider keeps no record of user activity, and the Tor over VPN option sends traffic that is already encrypted by the VPN into the Tor network, where it is relayed through further hops around the world, making it much harder to trace back to its source. For additional privacy and security, NordVPN also offers DoubleVPN, which routes traffic through a two-node server link and encrypts it twice using AES-256-CBC. If you are concerned about your security on the internet, NordVPN is worth considering.