“Skeleton Key” Malware: A Case for Protecting Privileged Accounts

February 5, 2015 John Worrall

In early 2014, a global organization headquartered in London discovered a terrifying new piece of malware in its IT systems. Dubbed the “Skeleton Key” for its ability to “unlock” and provide privileged access to virtually every single employee account within an enterprise. The powerful malware strain allows cybercriminals to bypass Active Directory (AD) systems that only implement single factor authentication – or in other words, systems that rely on passwords alone for security.

A post-mortem of the first reported Skeleton Key cyber attack reveals the attackers resided in the network, without detection, for more than two years in an ongoing cyber espionage operation. Already on the company’s network via a remote access Trojan (RAT), the attackers stole legitimate credentials that gave them full, unfettered access. Then, by deploying the Skeleton Key malware, they were able to remotely carry out the rest of their attack.

The Skeleton Key purposely lacks persistence. The malware must be redeployed when a domain controller is rebooted. This intentional lack of persistence most likely indicates the stealthy nature of this particular operation. If it was made persistent over a reboot, the malware would leave behind a footprint, increasing the chance of detection. The hackers were clearly out for specific information and chose to maintain a low profile to evade discovery in order to obtain it.

Researchers believe the attackers have used Skeleton Key on other enterprises. One of the biggest indicators for this is the distinctive password structure used by the attackers when choosing logins for targeted systems. Passcodes would include the name of the organization’s Active Directory domain, followed by an “@” symbol and a code name for the company. This would not be necessary if only one single victim had been targeted.

The Skeleton Key has created waves in recent weeks since any organization using Active Directory could be a potential target. However, it’s important to remember that in order for attackers to utilize Skeleton Key and install malware on a domain controller, they first have to compromise the domain administrative credentials. If your organization has controls in place that isolate, monitor and control privileged account sessions, or utilize one-time passwords, attackers will not be able to take control of these admin credentials – which in turn prevents them from deploying Skeleton Key. Even if attackers are somehow able to circumvent all of those controls and utilize the malware, deployed behavioral analytics tools that detect anomalous user behavior will help to quickly identify and alert on a similar attack.

As frightening as the Skeleton Key may seem, we would argue that it once again comes down to protecting privileged credentials. If attackers are not able to exploit these credentials in the first place, they will be unsuccessful in deploying Skeleton Key malware in your network environment.

To learn more about how to get started on securing privileged accounts and credentials, check out the CyberArk Privileged Account Security Solution.

Previous Article
NOTICE: Investigators Warn of Increase in Service Account Exploits
NOTICE: Investigators Warn of Increase in Service Account Exploits

“Most companies expect service accounts to be used only internally, so they keep the default passwords…[but...

Next Article
The Privilege Escalation Cycle and Its Role in Russia’s Anunak Cyber Attack
The Privilege Escalation Cycle and Its Role in Russia’s Anunak Cyber Attack

Researchers from Russian cyber investigations firm Group-IB and Dutch security firm Fox-IT recently publish...