Researchers at the Dell SecureWorks Counter Threat Unit (CTU) have come across new malware, called Skeleton Key, that bypasses password-only (single-factor) authentication and lets attackers gain access to accounts protected by nothing more than a password. The malware does not persist and cannot survive a reboot, but it is still of major importance.
Single-factor authentication is simply not enough nowadays, as keeps being demonstrated. The recent detection of the “Skeleton Key” malware by the Dell SecureWorks Counter Threat Unit (CTU) highlights the weakness of password-only logins that are not backed by a second authentication factor.
Even though the malware lacks persistence and does not survive a reboot, it is still a major concern: it allows attackers to authenticate as legitimate users and gain access to their accounts without the users’ knowledge. The discovery was made during an engagement on a customer’s network, and what it revealed was intriguing: once the malware is in place, the attackers do not need to use administrative accounts at all; they can log in as ordinary users and go about their work without anyone noticing.
The malware is deployed as an in-memory patch and has to be redeployed every time the patched machine restarts. Nevertheless, it remains a threat wherever access is granted on the strength of a password alone, with no additional layer of authentication. Don Smith, director of security for Dell SecureWorks, states:
“I don’t think it was a mistake [by the attackers]. The people concerned have the capability of making it persistent. The lack of persistence characterizes the stealthy nature of this operation. If you make it persistent over a reboot, you have to leave something behind in the registry or elsewhere that will make it restart. This is super stealthy and this minimizes their footprint. They rely on their foothold elsewhere in the network, and jump in every time they need to.”
In Smith’s assessment this is not a one-off; instead, it is part of a long-term cyber-espionage operation that may have compromised many servers and is designed to stay hidden:
“There is a lot of information in the victim organization they’re looking for, and they want to maintain as low a profile as possible to evade discovery. All the espionage activity is carried out as an ordinary user. The challenge as a defender is the need to look for anomalous user behavior, which isn’t all that simple a task.”
So, to avoid revealing their true intentions, the people behind the “Skeleton Key” malware appear to keep a low profile and refrain from more drastic actions that would be detected and countered immediately.
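The defender’s problem Smith describes, hunting for anomalous user behaviour when the attacker authenticates as an ordinary user, can be approached with a baseline-and-compare check over logon records. The following is an added example written for this page; it is not code from the original article or from Dell SecureWorks. The account names, host names, timestamps, the STAGE-07 host and the per-host threshold are all constructed for illustration, and a real deployment would feed in Windows Security event 4624 fields (account, source workstation, time) instead of the inline sample.

```python
"""Baseline-and-compare check for anomalous user logons.

Added example for the detection problem discussed above: an attacker who can
authenticate as any account looks like a legitimate user in each individual
event, so the signal is behaviour that departs from the account's baseline.
All records below are constructed for illustration (not real telemetry).
"""
from collections import defaultdict, namedtuple
from datetime import datetime

Logon = namedtuple("Logon", "time account host")

# Constructed baseline: each account is seen from its own workstation and the
# file server during normal working hours.
BASELINE_LOGONS = """\
2015-01-12T08:55:10 alice WS-ALICE
2015-01-12T13:10:02 alice FILESRV01
2015-01-13T09:01:44 alice WS-ALICE
2015-01-12T09:12:30 bob WS-BOB
2015-01-13T17:45:09 bob FILESRV01
2015-01-12T10:30:00 carol WS-CAROL
2015-01-13T11:20:15 carol WS-CAROL
"""

# Constructed day under review: at 02:00 a single host (hypothetical name
# STAGE-07) authenticates as several unrelated accounts in a row, which is
# what use of a master password from one foothold would look like in the logs.
NEW_LOGONS = """\
2015-01-14T08:58:21 alice WS-ALICE
2015-01-14T02:13:05 alice WS-ALICE
2015-01-14T02:14:40 bob STAGE-07
2015-01-14T02:15:02 carol STAGE-07
2015-01-14T02:15:30 alice STAGE-07
2015-01-14T02:16:11 dave STAGE-07
"""


def parse_logons(text):
    """Parse 'ISO-timestamp account source-host' lines into Logon tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, account, host = line.split()
        records.append(Logon(datetime.fromisoformat(ts), account, host))
    return records


def build_baseline(records):
    """Per account: the set of source hosts seen and the (earliest, latest) logon hour."""
    hosts = defaultdict(set)
    hours = {}
    for r in records:
        hosts[r.account].add(r.host)
        lo, hi = hours.get(r.account, (r.time.hour, r.time.hour))
        hours[r.account] = (min(lo, r.time.hour), max(hi, r.time.hour))
    return hosts, hours


def find_anomalies(baseline, records, max_accounts_per_host=3):
    """Return (kind, account, host) findings for logons that depart from the baseline."""
    hosts, hours = baseline
    findings = []
    accounts_by_host = defaultdict(set)
    for r in records:
        accounts_by_host[r.host].add(r.account)
        if r.account not in hosts:
            # No baseline at all for this account: surface it rather than guess.
            findings.append(("unknown-account", r.account, r.host))
            continue
        if r.host not in hosts[r.account]:
            findings.append(("new-source-host", r.account, r.host))
        lo, hi = hours[r.account]
        if not lo <= r.time.hour <= hi:
            findings.append(("off-hours", r.account, r.host))
    # One source host authenticating as many distinct accounts is the strongest
    # signal here: ordinary users do not take turns logging on from one machine.
    for host, accounts in sorted(accounts_by_host.items()):
        if len(accounts) > max_accounts_per_host:
            findings.append(("many-accounts-from-host", ",".join(sorted(accounts)), host))
    return findings


def run_example():
    """Build the baseline from the first two days and review the third."""
    baseline = build_baseline(parse_logons(BASELINE_LOGONS))
    return find_anomalies(baseline, parse_logons(NEW_LOGONS))


if __name__ == "__main__":
    for kind, account, host in run_example():
        print(f"{kind:24} account={account:24} host={host}")
```

On the constructed data the per-event checks (new source host, off-hours) each fire a few times, but the finding that matters most is the last one: STAGE-07 logging on as four different accounts within minutes. That is the pattern to alert on, since it does not depend on knowing the attacker’s password or tooling, only on the fact that a single foothold is being used to act as many people.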
Top/Featured image courtesy of Dell SecureWorks