Early last year, a global organisation with its headquarters in London discovered something remarkable yet terrifying on its IT systems, Forbes reports. It would later be dubbed the Skeleton Key, due to its ability to provide almost unfettered access to every single employee’s corporate account. As Don Smith, technology director at Dell SecureWorks, told Forbes, this was “ownership with a capital O”, representing one of the most startling cases of digital espionage he has seen in more than 20 years in the security business. “Be afraid,” he added.
The Skeleton Key was initially installed as a patch on the victim’s Active Directory domain controllers, the servers that handle security and authentication in Microsoft environments. This was possible because the hackers already had access to some systems on the network. With the patch in place, the attackers could bypass authentication for any tool or service that relied on Active Directory, logging in to accounts with a password of their own choosing, while employees continued to use their real passwords and access their accounts as before.
In the case of the London-based organisation, an IT administrator spotted an anomalous event and asked SecureWorks to investigate. The private cyber sleuths found the key by probing the communications method used by the hackers’ malware to inject the Skeleton Key.
Despite its unique qualities, the Skeleton Key had some flaws. On its own, it wasn’t “persistent”: because the patch lived only in the memory of the domain controller, it was lost whenever those Active Directory systems were rebooted. According to an advisory document from Dell SecureWorks to its customers, seen ahead of publication by Forbes, it appeared the attackers could only tell they had been locked out when their attempts to sign in as an employee failed, indicating they weren’t able to set up an entirely effective command and control infrastructure. Furthermore, only those systems that relied on Active Directory for authentication were affected.
Not that any of that mattered much in the 2014 attack. As they already had a lightweight Remote Access Trojan on the target’s network, the hackers used that piece of malware to get the Skeleton Key back up and running after each reboot. Given that the organisation’s webmail and VPN access used Active Directory, they again had free rein to spy on the victim and hoover up whatever data they saw fit. Meanwhile, employees could continue to access their corporate accounts without any hint that the hackers might have stolen their identities.
There have been various indications the hackers have used their Skeleton Keys on other organisations, according to Smith. One big clue, said Smith, was the format of the passwords the hackers chose for their logins on victims’ machines. They would use the name of the organisation’s Active Directory domain followed by an ‘@’ symbol and a codename for the victim – something easily guessable in the case of the London organisation, he added. “Given that password ‘structure’, you could argue this has been deployed elsewhere.”
This variant of the Skeleton Key, called ole64.dll, is not the first either. The original, at least on the London target’s network, dated back to 2012. As three years have now passed since the first Skeleton Key was crafted, it’s likely been used in other scenarios, Smith said.
Anyone using Active Directory should be concerned by such attacks. That includes a significant number of businesses, such is the ubiquity of Microsoft’s creation. No one wants to see their critical authentication processes completely compromised, added Smith. “This could happen to you.”
Any firm that is infected might find it hard to locate the Skeleton Key on its network. An IT team has to look for inconspicuous anomalous activity across its Active Directory use – a much harder task than looking for standard malware. And, as the patch was delivered “in-memory” rather than written to the infected server’s disk, it is even harder to uncover with file-based tools. If this hits an organisation that’s widely using Active Directory, “they’re toast”, Smith added.
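One concrete check that follows from the mechanism described above (a second, attacker-chosen password that works alongside every user’s real one, living in the memory of a single domain controller) is a per-domain-controller canary test: authenticate a dedicated canary account against each DC with its real password, then with a handful of passwords that must never work, and flag any DC that accepts one. The example below is added here and is not code from the article, from SecureWorks or from the attackers. It assumes a canary account you control, the `ldap3` package for the real LDAP bind, and candidate passwords built on the domain@codename structure SecureWorks described; the domain, DC names and codenames in the usage section are made up.

```python
"""Per-DC canary check for a Skeleton Key style authentication patch.

Added example (not the article's or SecureWorks' code). Assumptions:
  - CANARY_USER is a low-privilege account created for this purpose only;
  - `pip install ldap3` for the real bind (only imported inside ldap_bind);
  - the probe list is kept below the domain's account lockout threshold,
    because every rejected password increments the canary's badPwdCount.
Each DC is probed separately: the patch lives in one DC's memory and is not
replicated, so a clean result from one DC says nothing about the others.
"""
from dataclasses import dataclass, field
from typing import Callable, Iterable, List
import secrets

# (dc_host, user, password) -> True if that DC accepted the credentials
Authenticator = Callable[[str, str, str], bool]


def ldap_bind(dc: str, user: str, password: str) -> bool:
    """Real authenticator: NTLM bind to one specific DC over LDAPS (port 636).
    `user` must be in DOMAIN\\sAMAccountName form for NTLM."""
    from ldap3 import ALL, NTLM, Connection, Server  # real ldap3 API
    server = Server(dc, port=636, use_ssl=True, get_info=ALL)
    conn = Connection(server, user=user, password=password, authentication=NTLM)
    try:
        return conn.bind()
    finally:
        conn.unbind()


@dataclass
class DcResult:
    dc: str
    real_password_ok: bool          # sanity: canary creds work at all
    accepted_wrong: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A DC that accepts any password other than the real one is either
        # patched or misconfigured; either way it needs memory forensics.
        return bool(self.accepted_wrong)


def skeleton_candidates(domain: str, codenames: Iterable[str]) -> List[str]:
    """Build probes in the domain@codename shape the article describes."""
    return [f"{domain}@{codename}" for codename in codenames]


def probe_dcs(dcs: Iterable[str], user: str, real_password: str,
              candidates: Iterable[str], auth: Authenticator,
              add_random_control: bool = True) -> List[DcResult]:
    """Probe every DC independently; return one DcResult per DC."""
    probes = [p for p in candidates if p != real_password]
    if add_random_control:
        # A random string should be rejected everywhere. If a DC accepts it,
        # that DC is effectively accepting *anything* for this account.
        probes.append(secrets.token_urlsafe(24))
    results = []
    for dc in dcs:
        result = DcResult(dc=dc, real_password_ok=auth(dc, user, real_password))
        for pw in probes:
            if auth(dc, user, pw):
                result.accepted_wrong.append(pw)
        results.append(result)
    return results


def suspicious_dcs(results: Iterable[DcResult]) -> List[str]:
    return [r.dc for r in results if r.suspicious]


if __name__ == "__main__":
    # Made-up names for illustration; replace with your own canary and DCs.
    dcs = ["dc1.corp.example", "dc2.corp.example"]
    probes = skeleton_candidates("CORP", ["london", "hq"])
    found = suspicious_dcs(probe_dcs(dcs, r"CORP\canary", "real-canary-pw",
                                     probes, ldap_bind))
    print("suspicious domain controllers:", found or "none")
```

Run it from a host that can reach every DC directly by name rather than through the domain's round-robin alias, otherwise two probes may silently land on the same server. Because the patch is re-injected after a reboot, the check is worth scheduling rather than running once.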
Forbes understands UK and US government agencies are interested in SecureWorks’ findings, though no formal discussions have been held about further actions. It’s believed the original Skeleton Key attacks sought information of interest for governments based in eastern Asia, though SecureWorks was not willing to attempt attribution.
Other security experts were suitably impressed by the Skeleton Key. “This is pretty cool. I like the in-memory patching. It’s definitely a cool tool. Specialized, discrete,” said ex-Googler and information security chief at The Intercept publisher First Look Media, Morgan Marquis-Boire. “It’d definitely be useful for compromise of enterprises.”