Protecting your data from Skeleton Key malware attacks is essential to maintaining a healthy network. This breed of attack subverts standard password authentication, granting attackers access to any account in the domain without knowing that account's password.
About Skeleton Key Attacks
Skeleton Key is malware deployed on Microsoft Active Directory domain controllers, and through them it undermines practically every network service that relies on Active Directory for authentication. It patches the domain controller's LSASS process in memory so that a master password chosen by the attacker is accepted for any domain account, while each account's real password keeps working. Because nothing breaks for legitimate users, an infection can go unnoticed for some time. Note that Skeleton Key does not exploit a flaw to get onto the domain controller: deploying it requires domain administrator credentials, so an attacker who can install it has already compromised the domain.
Initial reports indicate that Skeleton Key does not survive a reboot of the infected domain controller, so once detected it can be cleared quickly by restarting the server. A reboot does not revoke the stolen administrator credentials the attacker used to deploy it, however, so the malware can simply be redeployed unless those credentials are reset as well. Prevention remains the best defense, so take a few simple precautions:
• Safeguard Your Servers. Perform a thorough security review to make sure your domain controllers and other systems that depend on Active Directory have as many physical and logical restrictions as possible. Only users who need access to a particular network resource should have it, and domain controllers in particular should be reachable by as few accounts and hosts as possible. Physical security may mean keeping servers in a locked equipment cabinet or room.
• Restrict User Accounts. Threats often enter a network through an administrator's workstation while it is being used for email and other Internet resources. Having administrator credentials in hand gives malware a head start toward its mission, and Skeleton Key in particular cannot be deployed without domain administrator rights. To limit the exposure of administrator logins, administrators should use separate accounts for administrative functions and for general duty, and use the administrative account only where it is needed.
• Use Two-Factor Authentication. Password-only authentication has been compromised often enough that businesses should require two-factor authentication for all logins. Skeleton Key only subverts single-factor password authentication, so a second factor defeats it, and it also blunts most of the problems associated with password theft, user spoofing, and session hijacking.
Recognizing Skeleton Key Events
Traditional intrusion detection does not catch Skeleton Key because the malware generates no network traffic of its own. According to Dell, however, the in-memory patch has caused domain replication problems on infected domain controllers, so replication errors reported by Microsoft tools (for example repadmin) or third-party utilities can reveal its presence.
Another method for uncovering Skeleton Key looks at the use of PsExec.exe on domain controllers. The attackers behind Skeleton Key used PsExec to run the malware on the domain controller and load it into memory. A specialist from Stealthbits notes that log files and system audits can often surface PsExec irregularities that warn administrators of a Skeleton Key attack: on the target machine PsExec installs a temporary service, which Windows records in the System event log as a service installation, so an unexplained service install on a domain controller deserves investigation.
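As an added example that is not part of the original article and is not Dell's or Stealthbits' own tooling, the following PowerShell script combines the two checks described above: it lists Active Directory replication failures for the domain, then searches each domain controller's System event log for PsExec service installations (Event ID 7045, "A service was installed in the system", with PsExec's default service name PSEXESVC). It assumes the ActiveDirectory RSAT module is installed, that the account running it can read event logs on the domain controllers remotely, and a thirty-day lookback window; the service name and window are assumptions, and a PsExec run with a renamed service (psexec -r) would not be matched.

```powershell
# Added example, not code from the original article or from Dell/Stealthbits.
# Hunts for the two Skeleton Key indicators the article describes:
#   1. AD replication failures (the LSASS patch has been reported to cause them)
#   2. PsExec service installs on domain controllers (Event ID 7045, PSEXESVC)
# Assumptions: ActiveDirectory RSAT module present, rights to read the System
# log on each DC, PsExec run with its default service name (a renamed service
# via psexec -r would not match), and a 30-day lookback window.
Import-Module ActiveDirectory

$lookback = (Get-Date).AddDays(-30)
$domain   = (Get-ADDomain).DNSRoot
$dcs      = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# 1. Replication failures as reported by the domain controllers themselves.
Write-Host "== Replication failures in $domain =="
Get-ADReplicationFailure -Target $domain -Scope Domain |
    Where-Object { $_.FailureCount -gt 0 } |
    Format-Table Server, Partner, FailureCount, FirstFailureTime, LastError -AutoSize

# 2. PsExec service installations on each domain controller.
Write-Host "== PsExec service installs on domain controllers since $lookback =="
$hits = foreach ($dc in $dcs) {
    # 7045 is logged by the Service Control Manager for every new service.
    # Get-WinEvent errors when nothing matches; SilentlyContinue turns that into
    # an empty result, which is also what an unreachable DC produces.
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7045
        StartTime    = $lookback
    }
    if (-not $events) { Write-Verbose "$dc : no 7045 events in window, or log unreadable"; continue }

    foreach ($e in $events) {
        # 7045 EventData order: ServiceName, ImagePath, ServiceType, StartType, AccountName
        $serviceName = [string]$e.Properties[0].Value
        $imagePath   = [string]$e.Properties[1].Value
        if ($serviceName -ieq 'PSEXESVC') {
            [pscustomobject]@{
                DomainController = $dc
                TimeCreated      = $e.TimeCreated
                Service          = $serviceName
                ImagePath        = $imagePath
            }
        }
    }
}

if ($hits) {
    $hits | Sort-Object TimeCreated | Format-Table -AutoSize
} else {
    Write-Host "No PsExec service installs found on any domain controller in the window."
}
```

Run it from a PowerShell session as a user with log-read rights on the domain controllers. A PSEXESVC hit on its own is not proof of Skeleton Key, because administrators use PsExec legitimately, but on a domain controller every such install should line up with a documented administrative session; one that does not deserves the same scrutiny as unexplained replication errors.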
Until user authentication on your network is strengthened, Skeleton Key will remain a threat from outside and from within. By hardening your systems through restricted access and robust authentication, you can prevent the damage that Skeleton Key malware causes.