Single-Factor Authentication: Vulnerable to New Malware & The Same Old Threats
A new malware targets Active Directory systems protected by only a password (single-factor authentication). Dell SecureWorks Counter Threat Unit (CTU) found discovered the malware dubbed ‘Skeleton Key’ that is deployed as an in-memory patch on a victim’s Active Directory domain controllers, allowing attackers to authenticate as any user, as DarkReading.com reports.
The Skeleton Key malware allows attackers to log into any remote access services using a password of their choice, giving them access undetected by users and administrators alike, as they don’t have to steal or change passwords, nor does their login appear to be unauthorized.
Of course, the weird thing is, the malware requires domain administrator credentials for deployment, which begs the question of why the malware need to be deployed if they already have access to everything. It could potentially be a way to carry out a larger, mass attack, enlisting the help of multiple attackers targeting larger enterprises that may use Microsoft’s Active Directory to manage their users and computers.
Since this malware targets Active Directory systems that only use single-factor authentication, deploying two-factor authentication for any AD or administrator logins can stop the spread of malware. As Dell reports:
Skeleton Key requires domain administrator credentials for deployment. CTU researchers have observed threat actors deploying Skeleton Key using credentials stolen from critical servers, administrators' workstations, and the targeted domain controllers.
By protecting any accounts that allow access to your Active Directory service, including servers, administrators and domain controller logins, you can cut down on the risk of an attacker getting and allowing unfettered access to your data and environments. You can even use your existing Active Directory server to synchronize and enroll users and groups in Duo Security’s two-factor authentication solution (technical details here), one of our many user provisioning methods offered.
Duo Security also protects SSH sessions and UNIX logins to ensure that your server sessions are only accessed by authorized engineers, administrators and other users.
Logins protected only by single-factor authentication aren’t just at risk of being targets for this type of malware, however, low-tech methods of phishing, social engineering and brute-force/password guessing are all ways in which criminals can easily steal your password and gain access to data remotely.
Learn more about in our Two-Factor Authentication Evaluation Guide.