'Skeleton Key' Malware Unlocks Key Parts Of The 'Secure' Internet

21/01/2015 11:19 GMT | Updated 21/01/2015 11:59 GMT

Security researchers have discovered a "Skeleton Key" malware that has the potential to unlock key parts of the supposedly secure internet.

The flaw lets hackers bypass password checks on Active Directory (AD) systems, a type of security infrastructure commonly used on Windows Server setups.

AD systems that use single-factor (password-only) authentication are at risk from the new bug, named Skeleton Key, which was found by the Dell SecureWorks Counter Threat Unit.

"Skeleton Key's authentication bypass also allows threat actors with physical access to log in and unlock systems that authenticate users against the compromised AD domain controllers," the team said.

That means that unless security teams patch and fix the issue, or implement two-factor authentication, thousands of enterprise and business networks could be at risk from catastrophic hacks like those seen at Sony Pictures late last year. This particular malware is particularly useful for avoiding detection: once it is in place, there is no obvious way for employees to tell that a hacker is not a genuine user. There are caveats, though. The malware has to be deployed again every time the network reboots, and it only works on certain systems.

The 'good' news is that in order to exploit the threat, hackers already need a 'foothold' on the network.

What that means is that if admins can keep their networks watertight in the first place, they should be able to negate the threat while working to patch the flaw.

Pwnie Express CEO Paul Paget told eSecurity Planet:

"Hackers' ability to use the malware is reportedly dependent on them having an existing foothold in the network."

"This foothold, which is often a result of a compromised or rogue device on the network, potentially unlocks access to parts of the network that they can exploit. ... The first step to defending against this new malware is keeping unsecured or compromised devices off the network."