A newly published report describes a serious piece of malware called Skeleton Key that bypasses single-factor (password-only) Active Directory authentication. Once active on a domain controller it lets an attacker log in as any domain user while every legitimate user's real password keeps working, so normal operations are not disrupted and the compromise is not readily noticed. The bypass applies wherever the domain controller does the authenticating: local logins as well as remote access such as VPNs and webmail.
The attacker logs in to any account, regardless of privilege, from ordinary user to domain admin, using a single master password of the attacker's choosing (hence the name). Deploying the malware requires administrator rights on the domain controller in the first place, so it is a post-compromise tool for keeping access rather than an exploit of an unpatched flaw, and there is no obvious fix for Microsoft to ship. The current version patches the domain controller's authentication process in memory and does not survive a reboot, but it seems only a matter of time before a persistent variant appears.
Importantly, the primary mitigation at this point is multi-factor authentication. With 2FA in place a login still needs a second factor that the malware cannot supply, so even if Skeleton Key is present on a domain controller the attacker cannot complete the login. Local logons that remain password-only may still be exposed, but remote access is the much larger risk, because the attacker can reach it without being on premises, and it should be the first thing you protect.
This is also a case where you must make sure your 2FA cannot be bypassed. Here the second factor is not what gets broken; the malware sidesteps the password alone. But if your 2FA rollout is incomplete or has gaps, such as administrators who can still log in remotely with just a password while ordinary users are required to use a second factor, you remain exposed, and on exactly the accounts that matter most. Look at your network holistically: every remote entry point and every account, including admin and service accounts, should be covered.
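The coverage check described above, as an added example that is not code from the original post or from Green Rocket Security: it enumerates every (account, remote entry point) pair where a password alone is enough to log in, which under Skeleton Key means a pair the attacker can use freely, and separately calls out privileged accounts that have been exempted from a second factor. The entry points, group names and accounts are constructed sample data; in a real audit they would come from AD group membership and the configuration of each VPN, webmail and remote-desktop gateway.

```python
"""Find (account, entry point) pairs that still accept a password alone.

Added example, not code from the original post or from Green Rocket Security.
All names below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EntryPoint:
    """A remote login path and the policy it enforces."""
    name: str
    mfa_required: bool            # does this path demand a second factor at all?
    mfa_exempt_groups: frozenset  # groups allowed to skip the second factor here


@dataclass(frozen=True)
class Account:
    sam: str
    groups: frozenset
    privileged: bool              # admin or service account with elevated rights


# Constructed sample data (hypothetical entry points and accounts).
ENTRY_POINTS = [
    EntryPoint("VPN", mfa_required=True, mfa_exempt_groups=frozenset({"Domain Admins"})),
    EntryPoint("Webmail", mfa_required=True, mfa_exempt_groups=frozenset()),
    EntryPoint("RDP Gateway", mfa_required=False, mfa_exempt_groups=frozenset()),
]

ACCOUNTS = [
    Account("jsmith", frozenset({"Domain Users"}), privileged=False),
    Account("admin.lee", frozenset({"Domain Users", "Domain Admins"}), privileged=True),
    Account("svc-backup", frozenset({"Domain Users", "Backup Operators"}), privileged=True),
]


def single_factor_paths(accounts, entry_points):
    """Return (account, entry point, severity, reason) for every password-only login path.

    With Skeleton Key on a domain controller the password is no longer something the
    attacker has to know, so each row returned here is a complete authentication bypass.
    """
    findings = []
    for ep in entry_points:
        for acct in accounts:
            exempt = acct.groups & ep.mfa_exempt_groups
            if not ep.mfa_required:
                reason = "entry point never asks for a second factor"
            elif exempt:
                reason = "exempt via group(s): " + ", ".join(sorted(exempt))
            else:
                continue  # second factor enforced: a skeleton-key login fails here
            severity = "HIGH" if acct.privileged else "MEDIUM"
            findings.append((acct.sam, ep.name, severity, reason))
    # Privileged paths first, then by entry point and account name.
    return sorted(findings, key=lambda f: (f[2] != "HIGH", f[1], f[0]))


def privileged_exemptions(accounts, entry_points):
    """The gap the post calls out: privileged accounts allowed to skip MFA on an MFA path."""
    return sorted(
        (acct.sam, ep.name)
        for ep in entry_points if ep.mfa_required
        for acct in accounts
        if acct.privileged and acct.groups & ep.mfa_exempt_groups
    )


if __name__ == "__main__":
    for sam, ep, sev, why in single_factor_paths(ACCOUNTS, ENTRY_POINTS):
        print(f"{sev:6} {sam:12} via {ep:12} {why}")
    print("privileged MFA exemptions:", privileged_exemptions(ACCOUNTS, ENTRY_POINTS))
```

On the sample data the only entry point that comes back clean is webmail; the RDP gateway exposes every account because it never asks for a second factor, and the VPN exposes the domain admin because of the exemption group, which is precisely the "admin can still log in with his password" gap. The goal of the audit is an empty result, with no exemption groups at all for privileged accounts.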
Remote access threats are the primary focus of Green Rocket Security. Our products provide simple, cost-effective solutions for 2FA.