Skeleton Key

Skeleton Key is a type of malware that, once injected into the LSASS process on a Domain Controller, can manipulate system files such as ole64.dll and msuta64.dll. This malicious software is typically deployed using credentials stolen from critical servers, administrators' workstations, or directly from the targeted domain controllers. After patching, threat actors can use the Skeleton Key password configured at deployment to log in as any domain user, essentially granting them unrestricted access to all accounts within the domain. The malware is often remotely installed on target domain controllers using the PsExec utility and the rundll32 command. In a major security incident, hackers used a digital skeleton key to gain unauthorized access to both personal and enterprise email accounts of government officials hosted by Microsoft. They initially broke into the system using unknown means, stealing the skeleton key which allowed for broad access to email accounts. Notably, this included US Commerce Secretary Gina Raimondo and other State and Commerce Department officials. The exact method of initial intrusion remains undisclosed by Microsoft, but it's clear that the stolen skeleton key provided extensive unauthorized access. This "Skeleton Key" attack represents a new type of direct prompt injection threat that could allow users to bypass ethical and safety guardrails built into generative AI models like ChatGPT. It affects multiple generative AI models tested, including those managed by Microsoft Azure AI, Meta, Google Gemini, OpenAI, Mistral, Anthropic, and Cohere. In response to the breach, Senator Wyden criticized Microsoft’s security measures, particularly highlighting their reported use of an expired encryption token that acted as a “skeleton key” for multiple private accounts.