What Is Credential Dumping & How To Prevent It?

1Kosmos

While phishing and network attacks remain the most common hacks, old-fashioned system hacking is still a threat to enterprises.

Credential dumping is when a hacker uses exploits to expose authentication credentials that they can use or sell.

Storing credentials

When we talk about authentication, we typically discuss identity verification from the outside in, a specific paradigm in which we can offload significant responsibility to end users. This is not so when securing authentication credentials.

Usernames, passwords, and PINs must be stored somewhere, usually in a few specific places. Larger application and system-wide credentials (particularly those associated with online accounts) often exist in databases. System passwords, such as those with local access to a machine or network, are stored on a local database or filesystem.

Credential dumping triggers a release of these passwords so hackers can steal them for further use. In both cases (databases or local storage), the hacker uses some sort of leverage (like a bug) to force the exposure of password information (called a "dump").

Common sources from which a credential dump can be triggered include:

  • Database dump: A hacker triggers the exposure of critical tables from a database containing user authentication information. Typical approaches include SQL injection or malformed requests, like those used in the recent Log4Shell exploit of Java servers. Database dumps (if the database manager is practicing good security hygiene) contain hashed passwords rather than plaintext, which means the attacker still has to crack the hashes.

  • Security Accounts Manager (SAM): SAM is a database file used on Windows since XP to authenticate local users. It is usually encrypted on disk, but like a database dump, once it is in a hacker's possession they can take their time breaking the encryption.

  • Local Security Authority (LSA): LSA handles local authentication and security policies and utilizes an area in memory called "LSA Secrets" that protects authentication credentials. This storage area is typically encrypted.

  • Active Directory: Active Directory supports several kinds of authentication, from user login to certificate management and federated authentication services. Authentication credentials are stored in an Active Directory database.

All of these credential storage locations use hashing and/or encryption. If hackers steal the database, they still have to penetrate the encryption.
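The difference between a plaintext dump and a hashed one, as an added example (not from the 1Kosmos post) that also shows why password reuse across accounts is visible in a plaintext dump but not in a salted one; the account names and password are constructed, and scrypt is the assumed stretching function.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: two users who happen to pick the same password.
USERS = {"alice": "Winter2024!", "bob": "Winter2024!"}


def store_plaintext(users: dict) -> dict:
    """The weak form: a dump of this table *is* the credential set, no cracking needed."""
    return dict(users)


def store_hashed(users: dict, n: int = 2 ** 14) -> dict:
    """The hardened form: per-user random salt plus scrypt stretching, so a dump
    yields only (salt, hash, cost) and every password must be cracked separately."""
    table = {}
    for user, password in users.items():
        salt = os.urandom(16)
        digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1)
        table[user] = (salt.hex(), digest.hex(), n)
    return table


def verify(table: dict, user: str, password: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    if user not in table:
        return False
    salt_hex, digest_hex, n = table[user]
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), n=n, r=8, p=1)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def same_password_linkable(table: dict, a: str, b: str) -> bool:
    """Whether the stored records alone reveal that two users share a password:
    true for plaintext, false for salted hashes (which also defeat rainbow tables)."""
    return table[a] == table[b]


if __name__ == "__main__":
    hashed = store_hashed(USERS)
    print("dump reveals shared password:", same_password_linkable(hashed, "alice", "bob"))
    print("alice verifies:", verify(hashed, "alice", "Winter2024!"))
```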

An additional, more insidious form of credential dumping can steal plaintext passwords in real-time. Since user credentials have to live in RAM for specific and critical operating system tasks, the hacker can exploit some components and dump a password directly to a terminal or text file.

Common attacks that can lead to a credential dump include:

  • Zero-day exploits: Zero-day exploits are those that have just been found, meaning they are not patched. Hackers with knowledge of zero-day bugs in systems may leverage them to gain admin access to a piece of software or system.

  • Unpatched software: A zero-day exploit at least gives software developers and admins an excuse since it's brand new. Many hardware, software, and platforms end up unpatched even when critical security updates become available.

  • Social engineering: If hackers can use email to access an administrator's system, they have free rein to expose passwords. Phishing attacks are typically the front line for most hacks, and can serve as the first sign of further attacks.

  • Dedicated tooling: According to MITRE ATT&CK, several popular and widespread utilities are used for credential dumping, including the trendsetting open-source mimikatz utility.
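A detection for the in-memory dumping described above (a process opening LSASS, which holds the LSA secrets, with memory-reading rights), as an added example that is not part of the original post. It runs over a constructed sample of Sysmon Event ID 10 (ProcessAccess) records; the file paths, access masks and call traces in the sample and the allowlist are assumptions to be tuned per environment.

```python
import json

# Constructed sample of Sysmon Event ID 10 (ProcessAccess) records as JSON lines.
# Field names follow Sysmon's schema; the paths, masks and call traces are made up.
SAMPLE_EVENTS = r"""
{"EventID":10,"SourceImage":"C:\\Program Files\\Windows Defender\\MsMpEng.exe","TargetImage":"C:\\Windows\\system32\\lsass.exe","GrantedAccess":"0x1400","CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+9d234"}
{"EventID":10,"SourceImage":"C:\\Users\\jdoe\\Downloads\\update.exe","TargetImage":"C:\\Windows\\system32\\lsass.exe","GrantedAccess":"0x1010","CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+9d234|UNKNOWN(00000000009A41F2)"}
{"EventID":10,"SourceImage":"C:\\Windows\\system32\\svchost.exe","TargetImage":"C:\\Windows\\system32\\notepad.exe","GrantedAccess":"0x1fffff","CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+9d234"}
"""

# Win32 process access rights that let a caller read, write or duplicate LSASS memory.
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
MEMORY_RIGHTS = PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE

# Assumed allowlist of images that legitimately touch LSASS (tune per environment).
ALLOWED_SOURCES = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

def is_suspicious_lsass_access(event: dict) -> bool:
    """True when a non-allowlisted process obtained memory rights on lsass.exe,
    or called from unbacked memory (an 'UNKNOWN' frame, typical of injected code)."""
    if event.get("EventID") != 10:
        return False
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    unbacked_caller = "UNKNOWN" in event.get("CallTrace", "")
    return bool(granted & MEMORY_RIGHTS) or unbacked_caller

def scan(jsonl: str) -> list:
    """Return the SourceImage of every suspicious LSASS access in a JSON-lines feed."""
    hits = []
    for line in jsonl.splitlines():
        if line.strip():
            event = json.loads(line)
            if is_suspicious_lsass_access(event):
                hits.append(event["SourceImage"])
    return hits

if __name__ == "__main__":
    for image in scan(SAMPLE_EVENTS):
        print("ALERT: memory access to lsass.exe by", image)
```

Only the unknown binary in a user's Downloads folder is flagged: Defender is allowlisted, and the svchost event never touched LSASS.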

Why credential dumping is a major problem

Any attack that exposes system credentials presents a significant problem to overall system security and integrity. Dumping provides an additional issue in that these attacks use multiple avenues to access credentials in ways system management or users may never know.

Common problems include:

  • Total system or account control: Dumping local security credentials means losing control of that system. Following that, the hacker is free to install malware, place monitoring software that doesn't register as malware, or use the computer as a zombie machine in a large botnet.

  • Lateral system movement: In a system of network computers, a hacker with local security or Active Directory credentials can move throughout the network with the same privileges and authority as the associated user. One of the critical components of an Advanced Persistent Threat (APT) is the ability to move laterally through a network to attack other systems.

  • Business account phishing attacks: If the hacker gains access to credentials that are shared or reused across enterprise accounts, they have plenty of leeway to use those accounts to, for example, send emails or direct messages as a user throughout an organization to steal other credentials.

  • The credentials black market: The worst part of a database dump is the propensity of hackers to sell databases, cracked or uncracked, on the dark web. Once these databases are in the wild, the credentials will be tried against random services or used in password spraying attacks within a short time.

How to prevent credential dumping attacks

Prevention involves a more diverse set of best practices compared to narrow attacks like password guessing or phishing. In some cases, dumping attacks can come through vectors that admins don't even know about.

Companies should follow every possible security practice necessary to prevent the issue. Most important practices to implement include:

  • Patch operating systems and network software: Always patch hardware and software as soon as security alerts come out. These patches are almost always released on the tail end of a security breach or zero-day exploit, and must be installed.

  • Force use of unique credentials: If an employee uses the same credentials across several platforms or systems, a dump will render all those accounts vulnerable. A crafty hacker can take those credentials, try them across these platforms, and essentially take control of them. By requiring a unique passphrase for each system, you reduce the chance of a credential dump affecting other systems.

  • Secure administrator passwords: Administrator passwords are the keys to the kingdom. Most security experts recommend using a local admin password solution on top of other advanced security. These credentials are best stored off public networks and, where possible, tied to hardware authenticators (like security keys).

You can take a few effective steps on the user side to reduce the impact of a credential dump should it lead to hackers gaining access to the system:

  • Force MFA for all authentication: While MFA will most likely not stop a hacker who has snuck into a system via a zero-day, it can halt outside attacks. MFA can halt a hacker in their tracks if they attempt to move laterally to a system that requires a secondary authentication factor.

  • Use passwordless authentication: If someone steals a password from a local system, does passwordless help? Yes and no. Passwordless is more of a solution for software and platforms, and it essentially eliminates the weakness of a password as it relates to overall network or app security. Like MFA, utilizing passwordless authentication can fence in hackers attempting to leverage dumped credentials.

  • Operate using principles of least privilege and zero-trust: Most mission-critical systems in the industrial and government sectors are turning to PoLP and zero-trust specifically to minimize the impact of a vulnerable user account. Depending on your organization's work and the data processed, this might be the right path.

User account security with 1Kosmos

No system is 100% secure. As hackers dig into exploits that could expose databases or even credentials stored in RAM, there is a hard limit as to what an authentication solution may accomplish to prevent credential dumping.

Good authentication security can prevent common threats that stem from dumping.

1Kosmos helps with such security:

  • SIM binding: 1Kosmos uses SMS verification, identity proofing, and SIM card authentication to create solid, robust, and secure device authentication from any employee's phone.

  • Identity-based authentication: 1Kosmos uses biometrics to identify individuals through credential triangulation and identity verification.

  • Cloud-native architecture: Flexible and scalable cloud architecture makes it simple to build applications using standard API and SDK.

  • Identity proofing: 1Kosmos verifies identity anywhere, anytime and on any device with over 99% accuracy.

  • Privacy by design: 1Kosmos protects personally identifiable information in a distributed identity architecture and the encrypted data is only accessible by the user.

  • Private and permissioned blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain and encrypts digital identities, which are only accessible by the user. Its distributed design means there is no central database to breach and no honeypot for hackers to target.

  • Interoperability: 1Kosmos can readily integrate with existing infrastructure through 50+ out-of-the-box integrations or via API/SDK.

The latest in identity security.

Enter our orbit.


Transform how you verify and authenticate

Secure onboarding, eliminate passwords, and stop fraud on one platform. Schedule a demo and see it in action.
