April 25, 2024
Key Points
ReliaQuest is observing threat actors relying less and less on rudimentary tactics, such as brute-force attacks, to acquire account credentials. To gain credentials that will allow them to target additional systems and applications, they’re opting for more sophisticated methods. One method is browser credential dumping, which accounted for 21% of the credential-access techniques we observed across our customer base in 2023, in elevated incidents.
Browser credential dumping is a malicious act in which a hacker attempts to gain access to personal information, such as usernames and passwords, or steal a web browser’s cookies. This technique is typically observed after a threat actor/group has obtained initial access through phishing or drive-by download, or by exploiting a vulnerability that provides remote code execution (RCE) capabilities on the target machine.
This method targets the convenient, user-friendly feature that allows web browsers to save credentials locally on a machine’s file system so they don’t need to be entered manually every time. Threat actors are accessing the storage locations and exfiltrating or decrypting the contents. This attack method can be used against any sector or location; all entities should consider themselves at risk. Security researchers have noted varied use of the technique, such as:
This report describes browser credential dumping and its potential impact, illustrating the threat with a case study and outlining methods for detection and protection. By understanding this threat, defenders can assess their own exposure, adapt defensive strategies, and significantly reduce their risk of being targeted and exploited.
In this section, we examine how attackers perform browser credential dumping, which varies by OS and tools.
On machines running Microsoft Windows, web browsers store cookie data and login information, such as usernames and passwords, in specific directories on the file system. For example:
C:\Users\<UserName>\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
C:\Users\<UserName>\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\<UserName>\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
C:\Users\<UserName>\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
C:\Users\<UserName>\AppData\Local\Mozilla\Firefox\Profiles
Regardless of the browser, the directories are fairly standardized, which has enabled even lesser-skilled threat actors to automate the access of these files. For instance, an attacker may use a phishing message to trick an unsuspecting user into executing and running an embedded script that uses PowerShell or the command prompt in the background to access credential files.
The script can dump the files’ contents into a secondary file, which the threat actor can then exfiltrate to crack offline or decrypt on the machine itself. They can do so through either an ingressed tool set or built-in functions, such as CryptUnprotectData. For environments running Windows, a main consideration should be whether the business is able to enforce limited use of, or completely block, this functionality. Another key consideration should be using application control through group policies, which are outlined in more detail in the final section of this report.
On machines running MacOS, web browsers use similar storage methods to those employed by Windows machines for application/website user credentials and cookie data. Common storage locations for MacOS credential file directories include:
/Library/Application Support/Google/Chrome/Default/Cookies
/Library/Application Support/Google/Chrome/Default/Login Data
/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite
/Library/Application Support/Firefox/Profiles/*.default/login.json
/Library/Safari/LocalStorage/*
~/Library/Cookies/*
/Library/Safari/Form Values/*
Unlike Windows, MacOS also uses the Keychain function to store credentials. MacOS has three different types of Keychains:
Most significantly for browser credential dumping, threat actors can directly interact with the Login Keychain through the Keychain Access application, which uses a graphical interface, or, more commonly, through the terminal command-line interface by invoking the “security” framework commands. Threat actors can dump the Keychain by simply extracting the files through such commands as “copy,” “cat,” and “zip.” However, this method requires the threat actor to enter valid credentials for an authenticated account on the machine, previously gained via an alternative method.
An attacker can also use the aforementioned security commands, specifically “dump-keychain,” to extract Keychain credentials. This is typically executed with sudo, which makes MacOS run the command with administrator (root) privileges.
Finally, threat actors can use ingressed tools, such as KeychainDump or Chainbreaker, to hunt for unlocked master keys or extract data from the OSX Keychain. Organizations primarily using MacOS devices should invest in mobile device management (MDM) solutions, such as Jamf, to implement the policies and controls mentioned in the final section of this report, decreasing the impact of this attack method.
Having explained variations in extracting browser credentials from Windows or MacOS devices, we move on to examples of how various categories of tools are used to this end. Open-source tools, command-and-control (C2) frameworks, and information stealer malware (infostealers) enable automation and customization of the extraction process. This frees up the attacker to focus on the remaining tasks involving the configuration and ingress of the tool onto the target machine.
Open-source tools are easily accessible, typically in code repositories, and are free—unlike those available on closed-source platforms that require memberships or subscription fees. Two common open-source tools that enable threat actors to gather web browser credentials are “Lazagne” and “HackerBrowserData.” Both are readily available on GitHub and were created to identify relevant data on a target machine, extract and export the credential information, and—in some cases—give the threat actor the option to decrypt the data. To take advantage of this capability, attackers must ingress the tool onto the target’s machine through various means; phishing attacks and drive-by download are the most common.
Attackers use C2 and post-exploit frameworks to save time on custom development and gain flexibility in attacks as they come packed with multiple modules and functions that can be used across different stages of the attack cycle. The two most notable such frameworks are Cobalt Strike and Metasploit, and browser credential dumping’s value can be maximized within these widely used frameworks. For Metasploit, there are multiple modules within the Post package that can be called upon for browser credential dumping, such as:
post/windows/gather/credentials/chrome
post/windows/gather/credentials/opera
post/firefox/gather/cookies
post/firefox/gather/passwords
post/osx/gather/enum_keychain
With Cobalt Strike, using the “chromedump” command will achieve the same result, as it injects itself into the specified process to recover credential information from Google Chrome.
Infostealers are designed specifically to gather information about a host and credentials; they target various sources, such as password managers, web browsers, file systems, and more. The benefit of using infostealers, from a threat-actor perspective, is that they very quickly gather credentials and enable privileged access that maintains persistence. Examples of infostealers that have incorporated browser credential dumping are RedLine, “Raccoon,” and “Lumma” (previously known as LummaC2).
Infostealers have become significantly more prolific in the past year, as detailed in the Threat Forecast section below (a 201% increase in the last 12 months). Infostealers, open-source tools, and C2 frameworks must all be ingressed to the target host and executed by an unsuspecting user.
In the fourth quarter of 2023, ReliaQuest observed an infostealer with ties to Lumma used against a customer in the manufacturing sector. Our analysis revealed that the initial method for the ingress of the LummaC2 infostealer was likely a drive-by download initiated by a redirect when an unsuspecting user visited an affected domain. They were redirected to a MediaFire-hosted download link, which proceeded to download an archived file named Passwrd-2023_Setup.rar.
Sandboxing the file first revealed that a password was required to extract the contents, after which a setup.exe file was extracted. Once setup.exe was executed, it initiated connections to an external IP address, 188.114.96[.]3, and made POST requests to the domain hxxp://ebalkayiu[.]fun/api. That process was likely how the data, including web browser credentials, was exfiltrated.
The targeted machine did communicate with the malicious domain, indicating that the initial payload had been extracted and executed by the unsuspecting user. The process we observed initiating the connection was in the following directory:
C:\<REDACTED>\SOFTWARE\Passwrd-2023_Setup\Setup.exe
The process information within the endpoint detection and response (EDR) solution showed that the malicious extracted file setup.exe carried a valid signature from VideoLAN, so the tool did not immediately mitigate the process by blocking and quarantining it. Further analysis of the log data from the EDR tool showed events indicating that Explorer.exe, launched by CMD.exe, accessed the following file, which indicates active extraction of browser credentials from Google Chrome on the targeted machine:
\Users\<REDACTED>\AppData\Local\Google\Chrome\User Data\Default\Login Data
Our quick response and analysis meant that the extracted credentials were not used for any subsequent authentication activity. The client took immediate remediation steps to protect the targeted host and the user: reimaging the host, resetting the credentials of the account, and resetting all sessions.
Using this case study as a learning experience, we can observe which controls helped mitigate the attack, and how the customer could have performed better in their implementation. The customer’s EDR solution helped alert them to the activity, but application control did not block the execution of the malicious process; the setup.exe process spoofed a valid signature. This could be improved with a stricter allowlist of business processes only, rather than merely blocking unknown applications. The effective detection methodology and incident response led to the timely reporting of the activity and remediation via host reimaging and credential resets. That prevented the potentially dumped credentials from being used further, but a potential improvement of the remediation steps would be ensuring the user also resets any credentials for which they may have reused their password.
The increasing sophistication of organizations’ auditing practices has led to a rise in tactics designed to avoid detection and blend into normal organizational activities. Threat actors are turning to credential-access methods that enable them to be more covert when conducting reconnaissance, moving laterally, and extracting data without raising alarms. This stealthier approach, which uses tools that automate the attack process, such as infostealers, is likely to persist and become more prevalent in the mid- to long-term future (6 to 18 months) across all sectors.
ReliaQuest’s analysis of incident response and threat intelligence shows a 201% increase in advertisements of infostealer logs on the Russian Market cybercrime marketplace—from approximately 150,000 to 455,000 in the last 12 months. This indicates a rise in the use of compromised credentials, which is supported by data linked to the leaked-credential repository we monitor: In 2023, approximately 6 billion credentials were added to a repository of 30 billion, which is an increase of 20% in a single year. Until organizations implement policy and control measures to significantly decrease the impact of this attack method, credential theft and unauthorized use will remain a significant threat and allow attackers to remain undetected for longer periods, exacerbating the impact of breaches.
Any use of the various techniques reviewed above leads to the generation of various indicators of compromise (IoC). Those can be used for detections and help mitigate the impact of browser credential dumping. Monitoring for file access is essential, as is monitoring for file modifications to the directories highlighted above from unexpected processes. This can be achieved through telemetry from system security logs or an EDR solution.
Additionally, monitoring for command-line and scripting activity, which provides an additional telemetry point for file access/modification by correlating expected commands, is valuable for enhancing detection capabilities. ReliaQuest continuously researches browser credential dumping and the underlying telemetry to develop and deploy a comprehensive detection package for our customers and detect the presence of relevant tools within the environment.
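As an added example (not ReliaQuest’s detection package, nor code from any tool named in this report), the script below turns the two detection ideas above into a small rule: file access or modification of the Windows and MacOS credential-store paths listed earlier, by any process other than the browser that owns the store, is flagged, and a process start whose command line invokes the MacOS “security dump-keychain” command is flagged as well. The input is a constructed, EDR-style event stream (one JSON object per line with the keys event, host, user, process, and path or cmdline); that schema, the sample events, and the allowlist of expected browser process names are assumptions you would replace with your own telemetry and fleet baseline.

```python
"""Flag browser credential-store access by unexpected processes.

Added example only; the event schema below is an assumption, not the
format of any particular EDR product.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List

# Credential stores named in the report (Windows and MacOS). Matched
# case-insensitively against a path normalised to forward slashes.
CREDENTIAL_STORE_PATTERNS = [
    re.compile(p, re.I)
    for p in (
        r"/appdata/local/google/chrome/user data/[^/]+/(network/)?cookies$",
        r"/appdata/local/google/chrome/user data/[^/]+/login data$",
        r"/appdata/local/microsoft/edge/user data/[^/]+/(network/)?cookies$",
        r"/appdata/local/microsoft/edge/user data/[^/]+/login data$",
        r"/appdata/(local|roaming)/mozilla/firefox/profiles/.+\.(sqlite|json)$",
        r"/library/application support/google/chrome/[^/]+/(cookies|login data)$",
        r"/library/application support/firefox/profiles/.+/(cookies\.sqlite|logins?\.json)$",
        r"/library/cookies/",
        r"/library/safari/(localstorage|form values)/",
    )
]

# Processes expected to read their own stores (assumed baseline; tune per fleet).
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe",
                      "google chrome", "firefox", "safari"}

# MacOS keychain dump via the security CLI, with or without sudo.
KEYCHAIN_DUMP = re.compile(r"\bsecurity\b.*\bdump-keychain\b", re.I)


@dataclass
class Finding:
    host: str
    process: str
    reason: str
    detail: str


def normalise(path: str) -> str:
    """Lower-case and convert backslashes so one pattern set covers both OSes."""
    return path.replace("\\", "/").lower()


def is_credential_store(path: str) -> bool:
    p = normalise(path)
    return any(rx.search(p) for rx in CREDENTIAL_STORE_PATTERNS)


def analyse(lines: Iterable[str]) -> List[Finding]:
    """Apply both rules to a stream of JSON event lines and return findings."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        proc = ev.get("process", "").lower()
        if ev["event"] in ("file_read", "file_modify"):
            # Rule 1: credential store touched by a non-browser process.
            if is_credential_store(ev.get("path", "")) and proc not in EXPECTED_PROCESSES:
                findings.append(Finding(ev["host"], ev["process"],
                                        f"{ev['event']} of browser credential store by unexpected process",
                                        ev["path"]))
        elif ev["event"] == "process_start":
            # Rule 2: keychain dump through the security command.
            if KEYCHAIN_DUMP.search(ev.get("cmdline", "")):
                findings.append(Finding(ev["host"], ev["process"],
                                        "keychain dump via security CLI", ev["cmdline"]))
    return findings


# Constructed sample events: two benign browser reads, two suspicious file
# reads on Windows, and one keychain dump on MacOS.
SAMPLE_EVENTS = r"""
{"event": "file_read", "host": "WS01", "user": "alice", "process": "chrome.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"event": "file_read", "host": "WS01", "user": "alice", "process": "setup.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"event": "file_read", "host": "WS02", "user": "bob", "process": "powershell.exe", "path": "C:\\Users\\bob\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Network\\Cookies"}
{"event": "file_read", "host": "MAC01", "user": "carol", "process": "Safari", "path": "/Users/carol/Library/Cookies/Cookies.binarycookies"}
{"event": "process_start", "host": "MAC01", "user": "carol", "process": "bash", "cmdline": "sudo security dump-keychain -d login.keychain-db"}
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS.splitlines()):
        print(f"{f.host}: {f.process} -> {f.reason} ({f.detail})")
```

Running it on the sample events reports setup.exe and powershell.exe for the Windows credential-store reads and bash for the keychain dump, while the reads by chrome.exe and Safari pass. The allowlist is deliberately narrow: a browser updater, backup agent, or sync client that legitimately reads these files will surface as a finding the first time and should be added to the baseline after review, rather than the rule being widened to ignore whole directories.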
In addition to ensuring adequate logging and implementing detection rules, organizations should consider the following recommendations to mitigate the threat of browser credential dumping.