Key Points

  • Threat actors are using browser credential dumping, and other sophisticated methods, to acquire access to valid accounts without brute-forcing. Browser credential dumping represented 21% of ReliaQuest customers’ incidents involving credential access in 2023.
  • Browser credential dumping can affect entities in any sector or location, whether at the enterprise level or specific to personal users.
  • With adequate detection methods and preventive/mitigative controls, organizations can significantly decrease the impact of browser credential dumping, and reduce the risk of this attack method being used against them.

ReliaQuest is observing threat actors relying less and less on rudimentary tactics, such as brute-force attacks, to acquire account credentials. To gain credentials that will allow them to target additional systems and applications, they’re opting for more sophisticated methods. One method is browser credential dumping, which accounted for 21% of the credential-access techniques we observed across our customer base in 2023, in elevated incidents.

Browser credential dumping is a malicious act in which a hacker attempts to gain access to personal information, such as usernames and passwords, or steal a web browser’s cookies. This technique is typically observed after a threat actor/group has obtained initial access through phishing or drive-by download, or by exploiting a vulnerability that provides remote code execution (RCE) capabilities on the target machine.

This method targets the convenient, user-friendly feature that allows web browsers to save credentials locally on a machine’s file system so they don’t need to be entered manually every time. Threat actors are accessing the storage locations and exfiltrating or decrypting the contents. This attack method can be used against any sector or location; all entities should consider themselves at risk. Security researchers have noted varied use of the technique, such as:

  • “Lapsus$ Group” has used “RedLine” to obtain passwords and session tokens.
  • The “QakBot” (aka QBot) banking trojan can dump credentials from browser data and cookies.
  • “APT31” (aka Zirconium) has been known to use a Python-compiled binary with capabilities for browser credential dumping.

This report describes browser credential dumping and its potential impact, illustrating the threat with a case study and outlining methods for detection and protection. By understanding this threat, defenders can assess their own exposure, adapt defensive strategies, and significantly reduce their risk of being targeted and exploited.

Methodology

In this section, we examine how attackers perform browser credential dumping, which varies by OS and tools.

Windows

On machines running Microsoft Windows, web browsers store cookie data and login information, such as usernames and passwords, in specific directories on the file system. For example:

  • Chrome:

C:\Users\<UserName>\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

C:\Users\<UserName>\AppData\Local\Google\Chrome\User Data\Default\Login Data

  • Edge:

C:\Users\<UserName>\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

C:\Users\<UserName>\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

  • Firefox:

C:\Users\<UserName>\AppData\Local\Mozilla\Firefox\Profiles

Regardless of the browser, these directories are fairly standardized, which has enabled even lesser-skilled threat actors to automate access to the files. For instance, an attacker may use a phishing message to trick an unsuspecting user into executing an embedded script that uses PowerShell or the command prompt in the background to access the credential files.

The script can dump the files’ contents into a secondary file, which the threat actor can then exfiltrate to crack offline or decrypt on the machine itself, using either an ingressed tool set or built-in functions such as CryptUnprotectData. For environments running Windows, a main consideration should be whether the business is able to limit or completely block the use of this functionality. Another key consideration is application control through group policies, which is outlined in more detail in the final section of this report.

MacOS

On machines running MacOS, web browsers use similar storage methods to those employed by Windows machines for application/website user credentials and cookie data. Common storage locations for MacOS credential file directories include:

  • Chrome:

/Library/Application Support/Google/Chrome/Default/Cookies

/Library/Application Support/Google/Chrome/Default/Login Data

  • Firefox:

/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite

/Library/Application Support/Firefox/Profiles/*.default/login.json

  • Safari:

/Library/Safari/LocalStorage/*, ~/Library/Cookies/*

/Library/Safari/Form Values/*

Unlike Windows, MacOS additionally provides the Keychain for storing credentials. MacOS has three different types of Keychains:

  • The Login Keychain stores user passwords and information.
  • The System Keychain stores items accessed by the OS (typically, items shared among users on a host).
  • The Local Items Keychain is used for items synced with Apple’s iCloud service.

Most significantly for browser credential dumping, threat actors can directly interact with the Login Keychain through the Keychain Access application, which uses a graphical interface, or, more commonly, through the terminal command-line interface by invoking the “security” framework commands. Threat actors can dump the Keychain by simply extracting the files through such commands as “copy,” “cat,” and “zip.” However, this method requires the threat actor to enter valid credentials for an authenticated account on the machine, previously gained via an alternative method.

An attacker can also use the aforementioned security commands, specifically “dump-keychain,” to extract Keychain credentials. This is typically executed with the sudo prefix, which makes MacOS run the command with administrator (root) privileges.

Finally, threat actors can use ingressed tools, such as KeychainDump or Chainbreaker, to hunt for unlocked master keys or extract data from the OSX Keychain. Organizations primarily using MacOS devices should invest in mobile device management (MDM) solutions, such as Jamf, to implement the policies and controls mentioned in the final section of this report, decreasing the impact of this attack method.

Tools

Having explained variations in extracting browser credentials from Windows or MacOS devices, we move on to examples of how various categories of tools are used to this end. Open-source tools, command-and-control (C2) frameworks, and information stealer malware (infostealers) enable automation and customization of the extraction process. This frees up the attacker to focus on the remaining tasks involving the configuration and ingress of the tool onto the target machine.

Open-source tools are easily accessible, typically in code repositories, and are free—unlike those available on closed-source platforms that require memberships or subscription fees. Two common open-source tools that enable threat actors to gather web browser credentials are “LaZagne” and “HackBrowserData.” Both are readily available on GitHub and were created to identify relevant data on a target machine, extract and export the credential information, and—in some cases—give the threat actor the option to decrypt the data. To take advantage of this capability, attackers must ingress the tool onto the target’s machine through various means; phishing attacks and drive-by downloads are the most common.

Attackers use C2 and post-exploitation frameworks to save time on custom development and to gain flexibility, as these frameworks come packed with multiple modules and functions that can be used across different stages of the attack cycle. The two most notable are Cobalt Strike and Metasploit, and browser credential dumping’s value can be maximized within these widely used frameworks. In Metasploit, multiple modules within the Post package can be called upon for browser credential dumping, such as:

post/windows/gather/credentials/chrome

post/windows/gather/credentials/opera

post/firefox/gather/cookies

post/firefox/gather/passwords

post/osx/gather/enum_keychain

With Cobalt Strike, the “chromedump” command achieves the same result by injecting into the specified process to recover credential information from Google Chrome.

Infostealers are designed specifically to gather information about a host and its credentials; they target various sources, such as password managers, web browsers, file systems, and more. The benefit of using infostealers, from a threat-actor perspective, is that they very quickly gather credentials and enable privileged access that maintains persistence. Examples of infostealers that have incorporated browser credential dumping are RedLine, “Raccoon,” and “Lumma” (previously known as LummaC2).

Infostealers have become significantly more prolific in the past year, with a 201% increase in the last 12 months, as detailed in the Threat Forecast section below. Infostealers, open-source tools, and C2 frameworks must all be ingressed to the target host and executed by an unsuspecting user.

Case Study

In the fourth quarter of 2023, ReliaQuest observed an infostealer with ties to Lumma used against a customer in the manufacturing sector. Our analysis revealed that the initial method for the ingress of the LummaC2 infostealer was likely a drive-by download initiated by a redirect when an unsuspecting user visited an affected domain. They were redirected to a MediaFire-hosted download link, which proceeded to download an archived file named Passwrd-2023_Setup.rar.

Sandboxing the file first revealed that a password was required to extract the contents, after which a setup.exe file was extracted. Once setup.exe was executed, it initiated connections to an external IP address, 188.114.96[.]3, and made POST requests to the domain hxxp://ebalkayiu[.]fun/api. That process was likely how the data, including web browser credentials, was exfiltrated.

The targeted machine did communicate with the malicious domain, indicating that the initial payload had been extracted and executed by the unsuspecting user. The process we observed initiating the connection was in the following directory:

C:\<REDACTED>\SOFTWARE\Passwrd-2023_Setup\Setup.exe

The process information within the endpoint detection and response (EDR) solution showed that the malicious extracted file setup.exe carried a valid signature from VideoLAN, so the tool did not immediately mitigate the process by blocking and quarantining it. Further analysis of the log data from the EDR tool showed events indicating that files were accessed by Explorer.exe, which had been initiated by CMD.exe, for the following file, indicating active extraction of browser credentials from Google Chrome on the targeted machine:

\Users\<REDACTED>\AppData\Local\Google\Chrome\User Data\Default\Login Data

Our quick response and analysis meant that the extracted credentials were not used for any subsequent authentication activity. The client took immediate remediation steps to protect the targeted host and the user: reimaging the host, resetting the credentials of the account, and resetting all sessions.

Using this case study as a learning experience, we can observe which controls helped mitigate the attack, and where the customer’s implementation could have been stronger. The customer’s EDR solution helped alert them to the activity, but application control did not block the execution of the malicious process, because the setup.exe process carried a valid signature. This could be improved with a stricter allowlist that permits business processes only, rather than merely blocking unknown applications. The effective detection methodology and incident response led to the timely reporting of the activity and remediation via host reimaging and credential resets. That prevented the potentially dumped credentials from being used further, but a potential improvement to the remediation steps would be ensuring the user also reset any credentials for other services where they may have reused the same password.

Threat Forecast

The increasing sophistication of organizations’ auditing practices has led to a rise in tactics designed to avoid detection and blend into normal organizational activities. Threat actors are turning to credential-access methods that enable them to be more covert when conducting reconnaissance, moving laterally, and extracting data without raising alarms. This stealthier approach, which uses tools that automate the attack process, such as infostealers, is likely to persist and become more prevalent in the mid- to long-term future (6 to 18 months) across all sectors.

ReliaQuest’s analysis of incident response and threat intelligence shows a 201% increase in advertisements of infostealer logs on the Russian Market cybercrime marketplace—from approximately 150,000 to 455,000 in the last 12 months. This indicates a rise in the use of compromised credentials, which is supported by data linked to the leaked-credential repository we monitor: In 2023, approximately 6 billion credentials were added to a repository of 30 billion, which is an increase of 20% in a single year. Until organizations implement policy and control measures to significantly decrease the impact of this attack method, credential theft and unauthorized use will remain a significant threat and allow attackers to remain undetected for longer periods, exacerbating the impact of breaches.

What ReliaQuest Is Doing

Any use of the techniques reviewed above generates indicators of compromise (IoCs), which can be used to build detections and help mitigate the impact of browser credential dumping. Monitoring for file access is essential, as is monitoring for modifications to the directories highlighted above by unexpected processes. This can be achieved through telemetry from system security logs or an EDR solution.

Monitoring command-line and scripting activity adds a further telemetry point: correlating the commands observed with the file access or modification events lets defenders separate expected activity from dumping attempts and enhances detection capabilities. ReliaQuest continuously researches browser credential dumping and the underlying telemetry to develop and deploy a comprehensive detection package for our customers and to detect the presence of relevant tools within the environment.
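The following is an added example, not part of ReliaQuest’s detection package or this report, showing how the two telemetry points above (file access to the Windows and MacOS credential-store paths listed in the Methodology section, and command-line activity) can be combined into a simple rule set. It runs over constructed EDR-style events; the event field names (host, process, parent_process, command_line, target_path), the process allowlists, and the sample data are assumptions and should be adapted to the real log schema.

```python
"""Flag browser credential-store access by unexpected processes.

Added example (not ReliaQuest's detection content): a small rule set run over
constructed EDR-style telemetry events. The event schema (host, process,
parent_process, command_line, target_path) is an assumption.
"""
import re
from fnmatch import fnmatchcase

# Glob patterns for the credential stores named in the report, in lower case with
# forward slashes so one pattern set covers both Windows and MacOS paths.
CREDENTIAL_STORES = {
    "chrome": [
        "*/google/chrome/user data/*/login data",
        "*/google/chrome/user data/*/network/cookies",
        "*/application support/google/chrome/*/login data",
        "*/application support/google/chrome/*/cookies",
    ],
    "edge": [
        "*/microsoft/edge/user data/*/login data",
        "*/microsoft/edge/user data/*/network/cookies",
    ],
    "firefox": [
        "*/mozilla/firefox/profiles/*",
        "*/application support/firefox/profiles/*",
    ],
    "safari": ["*/library/safari/*", "*/library/cookies/*"],
    "keychain": ["*/library/keychains/*"],
}

# Processes that legitimately open each store (assumed allowlist); any other reader
# is a finding. Tune this to the browsers and helpers actually deployed.
EXPECTED_PROCESSES = {
    "chrome": {"chrome.exe", "google chrome", "google chrome helper"},
    "edge": {"msedge.exe", "microsoft edge"},
    "firefox": {"firefox.exe", "firefox"},
    "safari": {"safari"},
    "keychain": {"securityd", "keychain access", "loginwindow"},
}
BROWSER_PROCESSES = set().union(*EXPECTED_PROCESSES.values())

# Command-line fragments that indicate a shell or script reaching for these stores
# or invoking the keychain command and tools the report describes.
SUSPICIOUS_CMDLINE = re.compile(
    r"dump-keychain|login data|cookies\.sqlite|logins\.json|lazagne|hackbrowserdata",
    re.IGNORECASE,
)


def normalise(path: str) -> str:
    return path.replace("\\", "/").lower()


def classify_store(path: str):
    """Return the store a path belongs to, or None if it is not a credential store."""
    p = normalise(path)
    for store, patterns in CREDENTIAL_STORES.items():
        if any(fnmatchcase(p, pat) for pat in patterns):
            return store
    return None


def evaluate_event(event: dict):
    """Return a finding dict for one event, or None when nothing is suspicious."""
    proc = event.get("process", "").lower()
    reasons = []
    store = classify_store(event.get("target_path", ""))
    if store and proc not in EXPECTED_PROCESSES[store]:
        reasons.append(f"{store} store read by unexpected process {proc}")
    if proc not in BROWSER_PROCESSES and SUSPICIOUS_CMDLINE.search(event.get("command_line", "")):
        reasons.append("credential-dumping command line")
    if not reasons:
        return None
    return {"host": event["host"], "process": proc,
            "parent": event.get("parent_process", ""), "reasons": reasons}


def scan(events):
    """Run evaluate_event over an iterable of telemetry events and collect findings."""
    return [f for f in (evaluate_event(e) for e in events) if f]


# Constructed sample telemetry; hosts, users and command lines are made up.
SAMPLE_EVENTS = [
    {"host": "ws01", "process": "chrome.exe", "parent_process": "explorer.exe",
     "command_line": "chrome.exe --profile-directory=Default",
     "target_path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # Mirrors the case study: Explorer spawned from cmd.exe touching Login Data.
    {"host": "ws01", "process": "explorer.exe", "parent_process": "cmd.exe",
     "command_line": "",
     "target_path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "ws02", "process": "msedge.exe", "parent_process": "explorer.exe",
     "command_line": "msedge.exe",
     "target_path": r"C:\Users\bob\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"},
    {"host": "mac01", "process": "security", "parent_process": "bash",
     "command_line": "security dump-keychain -d /Users/carol/Library/Keychains/login.keychain-db",
     "target_path": "/Users/carol/Library/Keychains/login.keychain-db"},
    {"host": "ws03", "process": "powershell.exe", "parent_process": "setup.exe",
     "command_line": r"powershell -c Copy-Item 'C:\Users\dan\AppData\Local\Google\Chrome\User Data\Default\Login Data' C:\Temp\ld.db",
     "target_path": r"C:\Users\dan\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The browser processes themselves are allowlisted per store rather than globally, so Chrome reading Firefox’s profile directory would still be flagged, and the command-line rule is only applied to non-browser processes to avoid noise from the browsers’ own long argument lists. Parent process is carried through in the finding because, as in the case study, the spawning shell is often the more useful pivot than the process that touched the file.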

Recommendations and Best Practices

In addition to ensuring adequate logging and implementing detection rules, organizations should consider the following recommendations to mitigate the threat of browser credential dumping.

  • Enforce policies that block users from storing credentials in the web browser, which will significantly decrease the effectiveness of this attack method, provided that the necessary technology is in place to replace the ease of use, such as single sign-on (SSO) for business-related applications.
  • Enforce multifactor authentication (MFA) on business applications to avoid a direct compromise from known credentials. This will provide an extra layer of defense, as attackers will also need to bypass the users’ MFA mechanism, significantly increasing the complexity of the attack method. Furthermore, unexpected MFA requests can serve as an additional warning of a possible credential compromise.
  • Migrate users to offline password managers with highly complex master passwords or use a centralized password vault across the enterprise with SSO and MFA enabled.
  • Train users on the importance of not reusing credentials across different applications. Complying with this key best practice will hinder threat actors from being able to easily pivot to multiple systems/applications by using the same set of credentials.
  • For Windows machines, implement group policies and mechanisms such as AppLocker or Windows Defender Application Control, which restrict the execution of unknown and unexpected applications that aren’t required for business use through a known allowlist approach. This will help combat the execution of infostealers by threat actors looking to extract browser credentials and telemetry data.
  • For MacOS devices, use an MDM platform, such as Jamf, to enforce application control, allowing the execution only of vetted and expected applications; this will have a similar effect on the security posture as the previous recommendation.
  • Restrict command and terminal use on Windows and MacOS devices while adhering to the principle of least privilege, limiting it to business-relevant tasks; this will block threat actors’ ability to ingress tools with RCE when they do not possess credentials for an authenticated user on the machine.
  • Restricting Windows command usage can be accomplished by only allowing “Internal” commands to be used if necessary and blocking “External” commands that invoke other processes through the revocation of read permissions for the relevant processes. Similarly, restricting Windows PowerShell usage can be accomplished through the use of a strict Set-MpPreference cmdlet policy that switches PowerShell into Constrained Language mode and disables the use of common cmdlets used by attackers.
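As an added example for the first recommendation above (blocking credential storage in the browser), and not part of this report or ReliaQuest’s tooling, the script below audits whether the built-in password managers of Chrome, Edge and Firefox have been disabled by policy. The registry locations and value names are the documented Chrome and Edge enterprise policies, and the Firefox setting is the OfferToSaveLogins key of its policies.json; the live registry read only runs on Windows, while the audit functions operate on a snapshot so the logic can be exercised anywhere. The sample snapshot and policies.json are constructed.

```python
"""Audit whether built-in browser password saving is disabled by policy.

Added example, not ReliaQuest's tooling. The registry keys and value names are the
documented Chrome and Edge enterprise policies; Firefox is configured through a
policies.json file. read_windows_policies() is the only part that touches a live
host, and only on Windows; the audit functions work on a snapshot so they run anywhere.
"""
import json
import platform

# (registry subkey under HKEY_LOCAL_MACHINE, value name, value that disables saving)
WINDOWS_POLICIES = {
    "chrome": (r"SOFTWARE\Policies\Google\Chrome", "PasswordManagerEnabled", 0),
    "edge": (r"SOFTWARE\Policies\Microsoft\Edge", "PasswordManagerEnabled", 0),
}
# Firefox policies.json key that stops the browser offering to save logins.
FIREFOX_POLICY = ("OfferToSaveLogins", False)


def read_windows_policies():
    """Read the live registry values on Windows into a snapshot {(subkey, name): value}."""
    if platform.system() != "Windows":
        return {}
    import winreg  # only available on Windows
    snapshot = {}
    for subkey, name, _wanted in WINDOWS_POLICIES.values():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                value, _type = winreg.QueryValueEx(key, name)
                snapshot[(subkey, name)] = value
        except OSError:
            pass  # key or value absent: the policy is not set
    return snapshot


def audit_windows_snapshot(snapshot):
    """Return one finding per browser whose password manager is not disabled by policy."""
    findings = []
    for browser, (subkey, name, wanted) in WINDOWS_POLICIES.items():
        value = snapshot.get((subkey, name))
        if value is None:
            findings.append(f"{browser}: {name} not set; password saving is allowed")
        elif value != wanted:
            findings.append(f"{browser}: {name}={value}; expected {wanted}")
    return findings


def audit_firefox_policies(policies_text):
    """Check a policies.json document for the OfferToSaveLogins policy."""
    key, wanted = FIREFOX_POLICY
    policies = json.loads(policies_text).get("policies", {})
    if key not in policies:
        return [f"firefox: {key} not set; password saving is allowed"]
    if policies[key] != wanted:
        return [f"firefox: {key}={policies[key]}; expected {wanted}"]
    return []


# Constructed snapshot: Chrome policy compliant, Edge policy missing.
SAMPLE_SNAPSHOT = {(r"SOFTWARE\Policies\Google\Chrome", "PasswordManagerEnabled"): 0}
# Constructed Firefox policies.json that still allows saving logins.
SAMPLE_FIREFOX_POLICIES = '{"policies": {"OfferToSaveLogins": true}}'

if __name__ == "__main__":
    live = read_windows_policies() or SAMPLE_SNAPSHOT
    for finding in audit_windows_snapshot(live) + audit_firefox_policies(SAMPLE_FIREFOX_POLICIES):
        print(finding)
```

A missing value is reported as a finding rather than silently treated as compliant, because an unset policy means the browser falls back to its default of offering to save passwords. On MacOS the same Chrome and Edge policies are delivered as managed preferences (typically through an MDM such as Jamf), so the snapshot would be built from the managed preference domain instead of the registry.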