In this post, we are going to take a look at some Credential Access Techniques used in Cybercrime. The goal is to give you a view on the types of attacks so that you can up your cybersecurity posture.
Credential Access Techniques in Cybercrime
These 8 techniques form a crucial component of the attack lifecycle, often leading to more significant breaches and system compromises.
Brute Force Attacks
Adversaries primarily use brute force attacks when passwords are unknown or when they have obtained password hashes.
These attacks involve systematically guessing the password through a repetitive or iterative mechanism.
This can either be an interaction with a service that validates these credentials or an offline attack against previously acquired credential data like password hashes.
In practice, brute forcing credentials can occur at various stages of a breach.
I’ve seen instances where adversaries attempted to brute force access to valid accounts within a victim’s environment.
This is often leveraged by information gathered from other post-compromise behaviors such as OS Credential Dumping, Account Discovery, or Password Policy Discovery.
- Hide anything in everything
- Hack and Leak Crime
- Supply Chain Attacks: Why Your Vendors Could Be Your Biggest Risk
- Cybersecurity Board Communication: How to Engage with Impact
- The Cyber Threat Intelligence Capability Maturity Model (CTI-CMM)
Adversary-in-the-Middle Attacks
Adversary-in-the-Middle attacks1 represent a more sophisticated approach where attackers position themselves covertly between a user and a service.
In some cases, attackers use these methods to intercept two-factor authentication codes.
Password Guessing and Spraying
Password guessing and password spraying2 are variations of brute force attacks but with specific nuances.
- Password guessing relies on exploiting common passwords or making educated guesses based on available user information.
- On the other hand, password spraying involves using a single common password against multiple accounts before trying another password. This method reduces the likelihood of triggering account lockouts.
Cracking Passwords
Password cracking involves the use of tools to decode encrypted passwords obtained from data breaches.
This technique requires significant computational resources and sophisticated algorithms.
Attackers often use methods like rainbow tables or leverage advanced GPUs to expedite the cracking process, making it possible to decrypt even complex passwords quickly.
Credential Stuffing by Leveraging Previous Breaches
Credential stuffing is another method I’ve encountered, where attackers use previously breached credentials on different websites.
This technique exploits the common practice of password reuse across multiple platforms. By using known username-password combinations, attackers can gain unauthorized access to multiple accounts.
Extracting Credentials from Stores and Managers
Attackers often target stores and managers where credentials are saved3. For instance, extracting credentials from keychains on macOS and securityd memory, or exploiting vulnerabilities in Windows Credential Manager and password managers.
These tools, while designed for security, can become targets themselves if not adequately protected.
Cloud Secrets Management Stores
With the increasing adoption of cloud services, cloud secrets management stores have become a new target for cybercriminals.
Attackers compromise these services, which are intended to manage and safeguard cloud credentials, to gain access to a wide array of cloud-based resources.
Exploitation for Credential Access
Exploitation for credential access involves manipulating software processes or memory. This includes forced authentication attacks that trick a service into authenticating a malicious request4 and forging web credentials by creating fake login prompts.
Additionally, stealing web cookies and SAML tokens can provide attackers with session authentication, allowing user impersonation.
Input Capture Techniques
Attackers prevalently use keylogging, GUI input capture, and web portal capture as input capture techniques.
They range from recording keystrokes to capturing actions on user interfaces and creating fake web pages for user input.
Credential API hooking, a more advanced technique, involves intercepting API calls to capture credentials, often going undetected by traditional security measures.
Keylogging
Keylogging is perhaps one of the most well-known input capture methods.
This technique involves recording every keystroke made by a user on their keyboard. Keyloggers can be hardware-based or software-based.
Attackers use hardware variants by plugging physical devices into a computer, and they deploy software keyloggers as malicious programs that covertly install themselves on the victim’s system.
The danger of keyloggers lies in their ability to capture sensitive information like usernames, passwords, credit card numbers, and personal messages.
GUI Input Capture
GUI (Graphical User Interface) input capture is a more sophisticated technique. It involves capturing user input through graphical elements on the screen, such as mouse clicks and screen taps, in addition to keyboard inputs.
This method can capture information entered into virtual keyboards, on-screen numpads, or through drag-and-drop actions, which traditional keyloggers might miss.
Web Portal Capture
Web portal capture is a technique where attackers create counterfeit web pages to mimic legitimate websites.
I often see attackers tricking users into entering their credentials into fake portals, making them believe they’re logging into their actual accounts, a method commonly employed in phishing attacks.
I remember an incident where attackers created a fake banking website to capture credentials, making it look remarkably similar to the real bank’s login page.
Unsuspecting users would enter their login details, which were then sent directly to the attackers Telegram channel.
Credential API Hooking
Credential API hooking is a more technical and stealthy approach. In this method, cybercriminals intercept the calls made by applications to APIs (Application Programming Interfaces) that handle credentials.
By ‘hooking’ into these API calls, attackers can extract sensitive data directly from the application or service, often bypassing traditional security measures.
- https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/identifying-adversary-in-the-middle-aitm-phishing-attacks/ba-p/3991358 ↩︎
- https://www.csoonline.com/article/652668/iranian-cyberspies-target-thousands-of-organizations-with-password-spray-attacks.html ↩︎
- https://www.praetorian.com/blog/how-to-detect-and-dump-credentials-from-the-windows-registry/ ↩︎
- https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts ↩︎