
Common ways to steal data: Clear-text password dumps.

Of the lost records officially reported so far in 2016 in the US, 3.2 million out of 4.7 million were stolen by external attackers (according to the Privacy Rights Clearinghouse database). These numbers show that, in spite of increased security awareness, bigger budgets and stricter standards and regulations, companies are still easy prey for hackers.

This article explores one way in which hackers steal data once they have managed to compromise a company computer or laptop; the following blog posts will explore other ways in which a cyber attack develops once an asset is compromised. The premise of this article is the typical scenario in which an external attacker manages to execute code as Local System on a domain-joined machine, either by obtaining privileged credentials through social engineering or by exploiting a vulnerability that allows code execution. The attacker's aim is to move from the unimportant compromised asset to more important domain machines in order to steal information.

The premises

HTTP Digest authentication and the Simple Authentication and Security Layer (SASL) require the password in plain text in order to function. Hence, starting with Windows XP, the OS loads a DLL (the WDigest security support provider) that enables these protocols and keeps the passwords of current and recent interactive and network sessions in memory in clear text. Starting with Windows 10 (KB2871997 introduced the same change for Windows 7, 8, Server 2008 R2 and Server 2012), clear-text passwords are no longer stored in memory by default, but the behavior remains configurable via the registry.

The means

Tools like “mimikatz”, initially designed for ethical hacking and security research, can be used to dump these passwords from memory in clear text, and there is usually a high chance that the list contains valuable domain account credentials which can then be used to penetrate more significant assets in the company. More information about this tool can be found in the SANS whitepaper listed in the references.

Once credentials are retrieved, attackers can use them to connect to domain machines and access information there, looking for valuable data either via network shares or remote desktop connections.

Detection and defense

The use of such tools is hard to detect through antivirus software, as the source code is available and new versions can easily be compiled to evade signature checks. The scenario as a whole is also difficult to detect with complex IDS systems, as there may be no unusual behavior on the machine(s) involved: if the attacker does not use the stolen privileges to access security systems or change security settings (user accounts, other privileges, etc.) and simply goes for data in files, IDS tools are very likely to miss the attack.

The best defenses against this scenario are:

  • disable the storing of clear-text passwords on your systems (see KB2871997);
  • monitor for, and prevent, password reuse across user accounts;
  • change account passwords often;
  • run lsass.exe in protected mode (see Microsoft's instructions for configuring additional LSA protection).
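The first and the last of these defenses are registry settings, so they can be audited and applied from an elevated PowerShell prompt. The following script is an added example written for this article, not code from TEMASOFT or from the Microsoft articles it references. The registry paths and value names are the ones Microsoft documents for these settings (UseLogonCredential under the WDigest provider key, introduced by KB2871997, and RunAsPPL under the Lsa key for LSA protection); the function names are my own.

```powershell
# Added example (not part of the original article): audit, and optionally apply,
# the two registry-backed defenses from the list above.
# Run from an elevated PowerShell prompt on the machine being checked.

$WDigestPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$LsaPath     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-LsassCredentialPosture {
    $useLogonCred = Get-RegistryDword -Path $WDigestPath -Name 'UseLogonCredential'
    $runAsPpl     = Get-RegistryDword -Path $LsaPath     -Name 'RunAsPPL'

    # Interpretation of UseLogonCredential:
    #   1       -> WDigest keeps clear-text passwords in LSASS memory
    #   0       -> explicitly disabled
    #   missing -> OS default: disabled on Windows 8.1 / 10 / Server 2012 R2 and later,
    #              and on older systems once KB2871997 is installed; still enabled on
    #              unpatched Windows 7 / 8 / Server 2008 R2 / Server 2012
    if ($useLogonCred -eq 1) {
        $wdigestState = 'ENABLED (clear-text passwords cached in memory)'
    } elseif ($useLogonCred -eq 0) {
        $wdigestState = 'disabled'
    } else {
        $wdigestState = 'not set (OS default; confirm KB2871997 is installed on pre-8.1 systems)'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        UseLogonCredential = $useLogonCred
        WDigestClearText   = $wdigestState
        RunAsPPL           = $runAsPpl
        LsassProtected     = ($runAsPpl -eq 1)
    }
}

function Set-LsassCredentialHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess($WDigestPath, 'Set UseLogonCredential = 0')) {
        New-ItemProperty -Path $WDigestPath -Name 'UseLogonCredential' -Value 0 `
            -PropertyType DWord -Force | Out-Null
    }

    # RunAsPPL only takes effect after a reboot. Verify that any third-party
    # authentication packages or LSA plugins are signed and compatible before
    # enabling it, otherwise they will fail to load.
    if ($PSCmdlet.ShouldProcess($LsaPath, 'Set RunAsPPL = 1')) {
        New-ItemProperty -Path $LsaPath -Name 'RunAsPPL' -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
}

# Usage:
Get-LsassCredentialPosture | Format-List
# Set-LsassCredentialHardening -WhatIf   # preview the registry changes
# Set-LsassCredentialHardening           # apply them, then reboot
```

On a fleet, the audit function is the part worth scheduling: a machine that reports UseLogonCredential = 1 or LsassProtected = False is one where a memory dump from a compromised Local System context still yields clear-text passwords.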

How we can help

Our recommendation, especially in the absence of complex IDS solutions, is to monitor authorized access to data and look for the suspicious patterns that appear when attackers (using compromised accounts) search for valuable information:

  • access outside work hours;
  • access to rarely used network resources;
  • increased file activity, with many copy operations.

Taking such measures gives you a better chance of identifying an attacker who uses an authorized account to steal data. Also, since this scenario hands attackers a list of credentials, it is very likely that they will verify those credentials in order to assess their value. The fastest way to do that is to impersonate each credential from a single compromised account. Therefore, watching for impersonated access to files is also important, particularly when there is a significant number of such operations with the same original security context but various impersonated user accounts.
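The four patterns above (after-hours access, rarely used resources, copy bursts and impersonation fan-out from one original security context) translate directly into detection rules. The script below is an added example written for this article; it is not TEMASOFT FileMonitor output or code. The CSV event layout, the sample events (a workstation's Local System context trying several stolen accounts late at night and then copying files), the baseline of "commonly used" shares and the thresholds are all constructed assumptions chosen to make the rules fire; adapt them to whatever your file-access logging actually produces.

```powershell
# Added example (not part of the original article): detect the access patterns
# discussed above over a constructed sample of file-access events.
# Event layout is assumed: Time, OriginalUser (security context the process runs as),
# EffectiveUser (identity used for the file operation), Operation, Path.

$SampleEvents = @'
Time,OriginalUser,EffectiveUser,Operation,Path
2016-06-14T10:12:03,CORP\jdoe,CORP\jdoe,Read,\\fs01\projects\plan.docx
2016-06-14T10:15:40,CORP\jdoe,CORP\jdoe,Write,\\fs01\projects\plan.docx
2016-06-14T14:02:11,CORP\mlee,CORP\mlee,Read,\\fs01\projects\roadmap.pptx
2016-06-14T23:41:10,CORP\WKST07$,CORP\asmith,Read,\\fs01\finance\budget.xlsx
2016-06-14T23:41:12,CORP\WKST07$,CORP\bjones,Read,\\fs01\finance\budget.xlsx
2016-06-14T23:41:15,CORP\WKST07$,CORP\svc_backup,Read,\\fs01\finance\budget.xlsx
2016-06-14T23:41:18,CORP\WKST07$,CORP\it-admin,Read,\\fs01\finance\budget.xlsx
2016-06-14T23:45:01,CORP\WKST07$,CORP\it-admin,Copy,\\fs01\hr\salaries.xlsx
2016-06-14T23:45:03,CORP\WKST07$,CORP\it-admin,Copy,\\fs01\hr\contracts.zip
2016-06-14T23:45:05,CORP\WKST07$,CORP\it-admin,Copy,\\fs01\hr\reviews.docx
2016-06-14T23:45:09,CORP\WKST07$,CORP\it-admin,Copy,\\fs01\finance\budget.xlsx
2016-06-14T23:45:12,CORP\WKST07$,CORP\it-admin,Copy,\\fs01\finance\forecast.xlsx
2016-06-14T23:45:20,CORP\WKST07$,CORP\it-admin,Copy,\\fs01\legal\nda-template.docx
'@

function Get-Share([string]$Path) {
    # \\server\share\dir\file.ext -> \\server\share
    if ($Path -match '^(\\\\[^\\]+\\[^\\]+)') { return $Matches[1] }
    return $Path
}

function Find-SuspiciousAccess {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$WorkStartHour = 8,
        [int]$WorkEndHour = 18,
        [string[]]$CommonShares = @('\\fs01\projects'),   # assumed baseline of routinely used shares
        [int]$CopyBurstThreshold = 5,                      # copies ...
        [int]$BurstWindowMinutes = 10,                     # ... within this many minutes
        [int]$ImpersonationFanOut = 3                      # distinct identities from one original context
    )
    $alerts = New-Object System.Collections.Generic.List[object]

    # Rule 1: access outside work hours or on weekends, summarised per effective user.
    $afterHours = $Events | Where-Object {
        $t = [datetime]$_.Time
        $dow = [int]$t.DayOfWeek   # 0 = Sunday, 6 = Saturday
        $t.Hour -lt $WorkStartHour -or $t.Hour -ge $WorkEndHour -or $dow -eq 0 -or $dow -eq 6
    }
    foreach ($g in ($afterHours | Group-Object EffectiveUser)) {
        $alerts.Add([pscustomobject]@{ Rule = 'AfterHoursAccess'; Subject = $g.Name
            Detail = "$($g.Count) operation(s) outside ${WorkStartHour}:00-${WorkEndHour}:00" })
    }

    # Rule 2: access to shares that are not part of the normal baseline.
    $unusual = $Events | Where-Object { (Get-Share $_.Path) -notin $CommonShares }
    foreach ($g in ($unusual | Group-Object { Get-Share $_.Path })) {
        $users = ($g.Group | Select-Object -ExpandProperty EffectiveUser -Unique) -join ', '
        $alerts.Add([pscustomobject]@{ Rule = 'RarelyUsedResource'; Subject = $g.Name
            Detail = "$($g.Count) operation(s) by $users" })
    }

    # Rule 3: a burst of copy operations by one identity (sliding window over sorted times).
    foreach ($g in ($Events | Where-Object Operation -eq 'Copy' | Group-Object EffectiveUser)) {
        $times = @($g.Group | ForEach-Object { [datetime]$_.Time } | Sort-Object)
        for ($i = 0; $i + $CopyBurstThreshold - 1 -lt $times.Count; $i++) {
            $span = $times[$i + $CopyBurstThreshold - 1] - $times[$i]
            if ($span.TotalMinutes -le $BurstWindowMinutes) {
                $alerts.Add([pscustomobject]@{ Rule = 'CopyBurst'; Subject = $g.Name
                    Detail = "$($times.Count) copies, $CopyBurstThreshold of them within $([int]$span.TotalSeconds)s" })
                break
            }
        }
    }

    # Rule 4: one original security context impersonating many different accounts,
    # the pattern left behind when a freshly dumped credential list is being verified.
    $impersonated = $Events | Where-Object { $_.OriginalUser -ne $_.EffectiveUser }
    foreach ($g in ($impersonated | Group-Object OriginalUser)) {
        $targets = @($g.Group | Select-Object -ExpandProperty EffectiveUser -Unique)
        if ($targets.Count -ge $ImpersonationFanOut) {
            $alerts.Add([pscustomobject]@{ Rule = 'ImpersonationFanOut'; Subject = $g.Name
                Detail = "impersonated $($targets.Count) accounts: $($targets -join ', ')" })
        }
    }
    return $alerts
}

$Events = $SampleEvents | ConvertFrom-Csv
Find-SuspiciousAccess -Events $Events | Format-Table -AutoSize
```

On the sample data the rules fire as the article predicts: after-hours alerts for each of the four impersonated accounts, rarely-used-resource alerts for the finance, hr and legal shares, a copy burst for CORP\it-admin, and one ImpersonationFanOut alert for the CORP\WKST07$ context, which is the single event most worth escalating because it ties the other three together.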

TEMASOFT FileMonitor, our file monitoring software, can help you monitor impersonated and authorized access to files in ways that permit identification of suspicious activity, allowing alerting, reactions and further investigation in such situations.

TEMASOFT offers this application for FREE for up to two workstation PCs, for personal use.


References:

Privacy Rights Clearinghouse data breach database: https://www.privacyrights.org

https://support.microsoft.com/en-us/kb/2871997

https://www.sans.org/reading-room/whitepapers/detection/mimikatz-overview-defenses-detection-36780


This post was last modified on August 21, 2023 7:27 am

Calin Ghibu

Technical background: over 15 years of experience in testing, developing, researching and managing network security solutions. Currently focusing on information security and IT management. Specialties: network audit, information security, web security, endpoint security, perimeter security, SIEM, legal compliance, competitive intelligence.

