Recently, ActZero learned that ransomware actors are harvesting credentials from browsers during their attack. In recent attack chains our threat researchers have seen that, once the attacker gains a foothold, they are using Living-off-the-Land (LoTL) attacks to harvest the cached credentials from browsers such as Chrome. In a “Living off the Land” attack, adversaries use legitimate tools to compromise secure environments undetected.
When attackers get access to browser credentials, which are synced between personal and company devices, not only do they gain access to the personal, social, banking, and little league accounts used on the home network, but they can use those credentials for additional attacks on the user’s corporate environment. This combination of stealing more credentials and gaining access to additional web services allows the attacker to unleash additional attacks beyond the victim’s organization. Ransomware actors can then apply more pressure for payment.
A sample browser credential harvesting attack used esentutl.exe to dump the encrypted password database as shown below.
cmd.exe /Q /c esentutl.exe /y "C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Login Data" /d "C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Login Data.tmp"
Note: though this attack is against Chrome, similar attacks exist against other browsers.
These password dump commands are typically run on all accessible endpoints after a domain controller is compromised. Once the credentials are dumped, they are exported to the attacker along with the encryption keys.
How to prevent these attacks
Our team provides a few recommendations to keep your business safe from these attacks.
- Ensure endpoint protection is applied to all devices.
- Test that your endpoint protection blocks all attempts to access cached passwords.
- Verify your SOC can detect access to cached passwords and that the attack could represent that a ransomware attack is underway.
- Ensure your security software is able to detect ransomware encryption and is deployed on all endpoints.
- Employ multi-factor authentication (MFA) on all accounts in use, and educate all users to look for the signs of MFA fatigue attacks.
- Use different passwords on each site, and don’t make them themed.
- Though it might meet your password complexity requirements, it does no good if your social password is socialDolph1ns! and your banking is bankDolph1ns!
Immediately Educate Users on Phishing Callback Attacks
- Remind employees these phishing callback attacks, also known as "vishing" (voice phishing) or "voice callback phishing" attacks, are a type of threat where cybercriminals call to collect login credentials, credit card numbers, or other personal information.
Reduce Attack Surface Area
- Ensure all systems are properly segregated. Systems such as DCs, ESXi, and remote access tooling are too often used by attackers to gain access.
- Patch and turn on automatic update
- Don’t forget virtual machines!
- Each VM must be treated as an endpoint, and follow the same patching, deployment of endpoint protection, and isolation as any other endpoint.
- Ensure conditional access policies are robust on all cloud deployments. Ask questions such as:
- Where do we need to grant access from?
- Is multi-factor authentication (MFA) enforced?
- Is device compliance enforced?
- Can we block legacy authentication?
- Can we block unsupported platforms?
- Can we block high-risk users and sign ins?
- Can we block service accounts from untrusted locations?
- Can we disable guest access?
- Can we block admin persistence?
How ActZero Can Help
Ransomware is an urgent security risk threatening businesses and government agencies worldwide. Aimed at small to medium-sized enterprises with IT teams with limited cybersecurity expertise, The Ransomware Task Force: Blueprint for Ransomware Defense provides a short list of recommended defensive actions that an IT leader can take to combat ransomware and other common cyber attacks.
Related: Thinking about the adversary: Offensive & Defensive Strategies & Why You Should Think Like A Hacker