Criminals using browser credential dumping in 21% of credential-access techniques - new report from ReliaQuest

February 2024 by ReliaQuest

ReliaQuest is observing threat actors relying less and less on rudimentary tactics such as brute-force attacks to acquire account credentials. To obtain credentials that let them move on to additional systems and applications, they are opting for more sophisticated methods. One of these is browser credential dumping, which accounted for 21% of the credential-access techniques we observed in elevated incidents across our customer base in 2023.
Browser credential dumping is a technique in which an attacker extracts saved usernames and passwords, or session cookies, from a web browser's local storage. It is typically observed after a threat actor or group has obtained initial access through phishing or a drive-by download, or by exploiting a vulnerability that provides remote code execution (RCE) on the target machine.

This method targets the convenient, user-friendly feature that lets web browsers save credentials locally on the machine's file system so they need not be entered manually every time. Threat actors access these storage locations and either exfiltrate the files or decrypt their contents. The technique can be used against any sector or location; every entity should consider itself at risk. Security researchers have noted varied use of it, for example:

• "Lapsus$ Group" has used "RedLine" to obtain passwords and session tokens.
• The "QakBot" (aka QBot) banking trojan can dump credentials from browser data and cookies.
• "APT31" (aka Zirconium) has been known to use a Python-compiled binary with browser credential dumping capabilities.

• Threat actors are using browser credential dumping, among other sophisticated methods, to obtain access to valid accounts without brute-forcing. Browser credential dumping represented 21% of ReliaQuest customers' incidents involving credential access in 2023.
• Browser credential dumping can affect entities in any sector or location, at the enterprise level and for individual users alike.
• With adequate detection methods and preventive and mitigative controls, organizations can significantly reduce the impact of browser credential dumping and the likelihood of it being used against them.
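As an added example (not code from the ReliaQuest report), the Python script below shows one such detection, tying together the storage locations described above and the detection methods mentioned here. It runs over a few constructed file-read telemetry lines of the kind an EDR or Sysmon sensor emits and flags any non-browser process that opens a browser's saved-password or cookie store, raising the severity when the same process also reads the key material needed to decrypt that store offline (Chromium's Local State file, Firefox's key4.db). The event format, host, process names and paths are assumptions made for the example; only the store file names are the real Chromium and Firefox locations.

```python
"""Flag non-browser processes reading browser credential stores.

Added example, not code from the ReliaQuest report. The telemetry format and
every host, process and path below are constructed for the demonstration;
only the store file names are the real Chromium/Firefox locations.
"""
import re
from collections import defaultdict

# On-disk files a browser credential dumper has to read (basenames only).
CREDENTIAL_STORES = {
    "Login Data",      # Chromium saved passwords (SQLite, values AES-GCM encrypted)
    "Cookies",         # Chromium cookies (SQLite, same encryption)
    "Local State",     # Chromium JSON holding the DPAPI-wrapped AES key
    "logins.json",     # Firefox saved passwords (encrypted with the key in key4.db)
    "key4.db",         # Firefox NSS key database
    "cookies.sqlite",  # Firefox cookies
}

# Store files paired with the key material needed to decrypt them offline.
# A process that reads both has everything required to recover plaintext.
KEY_MATERIAL = [
    ({"Login Data", "Cookies"}, "Local State"),
    ({"logins.json"}, "key4.db"),
]

# Browsers legitimately open their own stores; anything else is suspicious.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

# Assumed telemetry line format (one file-read event per line):
#   <timestamp> host=<name> pid=<n> image=<process path> op=<op> path=<file path>
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) "
    r"image=(?P<image>.+?) op=(?P<op>\w+) path=(?P<path>.+)$"
)

# Constructed sample: chrome.exe reads its own store (benign), a binary in
# %TEMP% reads both Chromium and Firefox stores plus their key files
# (dumping), explorer.exe reads an unrelated document (benign).
SAMPLE_EVENTS = """\
2023-11-02T09:14:03Z host=WS-0417 pid=4120 image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe op=read path=C:\\Users\\jdoe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
2023-11-02T09:14:05Z host=WS-0417 pid=7788 image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe op=read path=C:\\Users\\jdoe\\AppData\\Local\\Google\\Chrome\\User Data\\Local State
2023-11-02T09:14:05Z host=WS-0417 pid=7788 image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe op=read path=C:\\Users\\jdoe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
2023-11-02T09:14:06Z host=WS-0417 pid=7788 image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe op=read path=C:\\Users\\jdoe\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abc123.default\\logins.json
2023-11-02T09:14:06Z host=WS-0417 pid=7788 image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe op=read path=C:\\Users\\jdoe\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abc123.default\\key4.db
2023-11-02T09:20:11Z host=WS-0417 pid=2204 image=C:\\Windows\\explorer.exe op=read path=C:\\Users\\jdoe\\Documents\\report.docx
"""


def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def parse_events(text):
    """Parse telemetry lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_credential_dumping(events):
    """Return one alert per (host, pid, image) that read a credential store.

    Severity is 'high' when the process also read the key material that
    decrypts the store, 'medium' when it only read the store itself.
    """
    touched = defaultdict(set)
    for ev in events:
        store = basename(ev["path"])
        proc = basename(ev["image"]).lower()
        if store in CREDENTIAL_STORES and proc not in BROWSER_PROCESSES:
            touched[(ev["host"], ev["pid"], ev["image"])].add(store)

    alerts = []
    for (host, pid, image), stores in touched.items():
        severity = "medium"
        for data_files, key_file in KEY_MATERIAL:
            if key_file in stores and stores & data_files:
                severity = "high"
        alerts.append({"host": host, "pid": pid, "image": image,
                       "stores": sorted(stores), "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_dumping(parse_events(SAMPLE_EVENTS)):
        print(f"[{alert['severity'].upper()}] {alert['host']} pid={alert['pid']} "
              f"{alert['image']} read {', '.join(alert['stores'])}")
```

Run against the sample, the script produces a single high-severity alert for pid 7788 (the binary in %TEMP% that read Login Data, Local State, logins.json and key4.db) and nothing for the browser's own reads. In production the allow-list of browser processes should also check the image path and signer, since a dumper can simply name itself chrome.exe, and the detection should be paired with the same key-file check for the exfiltration case, where the files are copied rather than decrypted on the host.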

