This blog post is the first in a series. To read part 2 of the series, click here.
The digital landscape is rife with new and evolving threats - and to meet this challenge, organizations must invest in proactive security measures. Threat hunting practices – which, by definition, are proactive rather than reactive - play a significant role in mitigating the risks and contributing to a resilient cybersecurity ecosystem.
As a case in point, let’s take a look at the work done by CyberProof’s threat hunting team in exposing the security challenges posed by a MITRE ATT&CK technique called “Credentials in Files.”
What is the “Credentials in Files” technique?
Storing credentials as clear text (or easily reversible formats) is a dangerous practice that puts organizations at risk, since they are susceptible to unauthorized access to sensitive systems.
At its core, the MITRE ATT&CK sub-technique Unsecured Credentials: Credentials In Files (T1552.001) allows threat actors to navigate through configuration files, log files, and other types of files that hold clear-text credentials. It revolves around the relentless quest by threat actors to find clear-text credentials within enterprise networks.
At its core, the MITRE ATT&CK sub-technique Unsecured Credentials: Credentials In Files (T1552.001) allows threat actors to navigate through configuration files, log files, and other types of files that hold clear-text credentials.
Examples of the use of “Credentials in Files”
At CyberProof, we identified several cases where our client’s user IDs and passwords were displayed as clear text.
In some cases, we observed three running communications in the environment that included these clear-text user IDs and passwords. CyberProof identified user IDs and administrator passwords that were exposed as part of a legitimate script running on a server with a Web interface.
In other cases, additional details were exposed including client location, server names, and URL for the administrator's panel on the Web interface. This information allowed attackers to infiltrate the network without leaving a trace.
Note: All names and locations have been changed to protect the client's identity.
Example 1 of an exposed password:
C:\Program Files\postgresqlDB\Server\6.2\bin\postgresqldump.exe" /host:HybridASpain-prod-3-3-1-dkriv. postgresqldb.net:3400,HybridA-Spain-prod-3-3-1- dkriv. postgresqldb.net: 3400, HybridB-Spain-prod-3-3-1- dkriv. postgresqldb.net: 3400/preferences :primary /ssl /username:adminDB/password:s4758!Goi /authentication permission:admin /out:D:\ postgresqldb \MainDBreplicaiton\2023-06-23
Example 2 of an exposed password:
c:\scripts\BackEndAutomationExecutionServices /server:http://dkdgotg. companyportal.com /userid:services1 /password:dclikro96%# /params:"\\configurationsParameters\SalaryBook v7.5.0\SalaryBook Template" /outputFiles:"\\ exeservicesapp485\services
CyberProof identified user IDs and administrator passwords that were exposed as part of a legitimate script running on a server with a Web interface.
Focusing on Secure Software Development
These scenarios highlight how internally developed applications may be built with a focus on achieving specific functionality - and may neglect to follow secure software development best practices. For example, the secure development of any internal application that requires password authentication should include the crucial step of password encryption.
Here are some steps that can be taken to ensure strong password security with encryption:
-
Use a strong encryption algorithm: When encrypting passwords, it is important to use a strong encryption algorithm that is difficult to break.
-
Salt passwords: Adding a salt to a password before encryption can make it more difficult for attackers to break the encryption. A salt is a random sequence of characters that is added to the password before it is encrypted.
-
Use HTTPS protocol when transmitting passwords over a network: This ensures that the password is not intercepted or compromised.
The secure development of any internal application that requires password authentication should include the crucial step of password encryption.
Uncovering exposed user ID and passwords
In our work to uncover exposed user ID and passwords, we follow these procedures:
-
Conduct a scan using predefined rules and keywords on the client's internal network to identify any exposed credentials or passwords.
-
Review logs and data from servers, endpoints, and other devices for evidence of unauthorized access attempts or unusual activity.
-
Use specialized tools and technologies to search for stolen credentials on the dark web and other underground marketplaces.
Avoiding exposed user IDs and passwords – CyberProof’s recommendations
To mitigate the risk of clear-text passwords:
-
Use encryption: One of the most effective ways to mitigate the security risk of clear-text passwords is to use encryption. Using technologies such as hashing or salting, passwords can be encrypted before they are stored in a database or transmitted over a network.
-
Implement multi-factor authentication (MFA): MFA requires users to provide two or more forms of identification to access a system or application. This can include a password, a biometric factor such as a fingerprint or face recognition, or a security token.
-
Limit access: An enterprise can limit who has access to sensitive systems and applications – granting access privileges only to users who need it for their work and enforce strict authentication policies for users. Whether this is an application account or a user account, limiting access may involve technologies such as role-based access control and privileged access management.
To learn more about how advanced threat hunting can help your organization mitigate the risk of cyberattack, contact us.
This blog post is the first in a series. To read part 2 of the series, click here.
