Unsecured Credentials (T1552.001)
Overview
Unsecured Credentials (T1552.001) involves an adversary obtaining credentials that are stored insecurely on a target system. These can include usernames, passwords, API keys, cryptographic keys, and other secret tokens found in configuration files, environment variables, or databases.
Timeline of Notable Attacks
2018
Attack: Tesla AWS Hack
Details: Attackers infiltrated Tesla's AWS environment through an unsecured Kubernetes console that exposed AWS credentials, then used that access to run cryptojacking operations.
Technique: Unsecured Credentials for AWS access keys.
2019
Attack: Capital One Data Breach
Details: Paige Thompson exploited a misconfigured web application firewall to access Capital One's AWS S3 buckets using unsecured credentials.
Technique: Unsecured Credentials for accessing sensitive data on AWS S3.
2020
Attack: SolarWinds Supply Chain Attack (Sunburst)
Details: APT29 compromised SolarWinds Orion software and used unsecured credentials found in configuration files to assist lateral movement.
Technique: Unsecured Credentials within configuration files.
Notable Groups Associated with Unsecured Credentials
APT29 (Cozy Bear): Known for sophisticated espionage, including the SolarWinds attack.
Lazarus Group: North Korean group known for financial cybercrimes, utilizing unsecured credentials for lateral movement and data exfiltration.
FIN7: Targets financial institutions, often leveraging unsecured credentials found in environments.
Publicly Available Tools and Techniques
Mimikatz: Harvests credentials from memory, credential store, and configuration files.
Metasploit: Exploit framework for identifying and leveraging unsecured credentials.
CredSniper: Phishing tool that captures and tests for weakly protected credentials.
Mitigations
Credential Management: Use centralized systems like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault.
Encryption: Encrypt data at rest and in transit, including configuration files and environment variables.
Regular Audits: Periodic security audits to ensure credentials are not stored insecurely.
Strong Authentication: Implement multi-factor authentication (MFA).
Least Privilege Principle: Minimize access to sensitive credentials.
Windows Environments
Identify Unsecured Credentials:
Use tools like Mimikatz to check if credentials are in memory.
Examine configuration files and scripts for hard-coded credentials.
Review Windows Event Logs for login attempts and unusual activities.
Restrict Memory Access:
Enable Credential Guard.
Disable WDigest authentication:
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest /v UseLogonCredential /t REG_DWORD /d 0 /f
Audit and Rotate Credentials:
Change passwords for compromised accounts.
Implement regular password rotations.
Use LAPS for managing local account passwords.
Secure Configuration Files:
Encrypt sensitive data using DPAPI or third-party tools.
Limit access to necessary users only.
Implement Multi-Factor Authentication (MFA):
Enable MFA for all user accounts.
macOS
Detection of Unsecured Credentials:
Use system logs and tools like `grep` to scan for plaintext passwords.
Check Keychain Access for irregular entries.
Secure Storage with Keychain:
Store credentials in macOS Keychain.
Update scripts to use values from Keychain.
Restrict Access:
Set proper file permissions using `chmod` and `chown`.
Audit user permissions for least privilege.
Rotate and Secure Credentials:
Regularly change passwords and audit user access.
Use encrypted password managers.
Enable FileVault:
Encrypt disk via System Preferences > Security & Privacy > FileVault.
Linux
Identify and Remove Plaintext Credentials:
Use `grep` to locate plaintext passwords in scripts:
grep -r "password" /etc/
Utilize Secure Storage Services:
Use `vault` or `gnome-keyring` for sensitive information.
File and Directory Permissions:
Set proper permissions using `chmod` and `chown`.
Regularly audit permissions to ensure least privilege.
Implement MFA:
Use MFA solutions like Google Authenticator or Duo Security.
Credential Rotation:
Enforce regular credential rotation policies.
Use `pam_cracklib` to enforce strong passwords.
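The Windows, macOS and Linux sections above all come down to the same step: scan configuration files and scripts for plaintext credentials, then check who can read the files that hold them. The script below is an added example, not part of the original page, that broadens the page's `grep -r "password" /etc/` into a small audit: it matches several credential shapes (keyword=value assignments, AWS access key IDs, PEM private key headers) and reports whether each hit sits in a world-readable file. The directory it scans is a constructed fixture standing in for /etc; the key pair in it is the AWS documentation example pair, and the file names, regexes and function names (scan_secrets, world_readable, report, make_fixture) are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original page): a broader version of the
# page's `grep -r "password" /etc/` check. It searches for several
# credential shapes, not only the word "password", and reports which
# hits sit in world-readable files, where any local user can read them.

# Regex for "keyword = value" style assignments (password=, API_KEY:, SECRET_ACCESS_KEY=, ...).
# The trailing part requires an actual value so that a comment such as
# "rotate the password every 90 days" is not reported.
KEYWORD_RE="(password|passwd|pwd|secret|token|api[_-]?key)[a-z0-9_]*[[:space:]]*[=:][[:space:]]*[\"']?[^[:space:]\"']{4,}"
# AWS access key IDs and PEM private key headers are matched case-sensitively.
TOKEN_RE='AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----'

# scan_secrets DIR: print "file:line:content" for every suspected credential.
scan_secrets() {
    {
        grep -rEn -i "$KEYWORD_RE" "$1" || true
        grep -rEn "$TOKEN_RE" "$1" || true
    } | sort -u
}

# world_readable DIR: list regular files whose mode grants "other" read access.
world_readable() {
    find "$1" -type f -perm -004
}

# report DIR: combine both checks; a secret in a world-readable file is the urgent case.
report() {
    scan_secrets "$1" | while IFS= read -r hit; do
        file=${hit%%:*}
        if [ -n "$(find "$file" -type f -perm -004)" ]; then
            echo "EXPOSED (world-readable): $hit"
        else
            echo "FOUND: $hit"
        fi
    done
}

# make_fixture: constructed sample tree standing in for /etc; prints its path.
make_fixture() {
    dir=$(mktemp -d)
    printf '%s\n' 'db_host=localhost' 'db_password=Sup3rSecret!' > "$dir/app.conf"
    chmod 644 "$dir/app.conf"
    # AWS documentation example key pair, used here as a harmless stand-in
    printf '%s\n' 'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE' \
        'AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY' > "$dir/.env"
    chmod 644 "$dir/.env"
    # placeholder key body; correctly restricted to the owner, so reported but not exposed
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEexampleKeyBodyPlaceholder' \
        '-----END RSA PRIVATE KEY-----' > "$dir/id_rsa"
    chmod 600 "$dir/id_rsa"
    # mentions "password" but holds no secret; must not be reported
    printf '%s\n' '# rotate the password every 90 days' > "$dir/README"
    chmod 644 "$dir/README"
    echo "$dir"
}

# Run against a real tree with: report /etc
fixture=$(make_fixture)
report "$fixture"
rm -rf "$fixture"
```

On the fixture this prints three EXPOSED lines (the database password and both halves of the AWS key pair, all in 0644 files) and one FOUND line (the private key, which is 0600). The README line is skipped because the keyword pattern demands an assignment with a value, which keeps the noise of the bare `grep "password"` down; a real run over /etc will still need a quick read of each hit, since the patterns are deliberately broad.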
Amazon AWS
Identify Hard-Coded Credentials:
Review IAM policies and CloudFormation templates for hard-coded credentials.
Use IAM Roles and Policies:
Replace hard-coded credentials with IAM roles.
Ensure applications use roles, not credentials.
Enable AWS Secrets Manager:
Store and rotate secrets using AWS Secrets Manager or Parameter Store.
Implement MFA:
Enable MFA for all IAM users.
Use IAM policies to enforce MFA.
Audit and Rotate Access Keys:
Regularly audit and rotate IAM access keys.
Remove inactive keys and enforce strong key management.
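The MFA and access-key steps above can be checked in one pass over the IAM credential report, which IAM produces as a CSV with one row per user. The script below is an added example, not part of the original page, that flags console users without MFA, active keys last rotated before a cutoff date, and active keys that have never been used. The audit runs on a constructed sample report so it works offline; the user names, the documentation account id 123456789012 and the function names (fetch_credential_report, audit_credential_report, make_sample_report) are this example's assumptions, while the CSV column names are those of the real credential report.

```shell
#!/bin/sh
# Added example (not from the original page): audits an IAM credential
# report for the conditions the page calls out: console users without MFA,
# active access keys that have not been rotated recently, and active keys
# that have never been used. The audit runs on a constructed sample report;
# fetch_credential_report shows the real calls and is not run here.

# fetch_credential_report: pull the live CSV report from IAM (needs aws CLI credentials).
fetch_credential_report() {
    until aws iam generate-credential-report --query State --output text | grep -q COMPLETE; do
        sleep 2
    done
    aws iam get-credential-report --query Content --output text | base64 -d
}

# audit_credential_report REPORT.csv CUTOFF_DATE
# Prints one finding per line. CUTOFF_DATE is YYYY-MM-DD; active keys last rotated
# before it are stale. For a 90-day policy on GNU systems: $(date -u -d '90 days ago' +%F)
audit_credential_report() {
    awk -F, -v cutoff="$2" '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }   # map header names to columns
    {
        user = $(col["user"])
        if ($(col["password_enabled"]) == "true" && $(col["mfa_active"]) != "true")
            print "MFA_MISSING " user ": console password enabled but no MFA device"
        for (k = 1; k <= 2; k++) {
            active  = $(col["access_key_" k "_active"])
            rotated = $(col["access_key_" k "_last_rotated"])
            used    = $(col["access_key_" k "_last_used_date"])
            if (active != "true") continue
            # ISO-8601 timestamps order correctly as plain strings
            if (rotated < cutoff)
                print "STALE_KEY " user ": access key " k " last rotated " rotated " (before " cutoff ")"
            if (used == "N/A")
                print "UNUSED_KEY " user ": access key " k " is active but has never been used"
        }
    }' "$1"
}

# make_sample_report: constructed credential report with the real column layout; prints its path.
make_sample_report() {
    f=$(mktemp)
    printf '%s\n' \
'user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated' \
'<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-03-01T10:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A' \
'alice,arn:aws:iam::123456789012:user/alice,2022-05-10T00:00:00+00:00,true,2024-05-01T08:00:00+00:00,2024-04-01T00:00:00+00:00,N/A,true,true,2024-04-01T00:00:00+00:00,2024-05-01T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A' \
'bob,arn:aws:iam::123456789012:user/bob,2021-02-01T00:00:00+00:00,true,2024-05-01T09:00:00+00:00,2023-01-05T00:00:00+00:00,N/A,false,true,2023-01-05T00:00:00+00:00,2024-05-02T00:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A' \
'ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2021-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2021-06-01T00:00:00+00:00,N/A,N/A,N/A,true,2024-04-15T00:00:00+00:00,2024-05-03T00:00:00+00:00,us-east-1,codedeploy,false,N/A,false,N/A' \
        > "$f"
    echo "$f"
}

# Real usage: fetch_credential_report > report.csv; audit_credential_report report.csv 2024-02-01
sample=$(make_sample_report)
audit_credential_report "$sample" 2024-02-01
rm -f "$sample"
```

With the cutoff 2024-02-01 the sample yields four findings: bob has a console password but no MFA and a key from January 2023, and ci-deploy has a 2021 key that has never been used (its second, recent key is fine). The header row is read to locate columns by name rather than by position, so the audit keeps working if AWS appends columns to the report.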
Google Cloud Platform (GCP)
Detection of Plaintext Secrets:
Scan for plaintext secrets using the GCP Console or the gcloud CLI.
Use IAM and Google Secret Manager:
Store credentials in Google Secret Manager.
Grant minimal required access with IAM roles and policies.
Rotate Credentials Regularly:
Automate credential rotation with scripts.
Audit and update IAM policies and service accounts regularly.
Enable Security Command Center:
Use Security Command Center for risk detection.
Activate MFA:
Enable 2-step verification for Google accounts linked to GCP.
Microsoft Azure
Identify Hard-Coded Credentials:
Use Azure Security Center to find hard-coded credentials.
Utilize Managed Identities:
Replace hard-coded credentials with managed identities.
Configure services to use Managed Service Identities (MSI).
Store Secrets in Azure Key Vault:
Store and rotate secrets in Azure Key Vault.
Manage access through Azure RBAC.
Activate MFA:
Enforce MFA for Azure users.
Use Azure AD Conditional Access policies for MFA.
Regular Audits and Rotation:
Audit Azure AD users and credentials regularly.
Change secrets and verify key access policies routinely.