Credential dumping is a cyber attack where a threat actor hacks into devices and steals their owners’ credentials from the random access memory (RAM). Also known as “password dumping,” the attacker steals and copies the data to a predetermined storage (typically a server). Once that’s done, the credentials are said to have been “dumped.”

You should know that each time someone logs in to an account on your device, his/her username-password combination gets stored in its RAM. An attacker can read that information since it is saved in plaintext. 

Credential dumping is a crucial step in phishing and other cyber attacks.

Read More about Credential Dumping

You’re probably wondering what threat actors use the data they steal via credential dumping for.

What Do Cyber Attackers Do with the Information They Steal via Credential Dumping?

Threat actors can use data stolen through credential dumping attacks to:

  • Access confidential information and critical assets
  • Move laterally in a target network to access other systems
  • Create new accounts, perform actions, and remove accounts to clear their tracks
  • Analyze password patterns and policies to reveal other network users’ credentials

How Does Credential Dumping Work?

Credential dumping attacks typically follow three steps.

  1. A threat actor finds a way into the target device. One way could be through an exploitable vulnerability.
  2. Once inside, the attacker searches the device for stored credentials. They typically deploy malware to harvest username-password combinations.
  3. The stolen credentials are then saved onto predetermined storage for later use.
how credential dumping works

What Malware or Threat Groups Have Been Known to Employ Credential Dumping?

Over time, we’ve seen many malware use credential dumping as part of a bigger attack chain. These include:

  • Mimikatz: A tool that dumps passwords, hashes, and personal identification numbers (PINs) from a system’s memory. While not initially intended for use in cyber attacks, it was a critical player in the 2017 National Security Agency attack. Both penetration testers and malware creators currently use it.
  • NotPetya: A ransomware that wreaked havoc worldwide in 2017 came with Mimikatz’s ability to search for clear-text passwords.
  • Axiom: Believed to be a Chinese cyber espionage group targeting the aerospace, defense, government, manufacturing, and media industries since at least 2008. They have been known to dump credentials as part of their tactics.
  • Carbanak: A full-featured, remote backdoor intended for espionage, data exfiltration, and providing remote access to infected machines.
  • Poseidon: A Portuguese-speaking threat group active since at least 2005 with a history of using information exfiltrated from victims to blackmail their companies into contracting them as a security firm.

How Can Users Defend against Credential Dumping?

Organizations can protect employees and other stakeholders from credential dumping attacks by:

  • Ask developers to write software code, so the data stored in memory is encrypted and sensitive information is automatically cleared from the main memory.
  • Limit the number of accounts with administrative rights since the fewer administrator accounts there are, the harder it will be to pull off credential dumping attacks.
  • Use a security information and event management (SIEM) system to monitor authorization and access logs and detect unusual patterns or activities that may indicate account compromise.
  • Force employees to use multifactor authentication (MFA) so that even if hackers get their hands on login credentials, they still won’t be able to log in since they don’t have the one-time password (OTP) typically sent to a mobile phone.
  • Implement CAPTCHAs for logins to slow credential dumpers down, at least.
  • Use an intrusion detection system (IDS) that detects suspicious behaviors.

Users, meanwhile, can steer clear of the dangers credential dumping attacks pose by:

  • Always log out and reboot your computer when you’re done using it. That clears your system’s memory and the credentials or hashes stored in it.
  • Use strong and complex passwords. The more complex your passwords are, the harder they are to crack.
  • Never reuse the same password for multiple accounts. If one account gets hacked, all the others will, too.
  • Set up two-factor authentication (2FA) on all accounts that support it.
  • Use a password manager so you can create and remember complex passwords.
  • Don’t open email attachments unless you know who the sender is and confirm they actually sent you the message.
  • Don’t click email links unless you confirm who sent them and where they lead.
  • Use a firewall.
  • Use an antimalware program.
  • Keep your operating system (OS) updated.
  • Never click pop-ups.
  • Pay attention to browser warnings.

Credential dumping is a critical part of many, if not all, cyber attacks. It is, however, avoidable if you follow cybersecurity best practices.

Key Takeaways

  • Credential dumping is a cyber attack where a threat actor hacks into devices and steals their owners’ credentials from the RAM.
  • Threat actors can use data stolen through credential dumping attacks to access confidential information and critical assets; move laterally in a target network to access other systems; create new accounts, perform actions, and remove accounts to clear their tracks; and analyze password patterns and policies to reveal other network users’ credentials.
  • Mimikatz and NotPetya are two examples of malware that employ credential dumping.