In March 2021, Microsoft announced an active global campaign named HAFNIUM targeting Microsoft Exchange servers with a chain of four zero-day vulnerabilities. According to Microsoft, one or more threat groups were able to exploit these vulnerabilities, which allowed them to gain initial access to targeted machines and deploy web shells. Once the web shells were established, operators used credential dumping techniques to gather credentials and exfiltrate information that could be used for further privilege escalation and lateral movement within targeted organizations.
For more information about this ongoing campaign, please see our detailed analysis blog post.
Credential dumping (MITRE ATT&CK® technique: T1003.001) is a method of collecting user credentials stored in memory and is a popular technique used by many state-sponsored APT and financially motivated (FIN) groups today. Once threat actors obtain these credentials, they can use them to facilitate lateral movement and privilege escalation within a compromised network.
Computers rely on credentials for many critical functions, including verifying users logging in to the device, managing password changes, and creating access tokens. On a Microsoft Windows device, the Local Security Authority Subsystem Service (LSASS) is the process responsible for enforcing security policy. For LSASS to function properly, various dynamic link libraries (DLLs) are loaded into its memory when the device starts, and those DLLs have access to unencrypted, plaintext passwords. Once LSASS is running, freely available tools such as procdump and Mimikatz can be used to read its memory or write the memory contents of LSASS to disk as an unencrypted file. The resulting file then contains credentials that a threat actor can use to escalate privileges and/or move laterally within an organization. Figure 1 shows a successful credential dump on an endpoint using the procdump application.
Figure 1: Using Procdump to successfully dump credentials
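A defender-side check for the LSASS memory access described above, as an added example that is not FireEye's or Process Guard's code: it parses constructed Sysmon Event ID 10 (ProcessAccess) records and flags any process outside an assumed allowlist that opens lsass.exe with PROCESS_VM_READ, the access right a memory dumper such as procdump or Mimikatz cannot do without. The flattened key=value log format and the allowlist contents are assumptions for the example.

```python
"""Flag memory-read handles opened on lsass.exe from Sysmon Event ID 10 data.
Added example, not FireEye/Process Guard code. Field names are Sysmon's
(SourceImage, TargetImage, GrantedAccess); the one-line format is our own."""
import ntpath

PROCESS_VM_READ = 0x0010  # required to copy another process's memory

# Processes expected to open lsass.exe with read access on this host.
# Assumption for the example: tune per environment, never ship as-is.
ALLOWLIST = {
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\csrss.exe",
}

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    r"SourceImage=C:\Tools\procdump64.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1FFFFF",
    r"SourceImage=C:\Windows\system32\csrss.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1FFFFF",
    r"SourceImage=C:\Windows\system32\svchost.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1000",
    r"SourceImage=C:\Users\Public\updater.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1010",
    r"SourceImage=C:\Users\Public\updater.exe|TargetImage=C:\Windows\system32\notepad.exe|GrantedAccess=0x1FFFFF",
]


def parse_event(line):
    """Split one flattened record into a dict keyed by Sysmon field name."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def is_lsass_memory_access(event):
    """True when a non-allowlisted process opens lsass.exe with PROCESS_VM_READ."""
    if ntpath.basename(event["TargetImage"]).lower() != "lsass.exe":
        return False
    granted = int(event["GrantedAccess"], 16)
    if not granted & PROCESS_VM_READ:
        return False  # query-only handles cannot read credential material
    return event["SourceImage"].lower() not in ALLOWLIST


def detect(events):
    """Return (SourceImage, GrantedAccess) for every suspicious access."""
    hits = []
    for line in events:
        evt = parse_event(line)
        if is_lsass_memory_access(evt):
            hits.append((evt["SourceImage"], evt["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for src, access in detect(SAMPLE_EVENTS):
        print(f"ALERT lsass.exe memory access: {src} (GrantedAccess={access})")
```

Both a full-access handle (0x1FFFFF) and the narrower 0x1010 (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION) trip the check, while a query-only handle from svchost.exe and an allowlisted system process do not.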
Process Guard for FireEye Endpoint Security
Process Guard for FireEye Endpoint Security can help prevent the critical step of credential dumping and deter any forward progress operators hope to make. By preventing the dumping and exfiltration of credentials, even unpatched and compromised organizations would have a level of protection against this type of attack. The following video shows Process Guard in action.