The MITRE ATT&CK Framework technique T1555, known as "Credentials from Password Stores," outlines methods adversaries use to extract stored credentials from various systems. These credentials may include usernames, passwords, and authentication tokens saved by users or applications for convenience. By accessing these stored credentials, attackers can impersonate legitimate users, bypass security measures, and gain unauthorized access to systems and data.
Subtechniques of T1555
T1555.001 – Keychain
T1555.002 – Securityd Memory
T1555.003 – Credentials from Web Browsers
T1555.004 – Windows Credential Manager
T1555.005 – Password Managers
T1555.006 – Cloud Secrets Management Stores
Adversary Techniques
One common method targets web browsers, which save website credentials on disk for the user's convenience. On Windows, Chromium-based browsers keep saved logins in a SQLite database ("Login Data") encrypted with a per-profile key that is itself wrapped with DPAPI and stored alongside it ("Local State"); an attacker with code execution in the victim's session can copy the database, call CryptUnprotectData to unwrap that key, and decrypt the entries to plaintext usernames and passwords. Because DPAPI binds the key to the user's logon rather than to the browser, this requires no vulnerability, only running as that user. Firefox stores its logins (logins.json) and key database (key4.db) in the profile directory and is attacked the same way. Newer Chrome releases add an app-bound encryption layer on Windows that ties the key to a SYSTEM-level service, so user-level access alone is no longer enough; this raises the bar but does not remove the technique.
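Because decrypting the Chromium store needs both the database and the DPAPI-wrapped key, a process that reads both is a far stronger signal than either read alone. The following detection logic is an added example written for this article, not code from the article's source or from any vendor; it runs over a constructed list of file-access events with an assumed shape (image, target, operation) that real EDR or Sysmon telemetry will not match exactly, and the allowlist of expected reader processes is an assumption to be tuned per environment.

```python
"""Flag non-browser processes reading browser credential stores (T1555.003).

Added example, not from the original article. Event records and the
reader allowlist are constructed assumptions; adapt to real telemetry.
"""
import fnmatch

# On-disk artifacts that hold saved browser logins. The Chromium "Login Data"
# database is encrypted with a key kept in "Local State", wrapped by DPAPI;
# Firefox keeps logins.json and the NSS key database key4.db in its profile.
CREDENTIAL_STORE_GLOBS = {
    "chromium_login_data": "*\\appdata\\local\\*\\user data\\*\\login data*",
    "chromium_local_state": "*\\appdata\\local\\*\\user data\\local state",
    "firefox_logins": "*\\appdata\\roaming\\mozilla\\firefox\\profiles\\*\\logins.json",
    "firefox_key_db": "*\\appdata\\roaming\\mozilla\\firefox\\profiles\\*\\key4.db",
}

# Processes that legitimately open these files (assumed allowlist).
EXPECTED_READERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

# Constructed sample events: one benign browser read, one unknown binary that
# grabs both Chromium artifacts, one unrelated read, one Firefox key read.
CONSTRUCTED_EVENTS = [
    {"image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
     "operation": "read"},
    {"image": "C:\\Users\\alice\\Downloads\\invoice.exe",
     "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State",
     "operation": "read"},
    {"image": "C:\\Users\\alice\\Downloads\\invoice.exe",
     "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
     "operation": "read"},
    {"image": "C:\\Windows\\System32\\svchost.exe",
     "target": "C:\\Users\\alice\\Documents\\notes.txt",
     "operation": "read"},
    {"image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "target": "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abc123.default\\key4.db",
     "operation": "read"},
]


def classify_target(path):
    """Return the store kind a path belongs to, or None. Windows paths are
    case-insensitive, so both sides are compared lower-cased."""
    lowered = path.lower()
    for name, pattern in CREDENTIAL_STORE_GLOBS.items():
        if fnmatch.fnmatchcase(lowered, pattern):
            return name
    return None


def image_name(image):
    return image.rsplit("\\", 1)[-1].lower()


def find_credential_store_access(events):
    """Map each unexpected reader image to the set of store kinds it read."""
    seen = {}
    for ev in events:
        if ev.get("operation") != "read":
            continue
        store = classify_target(ev["target"])
        if store is None or image_name(ev["image"]) in EXPECTED_READERS:
            continue
        seen.setdefault(ev["image"], set()).add(store)
    return seen


def severity(stores):
    """High when one process read both halves needed for decryption
    (database plus the wrapped key); medium for a partial read."""
    if {"chromium_login_data", "chromium_local_state"} <= stores:
        return "high"
    if {"firefox_logins", "firefox_key_db"} <= stores:
        return "high"
    return "medium"


def alerts(events):
    """Return {image: (severity, sorted store kinds)} for suspicious readers."""
    return {img: (severity(stores), sorted(stores))
            for img, stores in find_credential_store_access(events).items()}


if __name__ == "__main__":
    for img, (sev, stores) in alerts(CONSTRUCTED_EVENTS).items():
        print(f"[{sev}] {img} read {', '.join(stores)}")
```

The severity step is the point: a backup agent might touch Login Data, but a process that reads the database and the DPAPI-wrapped key in the same session is doing exactly what the decryption routine needs.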
Another technique focuses on password managers, which keep credentials in an encrypted vault on disk. The vault is only as safe as the master password and the process that holds it unlocked: an attacker who captures the master password (by keylogging or a fake prompt) or who reads the unlocked vault from the manager's process memory can recover every stored credential at once. Because a single vault typically covers many systems, this can turn one compromised endpoint into a widespread compromise.
In the Real World
In 2024, the Cuckoo infostealer was reported targeting macOS systems by copying the user's Keychain directory (~/Library/Keychains) for exfiltration. Rather than carrying its own tooling for every step, the malware leaned on built-in scripting (shell commands and AppleScript) to walk the directory and to phish the login password that unlocks it. Abuse of signed, pre-installed system tools like this blends in with ordinary user activity and makes detection harder.
Understanding Cuckoo
Cuckoo is a malware strain discovered in April 2024 that targets macOS systems. It functions both as an infostealer and as spyware, designed to extract sensitive data and monitor user activity. It was initially identified in a trojanized application named "DumpMedia Spotify Music Converter," distributed through websites offering unauthorized music conversion tools. On execution, Cuckoo masquerades as legitimate software and instructs the user to bypass macOS security features such as Gatekeeper. Once installed, it creates hidden directories and LaunchAgent plist files to maintain persistence.
Cuckoo's primary objective is data exfiltration. It targets the macOS Keychain to harvest stored credentials, including passwords and cryptographic keys. Since the login Keychain is unlocked by the user's login password, the malware uses AppleScript to display a deceptive password prompt and trick the user into typing that password. It also collects browser data, captures screenshots, and reads data from messaging applications such as Telegram and Discord. To evade detection, Cuckoo uses obfuscation techniques such as XOR encoding and runtime string decryption, and it gathers system information, including hardware details and geographic location, to tailor its behaviour.
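Two of the behaviours above leave visible traces in process telemetry: an osascript "display dialog ... with hidden answer" prompt (the classic fake password box) and a copy of ~/Library/Keychains by a utility that has no business touching it. The logic below is an added example written for this article, not Cuckoo's code and not a vendor's detection; it runs over constructed process-execution events with an assumed shape (pid, ppid, image, cmdline) and correlates the two behaviours by parent process, since a single dropper typically drives both. The list of copy utilities is an assumption.

```python
"""Correlate a fake AppleScript password prompt with a Keychain directory copy.

Added example, not from the original article or from Cuckoo itself.
Event shape and the set of copy tools are constructed assumptions.
"""
import re

# osascript dialogs that ask for hidden input are how a fake password box is built.
HIDDEN_ANSWER_RE = re.compile(r"display dialog.*with hidden answer", re.IGNORECASE | re.DOTALL)

# The per-user Keychain directory, given as an absolute or ~-relative path.
KEYCHAIN_DIR_RE = re.compile(r"(?:/Users/[^/\s]+|~)/Library/Keychains\b")

# Utilities an infostealer is likely to use to stage the directory (assumed list).
COPY_TOOLS = {"cp", "ditto", "rsync", "tar", "zip"}

# Constructed sample events: a phishing prompt and a Keychain copy spawned by the
# same parent (pid 480), plus two benign uses of osascript and security.
CONSTRUCTED_EVENTS = [
    {"pid": 501, "ppid": 480, "image": "/usr/bin/osascript",
     "cmdline": ("osascript -e 'display dialog \"macOS needs to update. Enter your password.\" "
                 "default answer \"\" with hidden answer with title \"System Preferences\"'")},
    {"pid": 502, "ppid": 480, "image": "/bin/cp",
     "cmdline": "cp -r /Users/alice/Library/Keychains /var/folders/zz/T/.k"},
    {"pid": 503, "ppid": 1, "image": "/usr/bin/osascript",
     "cmdline": "osascript -e 'display notification \"Backup done\"'"},
    {"pid": 505, "ppid": 1, "image": "/usr/bin/security",
     "cmdline": "security find-generic-password -s wifi"},
]


def classify(event):
    """Label one event as a fake password prompt, a Keychain copy, or neither."""
    tool = event["image"].rsplit("/", 1)[-1]
    cmd = event["cmdline"]
    if tool == "osascript" and HIDDEN_ANSWER_RE.search(cmd):
        return "fake_password_prompt"
    if tool in COPY_TOOLS and KEYCHAIN_DIR_RE.search(cmd):
        return "keychain_dir_copy"
    return None


def correlate(events):
    """Group findings by parent pid. Both behaviours under one parent is high
    confidence: the dropper phished the password and staged the files it unlocks."""
    by_parent = {}
    for ev in events:
        kind = classify(ev)
        if kind:
            by_parent.setdefault(ev["ppid"], set()).add(kind)
    return {ppid: ("high" if len(kinds) == 2 else "medium", sorted(kinds))
            for ppid, kinds in by_parent.items()}


if __name__ == "__main__":
    for ppid, (sev, kinds) in correlate(CONSTRUCTED_EVENTS).items():
        print(f"[{sev}] parent pid {ppid}: {', '.join(kinds)}")
```

A lone hidden-answer dialog also appears in legitimate admin scripts, which is why the example scores it medium on its own and only escalates when the Keychain copy shows up under the same parent.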
The emergence of Cuckoo underscores the evolving threat landscape for macOS users. Its combination of credential theft and surveillance capabilities poses significant risks to personal and organizational security. Users are advised to exercise caution when downloading software from unverified sources and to implement robust security measures to mitigate such threats.
Mitigation Strategies
As always, a sound general security posture, including a working update policy, is the best way to stay a step ahead. If you need four concrete tips for keeping your organization on top of this technique, start here:
Enforce strong, unique passwords, and rotate credentials when compromise is suspected rather than on a fixed schedule, which mainly encourages predictable variations.
Limit the number of accounts, services, and processes that can read credential stores (Credential Manager, the Keychain, browser profile directories, cloud secrets managers), and grant only the permissions each one needs.
Keep operating systems, browsers, and password managers patched, since vulnerabilities in them are what lets an attacker pull unlocked secrets out of memory.
Educate users about the risks of storing credentials in browsers, and steer them toward a dedicated password manager protected by multi-factor authentication, so that a stolen vault file alone is not enough.
By understanding and addressing the methods outlined in T1555, organizations can better protect against unauthorized access and credential theft.