{"id":4164,"date":"2019-07-15T16:18:57","date_gmt":"2019-07-15T19:18:57","guid":{"rendered":"https:\/\/www.nachodelatorre.com.ar\/mosconi\/?p=4164"},"modified":"2019-07-15T16:18:57","modified_gmt":"2019-07-15T19:18:57","slug":"que-es-el-dumping-de-credenciales","status":"publish","type":"post","link":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=4164","title":{"rendered":"What is credential dumping?"},"content":{"rendered":"<p>A technique that refers to any means of extracting or &#8216;dumping&#8217; user authentication credentials from a victim computer.<!--more--><\/p>\n<p><span class=\"lede\">DESPITE ALL THE\u00a0<\/span>cybersecurity industry\u2019s talk of preventing \u201cbreaches,\u201d a computer network in some ways is less like a fortress and more like a human body. And skillful hackers are like germs: They tend to get in via some orifice or another. Once inside, it\u2019s whether they can thrive and multiply their infections\u2014and what vital organs they can reach\u2014that determines whether the outcome is a sneeze or a full-on catastrophic takeover.<\/p>\n<p>In many modern hacking operations, the difference comes down to a technique known as \u201ccredential dumping.\u201d The term refers to any means of extracting, or \u201cdumping,\u201d user authentication credentials like usernames and\u00a0passwords from a victim computer, so that they can be used to reenter that computer at will and reach other computers on the network. Often credential dumping pulls multiple passwords from a single machine, each of which can offer the hacker access to other computers on the network, which in turn contain their own passwords ready to be extracted, turning a single foothold into a branching series of connected intrusions. 
And that\u2019s made the technique at least as crucial to hackers\u2019 work\u2014and as dangerous for sensitive networks\u2014as whatever\u00a0phishing\u00a0email or infected attachment let hackers find entry into the network in the first place.<\/p>\n<p class=\"paywall\">Credential dumping is largely possible because operating systems have long tried to spare users the inconvenience of repeatedly entering their password. Instead, after a user is prompted to enter it once, their password is stored in memory, where it can be called up by the operating system to seamlessly prove the user\u2019s identity to other services on the network.<\/p>\n<p class=\"paywall\">But the result is that once a hacker has gained the ability to run code on a victim machine, he or she can often dig up the user\u2019s password from the computer\u2019s memory, along with any other users&#8217; passwords that might linger there. In other cases, the hacker can steal a file from the computer&#8217;s disk called the Security Account Manager, or SAM, which contains a list of the network&#8217;s\u00a0hashed passwords. If the passwords are\u00a0too simple\u00a0or if the hashing is weak, they can then often be cracked one by one.<\/p>\n<p class=\"paywall\">Amit Serper, a researcher for security firm Cybereason and a former Israeli intelligence hacker, compares credential dumping to a thief who sneaks through an open window, but once inside finds a spare key to the victim\u2019s house he or she can copy\u2014along with keys to the victim\u2019s car and office. \u201cYou got in that one time, but if you want to come back you have to have keys to the house,\u201d Serper says. &#8220;Once you have those keys, you can do whatever you want.\u201d<\/p>\n<p class=\"paywall\">In some cases, Serper says, he&#8217;s seen hackers mess with settings on a computer to frustrate the user until he or she calls tech support, which results in an administrator logging into their machine. 
The hacker can then steal that administrator&#8217;s much more valuable credentials from memory and use them to wreak havoc elsewhere on the network.<\/p>\n<p class=\"paywall\">Credential dumping is so crucial to modern hacking operations, Serper says, that he finds in analyses of victim networks that it often precedes even the other basic moves hackers make after gaining access to a single computer, such as installing persistent malware that will survive if the user reboots the machine. \u201cIn every large breach you look at today, credentials are being dumped,\u201d Serper says. \u201cIt\u2019s the first thing that happens. They just get in, then they dump the passwords.\u201d<\/p>\n<p class=\"paywall\">By far the most common tool for credential dumping was created in 2012 by a French security researcher named Benjamin Delpy and is known as\u00a0Mimikatz. Delpy, who worked for a French government agency, wrote it to improve his C++ coding skills and also as a demonstration of what he saw as a security oversight in Windows that he wanted to prove to Microsoft.<\/p>\n<p class=\"paywall\">Since then, Mimikatz has become the go-to credential dumping tool for any hacker who hopes to expand access across a network. Dmitri Alperovitch, the chief technology officer of security firm Crowdstrike, calls it the \u201cAK-47 of cybersecurity.&#8221; Some sophisticated hackers also build their own credential dumping tools. More often they modify or customize Mimikatz, which is what happened with\u00a0the likely Chinese hackers\u00a0revealed last month to have targeted at least 10 global phone carriers in an espionage campaign.<\/p>\n<p class=\"paywall\">Aside from that sort of espionage, credential dumping has become a key tool for hackers who seek to spread their infection to an entire network with the aim of destroying or holding ransom as many computers as possible. 
Mimikatz, for instance, served as an ingredient in a range of paralyzing incidents, from the\u00a0LockerGoga ransomware attack on aluminum firm Norsk Hydro\u00a0to the NotPetya worm, a piece of destructive malware released by Russian state hackers that became the\u00a0most costly cyberattack in history. &#8220;Any time we hear in the news that ransomware has taken out an entire organization, this is what happened,&#8221; says Rob Graham, the founder of Errata Security. &#8220;This is how it spread through the entire domain: It gets credentials and uses this mechanism to spread from one computer to the next.&#8221;<\/p>\n<p class=\"paywall\">The danger of credential dumping, Graham warns, is that it can turn even one forgotten computer with unpatched vulnerabilities into that sort of network-wide disaster. &#8220;It\u2019s not the systems that everyone knows about that you need to worry about, those are patched. It&#8217;s the systems you don&#8217;t know about,&#8221; he says. &#8220;A foothold on these unimportant systems can spread to the rest of your network.&#8221;<\/p>\n<p class=\"paywall\">While keeping hackers from ever gaining that foothold is an impossible task, Graham says that system administrators should carefully limit the number of users with administrative privileges to prevent powerful credentials from being accessed by hackers. Administrators should be wary of logging into computers that they suspect might be compromised by hackers. And Cybereason&#8217;s Amit Serper points out that\u00a0two-factor authentication\u00a0can help, limiting the use of stolen passwords since anyone trying to use them would need a second authentication factor, too, like a one-time code or a Yubikey.<\/p>\n<p class=\"paywall\">&#8220;Having that second factor is the best way to battle credential dumping,&#8221; Serper says. 
&#8220;How else can you protect yourself if someone has the master key to your house?&#8221;<\/p>\n<p><strong>Source:<\/strong>\u00a0<em><a href=\"https:\/\/www.wired.com\/story\/hacker-lexicon-credential-dumping\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/www.wired.com<\/a><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A technique that refers to any means of extracting or &#8216;dumping&#8217; user authentication credentials from a victim computer.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[23,29],"tags":[],"_links":{"self":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/4164"}],"collection":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4164"}],"version-history":[{"count":0,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/4164\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4164"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4164"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4164"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}