Illusive Blog December 7, 2022

The Danger of Cached Credentials

By Tim Nursall
Account Takeover, ITDR

How often have you logged onto your computer, entered a website and been taken straight to the home page as opposed to the login page? When you open your work laptop on a Monday morning do your emails come flooding in without you needing to sign back into Outlook? How often have you thought about what this may mean? In most cases, the average person won’t have thought twice about this.

In today’s world, we have an incessant need for things to move quickly – particularly when it comes to our work and applications. People want to be able to work faster, and even the 10 seconds it may take to enter a password are too long.

What this means, however, is that your login information has been stored as cached credentials, which are a big security risk, both in terms of business and personal life.

Cached credentials are a big part of digital life, as computers can automatically store them for later use, but unfortunately, that means that if the system is breached these credentials can be stolen by a threat actor.

Why are Cached Credentials so Risky?

Enterprise Strategy Group (ESG) found that malware that steals cached credentials is one of the top attack vectors in business. In fact, the Lapsus$ ransomware gang took this approach when they exploited cached credentials in a widely publicized breach. Additionally, when the Conti leaks were published earlier this year, the gang admitted to targeting credentials to gain initial access. These are just a few examples of recent attacks in which threat actors understood the value of identities in launching a successful cyber-attack.

Increasingly, ransomware gangs are exploiting vulnerable identities in order to achieve their goals. Cached credentials are a large part of this, as many individuals don’t understand the risk these credentials pose to them, let alone to their organization. Despite not being stored in a file or any particular place on a computer, these credentials can be riskier than stored ones, as users tend to follow the mindset that “if it is not stored, it can’t be stolen.”

On the contrary, this makes them a more appealing target for cybercriminals. If stolen, stored credentials would still need to be entered, which would prompt for multi-factor authentication. With cached credentials on a legitimate user’s system, the user is validated by default. Therefore, even if something is protected by zero-trust, threat actors can use these cached credentials to their benefit: the computer is programmed to remember these details for when the user needs them, meaning cybercriminals could bypass zero-trust frameworks.

Exploiting Cached Credentials

To make matters worse, there are widely available free tools that allow threat actors to exploit cached credentials easily and efficiently, without triggering any alarms. Mimikatz is a prominent example of one of these, which the Lapsus$ gang used in their attack. These types of tools are readily available to download from sites such as GitHub and make it easy for practically anyone to perform an attack.

Had it not been for their searches for ‘privilege escalation tools’ online, the Lapsus$ attack may have gone undetected, highlighting the effectiveness of exploiting cached credentials and the need for continuous detection and removal of privileged identities in the network. It also demonstrates the risk exploitable identities pose for businesses. If a user is logged in automatically to their personal accounts, it is plausible – if not highly likely – this is the case for their business accounts as well with technologies such as browsers and operating systems repeatedly requesting to store users’ passwords.

Even though identities are the number one factor used by threat actors, many organizations still have not started assessing and tackling their identity risk. Following a survey, Illusive and ESG found that only 41 percent of access is re-evaluated on a timely basis, and even when it is, admins aren’t always comfortable revoking privileges without understanding why they pose a security concern. This is exacerbated by the fact that only 20 percent of organizations monitor their endpoints for cached credentials, even though they are present on 1-in-6 endpoints. Clearly, this is a huge security risk, particularly as most privileged access management tools lack sophisticated discovery capabilities.
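One way to start monitoring endpoints for one class of cached credentials, shown as an added example that is not Illusive's tooling: parse `cmdkey /list` output (Windows Credential Manager entries) collected from each endpoint and report where privileged accounts are stored. The host names, account names and the `adm-`/`svc_` naming convention are constructed assumptions.

```python
import re

# Constructed sample: `cmdkey /list` output collected from three endpoints.
SAMPLE = {
    "WS-001": """Currently stored credentials:

    Target: Domain:target=fileserver01
    Type: Domain Password
    User: CORP\\adm-jsmith

    Target: LegacyGeneric:target=git:https://example.invalid
    Type: Generic
    User: jsmith
""",
    "WS-002": "Currently stored credentials:\n\n* NONE *\n",
    "WS-003": "Currently stored credentials:\n\n    Target: Domain:target=TERMSRV/jump01\n"
              "    Type: Domain Password\n    User: CORP\\mlee\n",
}

# Assumption: privileged accounts are named with an "adm-" or "svc_" prefix.
PRIVILEGED = re.compile(r"(^|\\)(adm-|svc_)", re.IGNORECASE)
FIELD = re.compile(r"^\s*(Target|Type|User):\s*(.*)$")

def parse_cmdkey(text):
    """Return one dict per stored credential in `cmdkey /list` output."""
    entries, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # header, blank line or "* NONE *"
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "target" and current:  # a new Target line starts a new entry
            entries.append(current)
            current = {}
        current[key] = value
    if current:
        entries.append(current)
    return entries

def privileged_exposure(fleet):
    """Map endpoint -> privileged accounts found in its stored credentials."""
    report = {}
    for host, text in fleet.items():
        users = [e.get("user", "") for e in parse_cmdkey(text)]
        hits = [u for u in users if PRIVILEGED.search(u)]
        if hits:
            report[host] = hits
    return report
```

Running `privileged_exposure(SAMPLE)` reports only `WS-001`, where an `adm-` account is stored. `cmdkey` lists entries for the user who runs it, so collection has to happen in each user's context.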

Cached identities: How are These Linked?

The prevalence of and risk from cached credentials are already enormous. This gets even more dangerous with cached identities. Cached identities are the result when you log onto your computer and applications such as Teams and Slack need no action to log in after launching. This opens the door for threat actors to bypass multi-factor authentication.

Multi-factor authentication and zero-trust offer approaches to curb bad password practices, stop password exploitation and better secure user accounts. Once a computer stores identities for potential later use, this gives cybercriminals the perfect opportunity to take session data from a browser or application and use this elsewhere on the machine. In this way they are able to gain access to most accounts as they have already been through MFA, and the user has been validated. The Lapsus$ attack is a prime example, as the threat actors used cached credentials to move laterally, using the already validated identities to access other accounts and applications.

How can Illusive Help?

You can’t protect what you don’t know exists. Unfortunately, most traditional IAM and PAM solutions don’t monitor for cached credentials, shadow admins, legacy applications, etc. Illusive understands the danger that cached credentials pose for organizations and has developed two solutions. Illusive Spotlight can illuminate identity risk, prioritize identity vulnerabilities and remediate findings, including removing cached credentials from business endpoints. It is supported by Illusive Shadow, which adds identity threat detection and response capabilities, leaving deceptive credentials on endpoints and servers to stop threat actors in their tracks with best-in-class technology.

Identity vulnerabilities in an environment, including cached credentials, are constantly changing as users log in and carry out daily administrative tasks, meaning that the solution needs to work in the same way. Even with great technologies such as PAM, SSO and MFA implemented alongside zero-trust policies, it is crucial to identify and eliminate identity vulnerabilities continuously and in an automated way in order to avoid such an attack and adequately secure employee accounts and applications.

If you’re still not sure about the risk cached credentials pose to your enterprise, contact Illusive today for a free risk assessment or request a demo of our identity threat detection and response (ITDR) solution.
