What is credential dumping?

Also called a password dump, a dump is copying raw data from one place to another. In a credential dump, the attacker hacks your device, steals your credentials from the recorded state of your device’s working memory (RAM), and uses them to either:

A) Access your device and private information whenever they like if they steal your device unlock password or administrator password.

B) Access your other accounts if they steal all of your account credentials.

C) Access and infect other devices connected to the same network in preparation for a company-wide ransomware attack, for example.

The “dumping” term comes from the attacker copying and then “dumping” the stolen credentials onto their own device. What are credentials? Credentials are usernames and passwords, or biometric elements used to log in and access online accounts.

In most large breaches, credentials are dumped. In 2021, a compilation of 8.4 billion stolen and leaked credentials – dubbed RockYou2021 – appeared on a hacker forum. The previous year, in 2020, a hacker sold 538 million Sina Weibo accounts on the dark web that included people’s real names, gender, location, and phone numbers.

If you’re wondering how much stolen data sells for, check out our dark web case study, where we cover that in-depth.

Whenever news breaks of a ransomware attack having paralyzed an entire organization, malware is often used to spread infection through the network. Credential dumping is often the first move in getting access to computers to deploy that malware from one computer to the next.

So yes, credential dumping, or credential stuffing, can affect you and your entire company network, acting as a precursor to paralyzing ransomware attacks, identity fraud, and theft.

1. The hacker finds an opportunity to run infectious code on your device to gain access. (It could be an unpatched vulnerability in your operating system, for instance. That’s why updates are so important).
2. Next, the hacker digs around in your device’s core RAM memory for usernames and passwords. They might not even have to go this deep if you’ve stored your passwords on your desktop. (It happens). The hacker could also steal a file from your computer’s disk called the security account manager, or SAM, which contains a list of hashed passwords. If the hashing is weak or your passwords are too simple, they could be cracked individually.
3. With the valuable credentials of company administrators, CEOs, and HR personnel, hackers can move across a network without much suspicion.

Another credential dumping tactic

Some hackers use you as a pawn to get “more valuable” credentials.

1. Assuming a hacker can already get into your computer, they will mess around with your computer settings until you call tech support out of frustration.
2. Once they see the administrator logging in to your computer, they can steal their credentials from the memory and use them to access any other place on the network.
3. From here, a hacker might be able to destroy an entire network by holding ransom as many connected devices as they can.

• For a window of time, all of your processes, including your usernames and passwords, are stored in the random access memory (RAM) of your device for faster operation. And they’re usually stored in plaintext (normal, readable format as opposed to encrypted code). Operating systems rarely have security layers that secure main memory at all times. And because this information is unencrypted and in plaintext, it can be read and stolen if your device is infected with malware or spyware.
• The entire contents of main memory can be dumped onto a file and saved, which is what malicious malware does to obtain private data (some malware can write itself directly onto a computer’s system memory, which stays there even after rebooting). The information can then be analyzed by another tool like mimikatz, for example.

Mimikatz is a tool that dumps passwords , as well as hashes and PINs, from memory. Used by both penetration testers and malware creators, Mimikatz was a key player in the infamous attack on the NSA in 2017.

Mimikatz was invented by a researcher to better understand Windows security. Until Windows 10, Windows by default used a feature called WDigest that loads encrypted passwords into memory, but it also loaded the secret key to decrypt them. This feature is useful for authenticating large numbers of users on a company network, for instance. But it also lets Mimikatz exploit this feature by credential dumping the memory.

Permission to access: system administrators should limit the number of users with administrative privileges to help prevent the theft of valuable credentials.

Remote admin login: administrators should never log in to a device that they suspect might be hacked or infected with malware. And organizations should never use the same admin password across an enterprise.

2FA: If your passwords have been stolen, the attacker will have a hard time using them if they have to bypass 2FA. Obviously strong passwords should be your very first line of defense.

Encrypt, encrypt, encrypt: Developers should encrypt data in memory to try and limit attacks to main memory. Developers should also clear the memory location of sensitive data to prevent attacks on system memory.

Don’t be a victim: Always scan your devices for spyware and malware. One of the ways you can expose your device to being infected with malware is by clicking on malware-riddled pop-up ads on suspicious websites.