Saving credentials is convenient both for users and attackers
Palo Alto Networks Unit 42 has written a nice overview of how various popular desktop applications store saved passwords and how easy it is for adversaries to retrieve them once they have a foothold on a particular computer.
Programs can make their users’ lives easier and save time by storing their credentials to avoid re-typing them: from WinSCP, over OpenVPN, to web browsers and Git. Saving passwords in Git clients is perhaps the most risky proposition, as a stolen credential to a code repository opens the way to destructive and far reaching software supply chain attacks.
As an example of credential gathering, take any Chromium based browser such as Google Chrome, Microsoft Edge or Opera: many people tend to save passwords while surfing the internet via those browsers.
In such cases, saved passwords are located encrypted in an SQLite database file, usually called "login data" and each user profile has its own password database - its "login data" file. The key used to encrypt the passwords is located in the parent folder, in a JSON file called "local state".
To decrypt a password that a Chromium-based browser saves, one needs to retrieve three components: the encrypted password, the encryption key (AES) and something called an initialization vector (used in AES operations).
It turns out, these steps are quite easy and well known by both threat actors and threat researchers. The steps can be scripted and automated - for ex. see a Python script here which will dump and display all your passwords saved in a browser.
The convenience of saving passwords often comes at the price of poor security, causing the risk of password theft. Credentials gathered in this manner can then be used during an actual cyberattack.
Organizations cannot expect the users to stop the practice of saving passwords - the convenience is simply too tempting. But they can aim to minimize the usage of passwords and opt for multi-factor authentication and managed identities wherever possible.
Another way to mitigate this risk is to introduce visibility into the endpoint by extending traditional anti-malware with Extended Detection and Response software (EDR or XDR, depending on vendor). EDR incorporates the threat researcher's domain knowledge about attack tactics and techniques. Credential gathering is certainly one such technique and will be detected (and possibly blocked), as illustrated below on a real life example of an attempt at credential gathering by an Emotet malware sample:
Read here how other popular applications can have their saved passwords retrieved.
