Default Accounts

Information

• Name: Default Accounts

• ID: T1078.001

• Tactics: TA0005, TA0003, TA0004, TA0001

• Technique: T1078

Introduction

The sub-technique Default Accounts (T1078.001), as categorized under the MITRE ATT&CK framework, describes adversaries leveraging built-in default accounts, credentials, or pre-configured user accounts to gain unauthorized access to systems and networks. These default accounts typically exist due to vendor configurations, installations, or initial system setups and often come with widely known or easily guessable credentials. Attackers exploit these accounts to bypass standard authentication mechanisms, enabling them to maintain persistence, escalate privileges, or move laterally within compromised environments.

Deep Dive Into Technique

Attackers exploiting default accounts typically follow a structured approach:

• Identification of Default Accounts:

  • Attackers first identify the presence of default accounts through reconnaissance or scanning techniques.

  • Common default accounts include well-known usernames/passwords such as admin/admin, root/root, guest/guest, or manufacturer-specific credentials.

  • Default accounts may be documented publicly in vendor manuals, online databases, or security advisories.

• Exploitation Methods:

  • Attackers utilize automated credential stuffing tools or scripts to systematically attempt default credentials against targeted services such as SSH, Telnet, web administration interfaces, database systems, and network devices.

  • Manual login attempts may also occur, particularly when targeting high-value assets or systems known to use vendor-specific default credentials.

• Mechanisms of Access:

  • Once authenticated, attackers gain access to administrative interfaces or system shells, enabling them to execute arbitrary commands, install malware, or modify system configurations.

  • Default accounts commonly have elevated privileges, simplifying privilege escalation and lateral movement within networks.

• Persistence and Privilege Escalation:

  • Attackers often leverage default accounts as a persistent backdoor, ensuring continuous access even if other access methods are mitigated.

  • Elevated access through default accounts facilitates privilege escalation, enabling attackers to establish additional footholds or compromise further resources.

When this Technique is Usually Used

Attackers commonly utilize default accounts across various stages and scenarios of cyberattacks, including:

• Initial Access:

  • Exploiting default credentials to gain initial footholds on publicly accessible systems or exposed administrative interfaces.

  • Targeting IoT devices, network appliances, routers, switches, and printers frequently configured with default credentials.

• Persistence:

  • Maintaining long-term unauthorized access by leveraging default accounts which may be overlooked in routine security audits or password rotation policies.

• Privilege Escalation:

  • Utilizing default accounts with administrative privileges to escalate from lower-level user access to administrative control on compromised systems.

• Lateral Movement:

  • Exploiting default credentials to move laterally across network infrastructure, gaining access to other interconnected systems or network segments.

• Reconnaissance and Credential Harvesting:

  • Leveraging default accounts to explore internal networks, identify critical assets, and harvest additional credentials or sensitive data.

How this Technique is Usually Detected

Detection of exploitation involving default accounts typically involves multiple strategies and tools:

• Monitoring Authentication Logs:

  • Analyze authentication events for successful or failed login attempts involving known default usernames (e.g., admin, root, guest, administrator).

  • Detect unusual login activity, particularly from external or unknown IP addresses.

• Behavioral Analysis and Anomaly Detection:

  • Employ SIEM solutions and user behavior analytics (UBA) to detect anomalies such as login attempts at unusual times, from unusual locations, or to rarely accessed systems.

  • Identify repeated authentication failures or credential stuffing patterns indicative of automated attacks.

• Network Intrusion Detection Systems (NIDS):

  • Deploy intrusion detection systems with rulesets specifically targeting default credential usage or brute-force login attempts.

  • Signature-based detection of known credential stuffing tools or scripts.

• Vulnerability Scanners and Configuration Audits:

  • Regularly perform vulnerability scans or configuration audits to identify systems still using default credentials.

  • Utilize automated tools (e.g., Nessus, OpenVAS) that detect default account vulnerabilities across network devices and applications.

• Indicators of Compromise (IoCs):

  • Unusual or unauthorized administrative account activity.

  • Login attempts from unexpected geographic locations or IP addresses.

  • Repeated failed login attempts followed by successful authentication.

  • Presence of unauthorized configuration changes or new user accounts created shortly after default account usage.

Why it is Important to Detect This Technique

Early detection of default account exploitation is crucial due to its significant potential impacts on systems and networks:

• Unauthorized Access and Control:

  • Attackers gaining administrative privileges through default accounts can exert full control over affected systems, leading to unauthorized data access, modification, or deletion.

• Persistence and Difficulty of Remediation:

  • Default accounts offer attackers persistent access that can be difficult to detect and remediate, especially if password rotation policies or account management practices are ineffective or neglected.

• Lateral Movement and Escalation:

  • Default accounts with elevated privileges facilitate lateral movement across network segments, enabling attackers to compromise additional systems and escalate attacks rapidly.

• Data Breaches and Information Leakage:

  • Exploitation of default accounts frequently leads to unauthorized data exfiltration, potentially resulting in sensitive information leakage, compliance violations, and reputational damage.

• Service Disruption and System Compromise:

  • Attackers may leverage default accounts to disrupt critical services, install malware, or conduct ransomware attacks, severely impacting organizational operations and continuity.

• Regulatory and Compliance Risks:

  • Failure to detect and remediate default account vulnerabilities can lead to regulatory non-compliance, resulting in financial penalties, legal consequences, and loss of customer trust.

Examples

Real-world examples illustrate the prevalence and impact of default account exploitation:

• Mirai Botnet (2016):

  • Attack Scenario:

    • Attackers utilized default usernames and passwords to compromise IoT devices such as routers, cameras, and DVRs.

    • After gaining access, devices were infected with Mirai malware, forming a massive botnet used for distributed denial-of-service (DDoS) attacks.

  • Tools Used:

    • Automated scanning scripts to identify and exploit default credentials (admin, root, 123456, password).

  • Impact:

    • Massive DDoS attacks targeting critical internet infrastructure, including DNS provider Dyn, causing widespread service outages for major websites and services.

• VPN and Network Appliance Exploitation (Pulse Secure, Fortinet, Cisco):

  • Attack Scenario:

    • Attackers targeted VPN and network appliance default credentials or known hardcoded accounts to gain unauthorized administrative access.

  • Tools Used:

    • Credential stuffing scripts, brute-force tools, and publicly available default credential lists.

  • Impact:

    • Unauthorized access to sensitive corporate networks, data breaches, and persistent attacker footholds within enterprise environments.

• Default Database Credentials (MongoDB, Elasticsearch):

  • Attack Scenario:

    • Attackers scanned the internet to identify publicly exposed databases using default credentials or no authentication.

    • After gaining access, attackers exfiltrated data or held databases for ransom.

  • Tools Used:

    • Automated scanning and exploitation tools (e.g., Shodan searches, mass-scan scripts).

  • Impact:

    • Data breaches, ransom demands, and significant financial and reputational damage to affected organizations.

• Industrial Control Systems (ICS) and SCADA Exploitation:

  • Attack Scenario:

    • Attackers exploited default credentials in ICS and SCADA systems to gain unauthorized control over critical infrastructure.

  • Tools Used:

    • Credential enumeration and brute-force utilities, ICS-specific scanning tools.

  • Impact:

    • Potential disruption of critical infrastructure operations, posing risks to public safety and national security.

These examples highlight the critical need for organizations to proactively detect, mitigate, and manage default account vulnerabilities to prevent significant security incidents and operational disruptions.