The Qilin ransomware group, already infamous for its devastating attacks, has now been caught stealing credentials stored in Google Chrome browsers. This new tactic could amplify the chaos typically associated with ransomware breaches, spreading the impact far beyond the initial victim.
This was uncovered in a recent investigation by the Sophos X-Ops team, who called it “a concerning development in the cybercrime landscape.”
A New Dimension to Ransomware Attacks
The Qilin ransomware group has been active for over two years, gaining notoriety for its double-extortion tactics, which involve stealing data, encrypting systems, and threatening to release or sell the stolen information if the ransom isn’t paid. However, this latest breach, seen in July 2024, marks a departure from their usual methods.
During the breach, the ransomware gang accessed a domain controller within the target’s Active Directory (AD) domain and implemented a novel credential-harvesting technique. By modifying the default domain policy, they introduced a logon-based Group Policy Object (GPO) containing a PowerShell script designed to steal credentials saved in Chrome browsers. The GPO executed on every machine connected to the network, triggering the credential-harvesting script each time a user logged in.
An 18-Day Dwell Time
The attack began with compromised credentials, a common entry point for ransomware gangs. The initial breach occurred through a VPN portal lacking multifactor authentication (MFA), allowing attackers to move laterally within the network over an 18-day period. Eventually, they reached a domain controller, where they deployed the credential-stealing scripts.
The PowerShell script, named IPScanner.ps1, harvested Chrome-stored credentials and saved them in an SQLite database file. The attackers then exfiltrated these credentials, subsequently deleting the evidence and clearing event logs. Finally, the attackers deployed the ransomware, encrypting files across the network and leaving ransom notes in every affected directory.
Widespread Impact
The decision to target Chrome-stored credentials is significant, given Chrome’s dominance in the browser market, with over 65% market share. The malefactors likely aimed to maximize the number of credentials they could steal, as the average user reportedly has 87 work-related passwords and twice as many personal ones.
The consequences of this attack extend beyond the immediate victim. Defenders not only need to reset all Active Directory passwords but also face the onerous task of making sure all users change their credentials for countless third-party sites stored in Chrome.
The scale of this breach fuels a situation where a single compromised user could lead to dozens or even hundreds of separate data breaches.
A Dark New Chapter in Cybercrime
This attack underscores the evolving nature of ransomware tactics. By targeting endpoint-stored credentials, the Qilin group may have opened a new avenue for bad actors to exploit. The potential for attackers to gain access to subsequent targets or valuable information about high-value individuals is a concerning development.
As ransomware groups continue to hone and expand their methods, security practitioners must remain vigilant and adapt to emerging threats.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.