Qilin ransomware escalates attack with exfiltration of browser credentials

The Sophos X-Ops team has disclosed a new attack variant of the Qilin ransomware group. As part of a recent investigation into a Qilin ransomware attack, the Sophos X-Ops team discovered that the attackers stole credentials stored in Google Chrome browsers on certain network endpoints.

The Qilin group, which has been active for over two years, gained access via compromised credentials and then modified Group Policy so that a PowerShell script harvesting Chrome credentials ran as a logon script: each time a user logged in to an affected machine, the script executed and collected the stored data.


The cybercriminals used the PowerShell script to harvest credentials from endpoints across the network, and because multi-factor authentication was not enforced, the harvested passwords could be used directly. The stolen credentials, which may have included logins for numerous third-party websites, were exfiltrated and used to escalate the ransomware attack further.
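The deployment pattern described above (a Group Policy logon script running PowerShell against Chrome's saved-password store) is something a defender can hunt for directly in SYSVOL. The following PowerShell script is an added example, not code from the Sophos write-up and not Qilin's tooling. It assumes a domain-joined host with the RSAT GroupPolicy module installed and read access to SYSVOL; the indicator strings, the look-back window and the script name in the usage note are my own choices, not identifiers from the incident.

```powershell
# Added example (not from the Sophos write-up, not Qilin's tooling).
# Hunts for PowerShell/batch logon scripts delivered through Group Policy
# that reference Chrome's credential store, and cross-checks them against
# recently modified GPOs.
# Assumptions: domain-joined host, RSAT GroupPolicy module present, SYSVOL
# readable. $Domain and $LookbackDays are placeholders to adjust.
#Requires -Modules GroupPolicy

param(
    [string]$Domain       = $env:USERDNSDOMAIN,
    [int]   $LookbackDays = 30
)

# Strings a Chrome credential harvester almost always contains. Chrome keeps
# saved logins in the SQLite file "Login Data" under
# %LOCALAPPDATA%\Google\Chrome\User Data\<profile>\, and the AES key that
# encrypts them sits in "Local State", wrapped with DPAPI, so a harvester has
# to call DPAPI's Unprotect to recover it.
$Indicators = @(
    'Login Data',
    'Local State',
    'Chrome\\User Data',
    'ProtectedData\]::Unprotect',   # [System.Security.Cryptography.ProtectedData]::Unprotect
    'CryptUnprotectData'            # Win32 DPAPI entry point via P/Invoke
)
$Pattern    = $Indicators -join '|'
$PolicyRoot = "\\$Domain\SYSVOL\$Domain\Policies"
$GuidRegex  = '\{[0-9A-Fa-f-]{36}\}'

# 1. Scripts stored inside each GPO's own logon/startup folders.
$ScriptDirs = Get-ChildItem -Path $PolicyRoot -Directory |
    ForEach-Object {
        Join-Path $_.FullName 'User\Scripts\Logon'
        Join-Path $_.FullName 'Machine\Scripts\Startup'
    } |
    Where-Object { Test-Path $_ }

$Hits = foreach ($Dir in $ScriptDirs) {
    Get-ChildItem -Path $Dir -Recurse -File -Include *.ps1, *.bat, *.cmd, *.vbs |
        Select-String -Pattern $Pattern -List |
        ForEach-Object {
            [pscustomobject]@{
                GpoGuid   = [regex]::Match($_.Path, $GuidRegex).Value.Trim('{}')
                Script    = $_.Path
                Indicator = $_.Matches[0].Value
                Line      = $_.Line.Trim()
            }
        }
}

# 2. Script entries registered in psscripts.ini / scripts.ini. These can point
# at files outside SYSVOL (another share, a local path), so list every entry.
$IniGlobs = @(
    "$PolicyRoot\*\User\Scripts\psscripts.ini",
    "$PolicyRoot\*\User\Scripts\scripts.ini",
    "$PolicyRoot\*\Machine\Scripts\psscripts.ini",
    "$PolicyRoot\*\Machine\Scripts\scripts.ini"
)
$Registered = Select-String -Path $IniGlobs -Pattern '^\d+CmdLine=(.+)$' -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            GpoGuid = [regex]::Match($_.Path, $GuidRegex).Value.Trim('{}')
            Ini     = $_.Path
            CmdLine = $_.Matches[0].Groups[1].Value
        }
    }

# 3. GPOs changed inside the look-back window; a harvester has to be attached
# to one, so a fresh modification time on a GPO with a script hit is the
# strongest signal here.
$RecentGpos = Get-GPO -All -Domain $Domain |
    Where-Object { $_.ModificationTime -gt (Get-Date).AddDays(-$LookbackDays) }
$RecentIds  = $RecentGpos | ForEach-Object { $_.Id.ToString() }   # GUID without braces

$Hits = $Hits | Select-Object *, @{ n = 'RecentlyModified'; e = { $RecentIds -contains $_.GpoGuid } }

Write-Host "GPOs modified in the last $LookbackDays days:"
$RecentGpos | Select-Object DisplayName, Id, ModificationTime | Format-Table -AutoSize

Write-Host "Logon/startup scripts referencing Chrome's credential store:"
$Hits | Select-Object GpoGuid, RecentlyModified, Indicator, Script, Line | Format-Table -AutoSize

Write-Host "All script entries registered in psscripts.ini/scripts.ini (check paths outside SYSVOL):"
$Registered | Format-Table -AutoSize
```

Save it under any name, for instance `Find-GpoChromeHarvester.ps1` (a name chosen here, not from the incident), and run it from an administrative workstation with `-LookbackDays` widened to cover the dwell time you are worried about. The string match only catches scripts that name the Chrome files or the DPAPI call in the clear; an obfuscated harvester shows up instead through endpoint telemetry such as file reads of `Login Data` by `powershell.exe`, so treat this as a first pass over SYSVOL rather than a complete detection.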

Qilin attacks often involve a double extortion method – that is, the group steals data, encrypts systems and, on top of that, threatens to publish or sell the stolen data if the victim does not pay for the decryption key.

Christopher Budd, Director of Threat Research at Sophos X-Ops, said: “Credential theft is a highly effective way for attackers to penetrate target systems. In fact, according to our Active Adversary Report, it was the leading cause of attacks in the first half of 2024 and played a role in many of the high-profile cyberattacks we’ve seen this year. In this case, Qilin has taken credential theft to another level – by collecting data from Google Chrome browsers. Browsers are a popular place to store passwords for all kinds of accounts, making this type of data particularly valuable to cybercriminals. However, a strong password management system and MFA can significantly reduce the risk for organizations.”

In the case described, the attackers gained initial access to the environment via compromised credentials; the Sophos team’s investigation also showed that the VPN portal used for that access was not protected by multi-factor authentication (MFA). Eighteen days elapsed between the first access to the network and the attacker’s further movement through it.

In June 2024, the Qilin ransomware group was in the news for an attack on Synnovis, a pathology services provider to UK hospitals and healthcare providers. The Sophos IR team observed the activity described here in July 2024. It was detected on a single domain controller in the target’s Active Directory domain; other domain controllers in the same AD domain were also infected but were affected differently by Qilin.

“If Qilin or other ransomware groups decide to increase their exploitation of credentials stored on endpoints in future attacks, this could be a new chapter in the history of cybercrime,” said Budd. “Personal data contains a wealth of information about high-value targets that can be exploited by other means after the actual ransomware attack.”

(lb/sophos)
