The Qilin ransomware variant has been detected successfully exfiltrating sensitive data stored in the Google Chrome browser.
In their article, Sophos researchers revealed how a criminal group used previously compromised credentials to gain access to an unnamed organization’s IT infrastructure. The credentials were for a virtual private network (VPN) portal, which lacked multi-factor authentication (MFA) and was therefore relatively easy to access.
It is unknown whether the initial breach was carried out by an initial access broker (IAB) and then handed over to the ransomware operators, or whether a single group carried out the entire operation.
Massive theft of credentials
In any case, the group remained inside the network for more than two weeks (18 days) before using the compromised credentials to move to a domain controller. While the criminals were detected on only one domain controller in the target's Active Directory domain, the researchers concluded that the other domain controllers in that AD domain were also infected, though they were affected differently.
Qilin is a classic ransomware operation that relies on the usual double-extortion approach: it first steals as much information as possible, then encrypts the affected devices and demands payment in exchange for the decryption key. What makes this particular operation relatively unusual, the researchers say, is the way it targets Google Chrome.
“During a recent investigation into a Qilin ransomware breach, Sophos’ X-Ops team identified attacker activity that led to the mass theft of credentials stored in Google Chrome browsers on a subset of network endpoints – a credential harvesting technique with potential implications far beyond the original victim’s organization,” the researchers explained. “This is an unusual tactic and one that could be an additional multiplier to the chaos already inherent in ransomware situations.”
In other words, Qilin collected the credentials saved in the Chrome browsers of machines connected to the same network as the initially compromised one, not just those on the first system it reached.
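The defensive counterpart to this technique is to watch for anything other than the browser itself opening Chrome's saved-password store, and then to look at how many endpoints that happened on. The following is an added example written for this article, not code from Sophos or from the Qilin investigation: it assumes only that Chrome keeps saved logins in a file named "Login Data" under the profile's "User Data" directory, and it runs over a handful of constructed, Sysmon-style file-access events (host, process image, file path) rather than real telemetry.

```python
"""Added example: flag non-browser processes reading Chrome's saved-password
store, then surface hosts where that happened across several profiles.
The event schema below is a constructed abstraction of file-access telemetry."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Chrome stores saved logins in a SQLite file named "Login Data" inside each
# profile directory beneath "User Data" (assumption: this is the default layout).
CHROME_CREDENTIAL_FILES = {"login data", "login data for account"}

# The browser itself is the only process expected to open that file.
ALLOWED_READERS = {"chrome.exe"}


def is_chrome_credential_store(path: str) -> bool:
    """True if the path points at a Chrome saved-password database."""
    p = PureWindowsPath(path)
    parts = [part.lower() for part in p.parts]
    return p.name.lower() in CHROME_CREDENTIAL_FILES and "user data" in parts


def suspicious_reads(events):
    """Return events where a non-browser process opened a Chrome credential store."""
    hits = []
    for ev in events:
        proc = PureWindowsPath(ev["process"]).name.lower()
        if is_chrome_credential_store(ev["path"]) and proc not in ALLOWED_READERS:
            hits.append(ev)
    return hits


def hosts_with_harvesting(events, min_profiles=1):
    """Map host -> sorted list of distinct credential-store paths read by
    non-browser processes. min_profiles lets an analyst focus on hosts where
    more than one user's profile was touched, which is the mass-theft pattern."""
    per_host = defaultdict(set)
    for ev in suspicious_reads(events):
        per_host[ev["host"]].add(ev["path"].lower())
    return {h: sorted(paths) for h, paths in per_host.items()
            if len(paths) >= min_profiles}


# Constructed sample events (not real telemetry). Only the PowerShell reads
# of "Login Data" should be flagged; Chrome reading its own store is benign.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"host": "WS01", "process": CHROME,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "WS01", "process": PS,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "WS02", "process": PS,
     "path": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "WS02", "process": PS,
     "path": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Profile 1\Login Data"},
    {"host": "WS03", "process": r"C:\Windows\System32\notepad.exe",
     "path": r"C:\Users\carol\Documents\notes.txt"},
]

if __name__ == "__main__":
    for ev in suspicious_reads(SAMPLE_EVENTS):
        print(f"[ALERT] {ev['host']}: {PureWindowsPath(ev['process']).name} read {ev['path']}")
    print("hosts with multi-profile harvesting:",
          list(hosts_with_harvesting(SAMPLE_EVENTS, min_profiles=2)))
```

In practice the alert on a single host is the useful early signal, and the per-host grouping is what turns it into the network-wide picture the researchers describe: the same non-browser process reading the credential store on many endpoints at roughly the same time.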
Cybercriminals continue to evolve their tactics, Sophos concluded, stressing that organizations should rely more on password managers and enable MFA wherever possible to reduce the chances of falling victim.