The Qilin ransomware group has been observed deploying a custom credential stealer to pilfer account credentials stored in Google Chrome browsers. This new tactic marks an alarming shift on the ransomware scene, as reported by Sophos X-Ops researchers.
The attack began with Qilin gaining access to the network through compromised VPN credentials on an account without multi-factor authentication (MFA). After 18 days of dormancy, a gap that may indicate Qilin bought the foothold from an initial access broker (IAB), the attackers moved laterally to a domain controller and modified Group Policy Objects (GPOs) so that a PowerShell script would execute on every machine joined to the domain.
The script, triggered by a batch file that ran every time a user logged in, collected Chrome credentials stored on devices. Stolen credentials were saved on the ‘SYSVOL’ share under names like ‘LD’ or ‘temp.log.’ After sending files to Qilin’s command and control (C2) server, local copies and related event logs were wiped clean.
Eventually, Qilin deployed their ransomware payload and encrypted data on compromised machines. The attack demonstrated a worrying precedent that could make protecting against ransomware attacks even more challenging.
Organizations can mitigate this risk by enforcing strict policies against storing secrets in web browsers and by requiring multi-factor authentication so that stolen passwords alone cannot hijack accounts. Additionally, applying the principle of least privilege and segmenting networks can significantly hinder an attacker’s ability to spread across a compromised network. Given that Qilin does not limit itself to a fixed playbook, any tactical change of this kind poses a significant risk to organizations.
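The chain summarized above (GPO change on the domain controller, PowerShell launched from SYSVOL at logon, oddly named files appearing on the SYSVOL share, then the Security log being cleared) lends itself to a simple host-correlated hunt. The following is an added detection example, not code from the report or from Sophos; it assumes a SIEM that normalizes Windows Security events (5136, 4688, 1102) and Sysmon event 11 into the flat dictionaries shown, and the sample events are constructed.

```python
import os
import re

# Constructed sample telemetry (not real logs). Field names are an assumed SIEM normalization:
# 5136 = directory object modified, 4688 = process created, 1102 = Security log cleared,
# 11 = Sysmon FileCreate. Domain, hosts and script name are placeholders.
SAMPLE_EVENTS = [
    {"ts": "2024-07-01T08:02:11Z", "host": "DC01", "event_id": 5136,
     "object_dn": "CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=corp,DC=example",
     "attribute": "gPCUserExtensionNames"},
    {"ts": "2024-07-01T08:05:42Z", "host": "WS-17", "event_id": 4688,
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -File \\corp.example\SYSVOL\corp.example\scripts\collect.ps1"},
    {"ts": "2024-07-01T08:06:03Z", "host": "WS-17", "event_id": 11,
     "target": r"\\corp.example\SYSVOL\corp.example\scripts\LD"},
    {"ts": "2024-07-01T08:31:00Z", "host": "WS-17", "event_id": 1102},
    # Benign: a user running a local script from Explorer should not trigger anything.
    {"ts": "2024-07-01T09:00:00Z", "host": "WS-22", "event_id": 4688,
     "parent": r"C:\Windows\explorer.exe", "cmdline": r"powershell.exe -File C:\Users\bob\build.ps1"},
]

# Matches a UNC path into any domain's SYSVOL share, e.g. \\corp.example\SYSVOL\...
SYSVOL = re.compile(r"\\\\[^\\]+\\SYSVOL\\", re.IGNORECASE)
# File names the report says the stolen Chrome credentials were written under.
SUSPECT_NAMES = {"ld", "temp.log"}


def match_rules(ev):
    """Return the names of the detection rules a single event triggers."""
    hits = []
    eid = ev.get("event_id")
    cmd = ev.get("cmdline", "")
    if eid == 5136 and "CN=Policies," in ev.get("object_dn", ""):
        hits.append("gpo_modified")
    if eid == 4688 and "powershell" in cmd.lower() and SYSVOL.search(cmd):
        hits.append("powershell_from_sysvol")
    target = ev.get("target", "")
    if eid == 11 and SYSVOL.search(target) \
            and os.path.basename(target.replace("\\", "/")).lower() in SUSPECT_NAMES:
        hits.append("sysvol_dropfile")
    if eid == 1102:
        hits.append("security_log_cleared")
    return hits


def hunt(events):
    """Map each host to the sorted set of rules it triggered; hosts with no hits are omitted."""
    per_host = {}
    for ev in events:
        for rule in match_rules(ev):
            per_host.setdefault(ev["host"], set()).add(rule)
    return {h: sorted(r) for h, r in per_host.items()}


def escalate(findings, threshold=3):
    """Hosts that hit at least `threshold` distinct stages of the chain warrant an incident."""
    return sorted(h for h, rules in findings.items() if len(rules) >= threshold)
```

In practice the GPO-modification hit on the domain controller and the per-workstation hits should be joined in the same investigation, since the GPO change is what seeds the logon script on every host.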
Source: https://www.bleepingcomputer.com/news/security/qilin-ransomware-now-steals-credentials-from-chrome-browsers/