The Qilin ransomware variant has been discovered to have successfully exfiltrated sensitive data stored in the Google Chrome browser.
In his writingResearchers from Sophos revealed how a criminal group used previously compromised credentials to breach the IT infrastructure of an unnamed organization. The credentials were for a Virtual Private Network (VPN) portal, which lacked multi-factor authentication (MFA) and as such was relatively easy to access.
It is unknown whether the initial breach was committed by an Initial Access Broker (IAB) and then handed over to the ransomware operators, or if it was all done by one organization.
Mass theft of login credentials
In any case, the group lingered for more than two weeks (18 days) before moving laterally to a domain controller with the compromised credentials. Although the bad guys were spotted on a single domain controller within their target’s Active Directory domain, other domain controllers in that AD domain were infected, the researchers concluded. However, they were affected in a different way.
Qilin is a classic ransomware operation that performs the usual double extortion attack: first stealing as much information as possible, before encrypting the compromised device and demanding payment in exchange for the decryption key. What makes this operation relatively unique, however, the researchers claim, is the way it attacks Google Chrome.
“During a recent investigation into a Qilin ransomware breach, the Sophos X-Ops team identified attacker activity leading to the mass theft of credentials stored in Google Chrome browsers on a subset of the network’s endpoints – a credential harvesting technique with potential implications far beyond the original victim’s organization,” the researchers explained. “This is an unusual tactic, and one that could provide a bonus multiplier to the chaos already inherent in ransomware situations.”
In other words, Qilin collects the credentials stored in Chrome browsers on machines connected to the same network as the originally hacked network.
Cybercriminals continue to evolve their tactics, Sophos concluded, stressing that organizations should rely more on password managers and ensure they enable MFA where possible to minimize the chance of becoming a victim.