The Qilin ransomware variant has been spotted successfully exfiltrating sensitive data stored in the Google Chrome browser.
In its writeup, researchers from Sophos revealed how a criminal group used previously compromised credentials to enter the IT infrastructure of an unnamed organization. The credentials were for a Virtual Private Network (VPN) portal, which lacked multi-factor authentication (MFA), and as such was relatively easy to access.
It is unknown if the initial breach was made by an Initial Access Broker (IAB) and then handed over to the ransomware operators, or if it was all done by a single organization.
En masse credential theft
In any case, the group dwelled for more than two weeks (18 days) before moving laterally to a domain controller using the compromised credentials. While the crooks were spotted on a single domain controller within their target’s Active Directory domain, other domain controllers in that AD domain were infected, the researchers concluded. They were, however, affected differently.
Qilin is a classic ransomware operation that engages in the usual double-extortion attack – it first steals as much information as possible, before encrypting the compromised device and asking for payment in exchange for the decryption key. However, what makes this operation relatively unique, the researchers claim, is the way it targets Google Chrome.
“During a recent investigation of a Qilin ransomware breach, the Sophos X-Ops team identified attacker activity leading to en masse theft of credentials stored in Google Chrome browsers on a subset of the network’s endpoints – a credential-harvesting technique with potential implications far beyond the original victim’s organization,” the researchers explained. “This is an unusual tactic, and one that could be a bonus multiplier for the chaos already inherent in ransomware situations.”
In other words, Qilin would harvest the credentials saved in Chrome browsers on machines connected to the same network as the initially compromised one.
Cybercriminals continue to evolve their tactics, Sophos concluded, stressing that organizations need to rely on password managers more, and make sure to enable MFA wherever possible, to minimize the chances of falling prey.
