CyberSecurity SEE

Qilin Ransomware Enhancements Lead to Theft of Google Chrome Credentials

In a recent discovery by cybersecurity researchers at Sophos, the Qilin ransomware gang has evolved its tactics to target Google Chrome credentials, marking a significant shift in their attack arsenal. This new development raises concerns about the potential consequences for organizations and emphasizes the importance of robust security measures to protect against such threats.

The Sophos X-Ops team uncovered this development while investigating the Synnovis breach, where the attackers were found to have stolen credentials stored in Google Chrome browsers on a subset of the network’s endpoints. The finding follows the ransomware attack on Synnovis, an outsourced lab service provider for NHS hospitals in South-East London, on June 3, 2024. The Qilin gang targeted the organization, claimed to have stolen hospital and patient data, and demanded a hefty ransom. After negotiations failed, the gang publicly leaked the exfiltrated data, a “double extortion” pressure tactic of the kind described in Sophos’s “Turning the Screws” research.

The targeting of Google Chrome credentials by the Qilin ransomware gang poses a significant threat due to the browser’s widespread use, occupying around 65% of the market share. With compromised credentials, attackers can potentially access sensitive information such as financial accounts, emails, cloud storage, or business applications, posing a serious risk to organizations.

The Sophos IR team observed this activity in July 2024 on a single domain controller within the target’s Active Directory domain, and expects similar activity on other domain controllers in the future. Analysis of the attack revealed a calculated approach: initial access came through compromised VPN credentials, possibly purchased from an Initial Access Broker (IAB), after which the attackers remained dormant for 18 days. That dormancy period gave them time to map the network, identify critical assets, and plan their next move.

The use of a custom stealer built to harvest credentials from Google Chrome shows the sophistication of the Qilin operation. Once the attackers gain a foothold, they deploy Group Policy Objects (GPOs) so that the credential theft runs automatically on endpoints across the network, extending the reach of the attack with little additional effort. The consequences of a successful compromise are significant: defenders must reset every Active Directory password and potentially hundreds of third-party site passwords that end-users had saved in Chrome.
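The pattern above, a Group Policy change followed shortly by non-browser processes on many endpoints reading Chrome’s saved-password store, is something a defender can hunt for in telemetry. The following is an added detection example written for this page; it is not Sophos’s tooling or anything from the Qilin operation. The sample events are constructed, the pipe-delimited log format and field names are assumptions, and “FileRead” stands in for whatever file-access event an EDR emits. Two details are real: Windows Security event ID 5136 records a modified directory object (a `groupPolicyContainer` object when a GPO changes), and Chrome stores saved logins in an SQLite file named “Login Data” under the user profile.

```python
"""Correlate a GPO modification with subsequent non-browser reads of Chrome's
"Login Data" file across several hosts (added example; constructed telemetry)."""
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Chrome's saved-password database lives at
# %LOCALAPPDATA%\Google\Chrome\User Data\<profile>\Login Data (documented Chrome fact).
LOGIN_DATA_RE = re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.IGNORECASE)
# Processes that are expected to open that file legitimately.
BROWSER_PROCESSES = {"chrome.exe"}

# Constructed sample telemetry, not from the article or Sophos.
# Format (assumed): ISO timestamp|host|event|key=value;key=value
# 5136 mirrors the Windows "directory service object modified" event;
# 4688 is process creation; FileRead is a stand-in EDR file-access event.
SAMPLE_LOG = r"""
2024-07-18T09:58:10|DC01|5136|ObjectClass=groupPolicyContainer;Subject=CORP\admin-svc;Attribute=gPCFileSysPath
2024-07-18T10:02:31|WS042|4688|NewProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe;ParentProcessName=C:\Windows\System32\gpscript.exe
2024-07-18T10:02:33|WS042|FileRead|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe;TargetFilename=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2024-07-18T10:02:40|WS017|FileRead|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe;TargetFilename=C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data
2024-07-18T10:05:12|WS099|FileRead|Image=C:\Program Files\Google\Chrome\Application\chrome.exe;TargetFilename=C:\Users\carol\AppData\Local\Google\Chrome\User Data\Default\Login Data
2024-07-18T11:30:00|WS023|FileRead|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe;TargetFilename=C:\Users\dave\AppData\Local\Temp\report.txt
"""


def parse_line(line):
    """Split one telemetry line into timestamp, host, event type and a field dict."""
    ts, host, event, raw = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in raw.split(";") if "=" in kv)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, "fields": fields}


def is_gpo_change(ev):
    """True for a 5136 event that modified a Group Policy object."""
    return ev["event"] == "5136" and ev["fields"].get("ObjectClass") == "groupPolicyContainer"


def is_foreign_login_data_read(ev):
    """True when something other than the browser itself reads Chrome's Login Data."""
    if ev["event"] != "FileRead":
        return False
    target = ev["fields"].get("TargetFilename", "")
    image = PureWindowsPath(ev["fields"].get("Image", "")).name.lower()
    return bool(LOGIN_DATA_RE.search(target)) and image not in BROWSER_PROCESSES


def detect(log_text, window_hours=24, min_hosts=2):
    """Return one alert per GPO change that is followed, within the window,
    by foreign Login Data reads on at least min_hosts distinct hosts."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    reads = [e for e in events if is_foreign_login_data_read(e)]
    alerts = []
    for gpo in filter(is_gpo_change, events):
        deadline = gpo["ts"] + timedelta(hours=window_hours)
        related = [r for r in reads if gpo["ts"] <= r["ts"] <= deadline]
        hosts = sorted({r["host"] for r in related})
        if len(hosts) >= min_hosts:
            alerts.append({
                "gpo_changed_at": gpo["ts"].isoformat(),
                "gpo_changed_by": gpo["fields"].get("Subject"),
                "hosts": hosts,
                "processes": sorted({PureWindowsPath(r["fields"]["Image"]).name.lower()
                                     for r in related}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this raises a single alert naming the two workstations where PowerShell, not Chrome, opened the password database shortly after the GPO change; the read by chrome.exe on WS099 and the unrelated Temp file on WS023 are ignored. The host threshold is the point of the rule: one endpoint touching its own Login Data may be a backup or migration tool, but the same non-browser process doing it on many machines right after a policy change matches the GPO-driven rollout the article describes.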

Qilin ransomware, which first appeared in October 2022, has quickly gained notoriety for its Ransomware-as-a-Service (RaaS) model, offering its malicious tools to other cybercriminals. Believed to be linked to Russia-based threat actors, the gang has targeted various industries, including street newspapers, automotive parts giants, and Australian court services, highlighting the diverse range of targets.

The evolving tactics of Qilin ransomware underscore the importance of continuous threat monitoring and the adaptation of security strategies by organizations. Measures such as implementing multi-factor authentication (MFA) on remote access solutions, using robust endpoint security solutions, regularly backing up data, and patching all network systems are crucial to mitigating the risk of such attacks.

In conclusion, the discovery of Qilin ransomware targeting Google Chrome credentials represents a concerning development in the cyber threat landscape. Organizations must be vigilant and proactive in implementing security measures to protect against evolving ransomware tactics and safeguard their sensitive information from malicious actors.
