In a recent investigation of a Qilin ransomware breach, the Sophos X-Ops team uncovered a concerning tactic employed by the attackers. They found that the attackers were stealing credentials stored in Google Chrome browsers on a subset of the network’s endpoints, a method that could have far-reaching implications beyond just the initial victim’s organization.
The Qilin ransomware group, which has been operating for over two years, gained notoriety in June 2024 for their attack on Synnovis, a governmental service provider to UK healthcare providers. Typically, Qilin attacks involve “double extortion,” where they steal data, encrypt systems, and threaten to reveal or sell the stolen data unless a ransom is paid.
The activity observed by the Sophos IR team in July 2024 occurred on a single domain controller within the target’s Active Directory domain. The attackers gained initial access to the environment through compromised credentials, highlighting the importance of implementing multifactor authentication (MFA) on VPN portals.
After an eighteen-day dwell time, the attackers escalated their activity by moving laterally to a domain controller and introducing a logon-based Group Policy Object (GPO) containing scripts to harvest credentials stored in Chrome browsers on connected machines. Because the script was attached to a logon GPO, it ran each time a user logged in to a machine the policy applied to.
The harvested credentials were stored in files on the domain’s SYSVOL share; the attackers later deleted that evidence and encrypted files on the affected machines. They left behind ransom notes and used a GPO to create a scheduled task that downloaded and executed the ransomware.
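The three artifacts described above (a new or modified GPO, a logon script and GPO-deployed scheduled task under SYSVOL\Policies, and output files dropped into SYSVOL) can all be inventoried from a domain-joined host. The following PowerShell is an added defensive example, not code from Sophos or from the report; it assumes the RSAT GroupPolicy module is installed, that the host can read the domain's SYSVOL share, and that the `-Days` window and the `$expected` extension list are tuned to the environment. The function name `Find-SysvolGpoChanges` is my own.

```powershell
# Added example (not from the Sophos report). Assumes a domain-joined host with
# the RSAT GroupPolicy module and read access to \\<domain>\SYSVOL.
function Find-SysvolGpoChanges {
    param(
        [int]$Days = 30,                       # look-back window, an assumption
        [string]$Domain = $env:USERDNSDOMAIN   # DNS name of the current domain
    )
    Import-Module GroupPolicy -ErrorAction Stop
    $cutoff   = (Get-Date).AddDays(-$Days)
    $sysvol   = "\\$Domain\SYSVOL\$Domain"
    $policies = Join-Path $sysvol 'Policies'

    # Map each {GUID} policy folder to its GPO object so output is readable.
    $gpoByGuid = @{}
    foreach ($g in Get-GPO -All -Domain $Domain) {
        $gpoByGuid["{$($g.Id.ToString().ToUpper())}"] = $g
    }
    # Resolve a SYSVOL path back to the owning GPO's display name.
    function Resolve-Gpo([string]$path) {
        if ($path -match '\{[0-9A-F-]{36}\}') {
            $g = $gpoByGuid[$Matches[0].ToUpper()]
            if ($g) { return $g.DisplayName }
        }
        return '(none)'
    }

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. GPOs modified inside the window; a freshly introduced logon-script GPO lands here.
    foreach ($g in ($gpoByGuid.Values | Where-Object { $_.ModificationTime -ge $cutoff })) {
        $findings.Add([pscustomobject]@{ Kind='GPO modified'; GPO=$g.DisplayName
            Path="{$($g.Id)}"; When=$g.ModificationTime; Detail=$g.GpoStatus })
    }

    # 2. Logon/startup scripts: <GUID>\User\Scripts\Logon and <GUID>\Machine\Scripts\Startup.
    Get-ChildItem -Path $policies -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -match '\\Scripts\\' -and $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{ Kind='Script changed'; GPO=(Resolve-Gpo $_.FullName)
                Path=$_.FullName; When=$_.LastWriteTime; Detail=("{0} bytes" -f $_.Length) })
        }

    # 3. Scheduled tasks pushed by Group Policy Preferences (ScheduledTasks.xml).
    Get-ChildItem -Path $policies -Recurse -File -Filter 'ScheduledTasks.xml' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            [xml]$doc = Get-Content -Path $file.FullName -Raw
            foreach ($task in $doc.ScheduledTasks.ChildNodes) {
                if ($task.NodeType -ne 'Element') { continue }
                # Older <Task> entries carry appName/args attributes; <TaskV2> nests an <Exec> block.
                $cmd = $task.Properties.appName
                if (-not $cmd) {
                    $cmd = ($task.SelectNodes('.//*[local-name()="Command"]') |
                            ForEach-Object { $_.InnerText }) -join ' '
                }
                $taskArgs = $task.Properties.args
                if (-not $taskArgs) {
                    $taskArgs = ($task.SelectNodes('.//*[local-name()="Arguments"]') |
                                 ForEach-Object { $_.InnerText }) -join ' '
                }
                $findings.Add([pscustomobject]@{ Kind='GPP scheduled task'; GPO=(Resolve-Gpo $file.FullName)
                    Path=$file.FullName; When=$file.LastWriteTime
                    Detail="$($task.GetAttribute('name')): $cmd $taskArgs" })
            }
        }

    # 4. Recently written files anywhere in SYSVOL that are not normal policy artifacts.
    #    Output dropped there by a logon script would show up in this list.
    $expected = '.ini','.pol','.xml','.adm','.admx','.adml','.inf','.cmtx',
                '.ps1','.bat','.cmd','.vbs','.js','.aas','.msi'
    Get-ChildItem -Path $sysvol -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff -and $expected -notcontains $_.Extension.ToLower() } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{ Kind='Unexpected file'; GPO=(Resolve-Gpo $_.FullName)
                Path=$_.FullName; When=$_.LastWriteTime; Detail=("{0} bytes" -f $_.Length) })
        }

    return $findings | Sort-Object When -Descending
}

# Usage: review the last 30 days of SYSVOL and GPO changes as a table.
Find-SysvolGpoChanges -Days 30 | Format-Table Kind, GPO, When, Path -AutoSize
```

Run it from a host with GPO read rights and compare the output against the change records for the same period; any logon script, preference-defined scheduled task or non-policy file that nobody can account for is worth pulling for review, and the GPO names in the `GPO` column tell you which policy to unlink first while you investigate.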
The impact of this attack is significant, as Chrome browsers are widely used, making them a target-rich environment for password harvesting. Defenders must not only change Active Directory passwords but also consider the implications for users who may have saved numerous passwords in their browsers.
The attackers’ decision to target credentials stored on endpoints represents a dangerous shift in tactics that could have far-reaching consequences. Organizations and individuals are urged to use password managers that employ industry best practices, implement MFA, and regularly test their security measures to mitigate such threats.
The Sophos team’s response and remediation recommendations emphasize the importance of proactive security measures, such as MFA adoption and the use of secure password managers. They also provide tools like their Powershell.01 query to help identify suspicious activities and offer guidance on detecting and combating Qilin ransomware.
Overall, the Qilin ransomware breach underscores the evolving nature of cyber threats and the need for robust security practices to protect against malicious actors. By staying vigilant and implementing best practices, organizations can safeguard their data and networks from such attacks in the future.