Qilin, the Russia-linked cybercrime group thought to be behind the June attacks that caused chaos at a number of U.K. hospitals, has now been caught stealing credentials stored within Google Chrome browsers, a surprise new twist to the ransomware threat.
Although ransomware is not only a long-established but also increasingly costly threat to organizations, Qilin is a relatively new player in the nasty cybercrime game. Running a Ransomware-as-a-Service criminal operation, Qilin is known to date back only as far as October 2022. Researchers from the Sophos X-Ops team have now analyzed a recent attack by the Qilin operators and discovered a new and unusual tactic which they describe as providing “a bonus multiplier for the chaos already inherent in ransomware situations.” That tactic is the simultaneous theft of credentials from Google Chrome browsers found on a subset of the victim network’s endpoints, extending the potential reach of the attack beyond the original target.
The Sophos X-Ops Team Qilin Attack Analysis
The attack that the Sophos researchers analyzed took place in July 2024, after the London hospitals incident, but the victim has not been named. What we do know is that Qilin used compromised credentials to access a VPN portal that was not protected by multi-factor authentication. It is highly likely that these credentials were obtained from an initial access broker, a threat actor who obtains such access and sells it to ransomware groups through dark-web marketplaces. An 18-day period of no activity followed the initial access, which strengthens the initial access broker theory.
“Although Qilin’s attack might be new, the initial access vector is not,” Paul Bischoff, consumer privacy advocate at Comparitech, said. “You don’t need a new sophisticated way to prevent the attack; just secure your VPN using two-factor authentication.”
After the extended dwell period, however, the attackers were seen to move laterally in order to compromise a domain controller and edit the domain policy to include a script that would attempt to harvest credentials stored within a Chrome browser, alongside another that contained the commands to execute it. “This combination resulted in harvesting of credentials saved in Chrome browsers on machines connected to the network,” the researchers said, and the nature of the scripts in the group policy meant “they would execute on each client machine as it logged in.”
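Because the harvesting scripts were delivered through Group Policy, the defender's natural audit point is the SYSVOL share where logon scripts live. The following is an added example, not code from Sophos or from the article, that walks a SYSVOL-style directory tree and flags logon scripts matching two or more generic indicators of browser-credential access (hidden PowerShell launches, references to Chrome's profile store, DPAPI calls). The directory layout, the indicator list and the two sample scripts are all assumptions constructed for the demonstration; the exact scripts Qilin used are not on the page.

```python
"""Audit Group Policy logon scripts in a SYSVOL tree for browser-credential indicators.

Added example, not part of the Sophos analysis or the original article. It assumes a
SYSVOL-like layout (<root>/<domain>/Policies/<GUID>/.../Scripts/...) and constructs
two sample scripts in a temporary directory so it runs offline.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import List

# Generic, defender-side indicators (assumed/typical, not taken from the page).
# A single hit is noisy; the scanner requires at least two to raise a finding.
INDICATORS = {
    "chrome_login_db": re.compile(r"Login Data", re.IGNORECASE),
    "chrome_local_state": re.compile(r"Local State", re.IGNORECASE),
    "chrome_user_data": re.compile(r"Google\\Chrome\\User Data", re.IGNORECASE),
    "dpapi_unprotect": re.compile(r"CryptUnprotectData|Unprotect\(", re.IGNORECASE),
    "hidden_powershell": re.compile(r"-w(?:indowstyle)?\s+hidden|-enc(?:odedcommand)?", re.IGNORECASE),
}

SCRIPT_EXTENSIONS = {".ps1", ".bat", ".cmd", ".vbs", ".js"}


@dataclass
class Finding:
    path: str
    indicators: List[str] = field(default_factory=list)


def scan_sysvol_scripts(root: str) -> List[Finding]:
    """Walk the tree and flag scripts under any Scripts\\ folder matching >= 2 indicators."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        if "scripts" not in {p.lower() for p in dirpath.split(os.sep)}:
            continue
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            hits = [key for key, rx in INDICATORS.items() if rx.search(text)]
            if len(hits) >= 2:
                findings.append(Finding(full, hits))
    return findings


# Constructed sample logon scripts (hypothetical; neither is a real admin or attacker script).
BENIGN_LOGON = r"""@echo off
REM Maps the user's home drive at logon
net use H: \\fileserver\home\%USERNAME% /persistent:no
"""

SUSPICIOUS_LOGON = r"""@echo off
REM Hidden PowerShell launch plus references to Chrome's saved-password store
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File %~dp0collect.ps1
REM collect.ps1 reads "%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data"
"""


def build_sample_sysvol() -> str:
    """Create a throwaway SYSVOL-style tree with one benign and one suspicious GPO script."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    base = os.path.join(root, "corp.example", "Policies")
    good = os.path.join(base, "{GUID-GOOD}", "User", "Scripts", "Logon")
    bad = os.path.join(base, "{GUID-BAD}", "User", "Scripts", "Logon")
    os.makedirs(good)
    os.makedirs(bad)
    with open(os.path.join(good, "mapdrive.bat"), "w", encoding="utf-8") as fh:
        fh.write(BENIGN_LOGON)
    with open(os.path.join(bad, "update.bat"), "w", encoding="utf-8") as fh:
        fh.write(SUSPICIOUS_LOGON)
    return root


def demo() -> List[Finding]:
    """Build the sample tree, scan it and print any findings."""
    findings = scan_sysvol_scripts(build_sample_sysvol())
    for f in findings:
        print(f"FLAG {f.path}: {', '.join(f.indicators)}")
    return findings


if __name__ == "__main__":
    demo()
```

Run against a real domain by pointing `scan_sysvol_scripts` at a mounted copy of the SYSVOL share; the two-indicator threshold keeps ordinary drive-mapping or printer scripts from being flagged. A script audit only catches what is already in place, so pair it with change monitoring on Group Policy objects themselves (for example, alerting on directory-service object modifications to GPO containers), since the attack described above began with an edit to the domain policy rather than with the script content.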
Targeting Chrome Credentials Is A Dark New Chapter In The Ransomware Story
It’s not that surprising that Qilin has targeted Chrome browser credentials, given that Chrome accounts for a 65% slice of the browser market and Sophos researchers suggest that an average of 87 work-related passwords and twice that for personal ones are stored per machine. No, what’s surprising is that ransomware groups are only now apparently looking to leverage this treasure trove of credentials in such a way.
“The attackers clearly understood the value of the credentials being stored in Chrome and took sophisticated steps to deploy malware across the organisation,” Glenn Chisholm, chief product officer at Obsidian Security, said. “Beyond the ransomware tactics, this would give the attackers broad access to any application where credentials have been stored.”
If Qilin, or any other ransomware groups for that matter, opt to mine for endpoint-stored credentials in future attacks, this could “provide a foot in the door at a subsequent target, or troves of information about high-value targets to be exploited by other means,” the Sophos researchers said, and mean “a dark new chapter may have opened in the ongoing story of cybercrime.”