Updated 08/27 with additional ransomware threat information from Sophos X-Ops
Qilin, the Russia-linked cybercrime group thought to be behind the June attacks that caused chaos at a number of U.K. hospitals, has now been caught stealing credentials saved in Google Chrome browsers, a surprise new twist in the ransomware threat.
Although ransomware is a long-established and increasingly costly threat to organizations, Qilin is a relatively new player in the nasty cybercrime game. Running a ransomware-as-a-service operation, Qilin is known to date back only as far as October 2022. Researchers from the Sophos X-Ops team have now analyzed a recent attack by the Qilin operators and discovered a new and unusual tactic, which they describe as providing “a bonus multiplier for the chaos already inherent in ransomware situations”: the simultaneous theft of credentials from Google Chrome browsers on a subset of the victim network’s endpoints, extending the potential reach of the attack well beyond the original target.
The Sophos X-Ops Team Qilin Attack Analysis
The attack that the Sophos researchers analyzed took place in July 2024, after the London hospitals incident, but the victim has not been named. What is known is that Qilin used compromised credentials to access a VPN portal that was not protected by multi-factor authentication. It is highly likely that these credentials were bought from an initial access broker, a threat actor who obtains footholds in victim networks and sells them to ransomware groups through dark-web marketplaces. The 18-day period of inactivity that followed the initial access supports this theory, as it is consistent with a hand-off from a broker to the ransomware operators.
“Although Qilin’s attack might be new, the initial access vector is not,” Paul Bischoff, consumer privacy advocate at Comparitech, said, “You don’t need a new sophisticated way to prevent the attack; just secure your VPN using two-factor authentication.”
After the extended dwell period, however, the attackers were seen to move laterally in order to compromise a domain controller and edit the domain policy to include a script that would attempt to harvest credentials stored in the Chrome browser, alongside another that contained the commands to execute it. “This combination resulted in harvesting of credentials saved in Chrome browsers on machines connected to the network,” the researchers said, and the nature of the scripts in the group policy meant “they would execute on each client machine as it logged in.” The logon timing is what makes the approach work: Chrome protects saved passwords with Windows DPAPI keys bound to the user’s account, so a script running inside that user’s own session can have the operating system decrypt them, with no password cracking required.
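The attack chain the researchers describe leaves two footprints a defender can hunt for: a script host started from a Group Policy script share at logon, and a process other than Chrome opening the browser’s credential store. The following is an added example, not code from this article or from Sophos X-Ops, that checks both over a handful of constructed sample events. The event fields (Image, CommandLine, ParentCommandLine, ObjectName, ProcessName) mimic Sysmon process-creation and Windows file-access audit records; the domain corp.example, the user alice, the script names and the all-zero policy GUID are placeholders.

```python
from __future__ import annotations

import json
import re

# Chrome keeps saved logins in the SQLite file "Login Data" inside each profile and
# the DPAPI-wrapped key that protects them in "Local State", one level up.
CHROME_CRED_FILES = re.compile(
    r"\\Google\\Chrome\\User Data\\(?:.*\\)?(Login Data|Local State)$", re.IGNORECASE
)
# Only the browser itself should normally open those files.
BROWSER_IMAGES = {"chrome.exe"}
# Script hosts a Group Policy logon script would use to run its payload.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Group Policy scripts are served from \\<domain>\SYSVOL\<domain>\Policies\{GUID}\...\Scripts\
GPO_SCRIPT_PATH = re.compile(r"\\\\[^\\]+\\SYSVOL\\.*\\Policies\\.*\\Scripts\\", re.IGNORECASE)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_file_access(event: dict) -> str | None:
    """Flag a process other than the browser opening Chrome's credential store."""
    obj = event.get("ObjectName", "")
    proc = _base(event.get("ProcessName", ""))
    if CHROME_CRED_FILES.search(obj) and proc not in BROWSER_IMAGES:
        return f"{proc} opened Chrome credential file {obj} as {event.get('SubjectUserName')}"
    return None


def check_process_create(event: dict) -> str | None:
    """Flag a script host launched from, or by, a Group Policy script at logon."""
    image = _base(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    parent_cmd = event.get("ParentCommandLine", "")
    if image in SCRIPT_HOSTS and (GPO_SCRIPT_PATH.search(cmd) or GPO_SCRIPT_PATH.search(parent_cmd)):
        return f"{image} running under a GPO script: {cmd}"
    return None


CHECKS = {"ProcessCreate": check_process_create, "FileAccess": check_file_access}


def hunt(lines) -> list[str]:
    """Run the checks over newline-delimited JSON events and return the findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        check = CHECKS.get(event.get("EventType"))
        hit = check(event) if check else None
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry (not real logs): one benign browser start and read,
# then a logon-script chain and the credential-file reads it would produce.
SAMPLE_EVENTS = r"""
{"EventType": "ProcessCreate", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "chrome.exe", "ParentCommandLine": "C:\\Windows\\explorer.exe"}
{"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c \\\\corp.example\\SYSVOL\\corp.example\\Policies\\{00000000-0000-0000-0000-000000000000}\\User\\Scripts\\Logon\\logon.bat", "ParentCommandLine": "gpscript.exe /Logon"}
{"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File collect.ps1", "ParentCommandLine": "cmd.exe /c \\\\corp.example\\SYSVOL\\corp.example\\Policies\\{00000000-0000-0000-0000-000000000000}\\User\\Scripts\\Logon\\logon.bat"}
{"EventType": "FileAccess", "ProcessName": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ObjectName": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data", "SubjectUserName": "alice"}
{"EventType": "FileAccess", "ProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ObjectName": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data", "SubjectUserName": "alice"}
{"EventType": "FileAccess", "ProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ObjectName": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State", "SubjectUserName": "alice"}
"""

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

Both checks are starting points for a hunt rather than alerts in their own right. Group Policy logon scripts are common in legitimate environments, so the first needs baselining against the scripts an organization knowingly deploys, and the second only sees anything if file-read telemetry exists in the first place, for example an audit SACL on the profile folder producing event 4663, or equivalent EDR file-access events.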
Targeting Chrome Credentials Is A Dark New Chapter In The Ransomware Story
It’s not that surprising that Qilin has targeted Chrome browser credentials: Chrome accounts for a 65% slice of the browser market, and Sophos researchers cite figures suggesting that an average of 87 work-related passwords, and roughly twice that many personal ones, are stored per machine. No, what’s surprising is that ransomware groups are only now apparently looking to leverage this treasure trove of credentials in such a way.
“The attackers clearly understood the value of the credentials being stored in Chrome and took sophisticated steps to deploy malware across the organisation,” Glenn Chisholm, chief product officer at Obsidian Security, said. “Beyond the ransomware tactics, this would give the attackers broad access to any application where credentials have been stored.”
If Qilin, or any other ransomware groups for that matter, opt to mine for endpoint-stored credentials in future attacks, this could “provide a foot in the door at a subsequent target, or troves of information about high-value targets to be exploited by other means,” the Sophos researchers said, and mean “a dark new chapter may have opened in the ongoing story of cybercrime.”
A Novel Initial Access Ransomware Threat You Should Also Be Aware Of
A separate Sophos X-Ops incident response investigation has revealed a different ransomware group, Mad Liberator, also using a novel threat tactic. The X-Ops threat researchers discovered that the cybercriminal outfit, which first appeared in July, has been using an initial access tactic for victim environment penetration that’s far from the norm. At first glance, you’d be forgiven for thinking there’s nothing unusual about a ransomware group, or any malicious actor for that matter, using a combination of social engineering and remote access tools as part of attack methodology. The devil, however, is in the detail.
While the ransomware group followed something of an attack playbook by using remote access tools such as AnyDesk to gain control of a victim’s device, it did not follow the usual phishing or social engineering approach to get the victim to install the tool in the first place. Indeed, Sophos X-Ops said its researchers were unable to find any indication of contact between the attacker and the victim before the unsolicited AnyDesk connection request was sent.
The initial access methodology followed this four-step process:
- A connection request is sent and the victim sees a pop-up asking them to authorize the connection. Nothing too suspicious if the organization uses the remote tool as part of its technical support flow.
- Once the connection is established, the attacker sends a file disguised as a Windows Update to the device while simultaneously disabling keyboard and mouse input so the victim cannot interfere with the background binary upload.
- The victim’s OneDrive account is then accessed and company files exfiltrated.
- A ransom note is distributed across the network disclosing the theft and required steps to prevent deletion and distribution of the stolen data.