Qilin ransomware steals information from Google Chrome

August 26, 2024

The notorious Qilin ransomware operation has employed a novel technique that deploys an information stealer to harvest account credentials stored in Chrome.

According to reports, the operation began once the ransomware operators acquired network access using compromised credentials for a VPN gateway that lacked MFA. The intruders then remained dormant for 18 days, which suggests that the attackers purchased their access to the network from an initial access broker.

However, this dormancy could indicate that Qilin used the time to map the infected network, identify assets, and run reconnaissance operations.

After the first 18 days, the attackers moved to a domain controller and changed Group Policy Objects to execute a PowerShell script on all PCs linked to the domain network. The script, run via a batch script included in the GPO, was intended to harvest credentials stored in Google Chrome.

In addition, the batch script was set to run every time a user logged into their workstation, and the stolen credentials were saved to the SYSVOL share as ‘LD’ or ‘temp.log’ before being exfiltrated.

Once the files had been sent to Qilin’s C2 server, the attack process deleted the local copies and the related event logs to disguise the malicious activity. Eventually, the attackers installed the ransomware payload and encrypted the data on the affected PCs.
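A defender’s view of that chain, as an added example that is not taken from the article or the researchers’ report: a small Python detector run over constructed Windows Security and Sysmon events (the host names, paths and command line are assumptions) that flags a host where PowerShell was launched from a SYSVOL path and, on the same host, an ‘LD’ or ‘temp.log’ file landed in SYSVOL or the Security log was cleared.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry), modelled on the chain described above:
# a GPO-delivered batch file launches PowerShell at logon (Security 4688), a file named
# LD / temp.log is created under SYSVOL (Sysmon 11), and the Security log is cleared (1102).
SAMPLE_EVENTS = [
    {"id": 4688, "host": "WS01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File \\corp.example\SYSVOL\corp.example\scripts\logon.ps1"},
    {"id": 11, "host": "WS01",
     "target": r"\\corp.example\SYSVOL\corp.example\scripts\temp.log"},
    {"id": 1102, "host": "WS01"},
    {"id": 4688, "host": "WS02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Matches a UNC path into any domain's SYSVOL share, e.g. \\corp.example\SYSVOL\...
SYSVOL_RE = re.compile(r"\\\\[^\\]+\\SYSVOL\\", re.IGNORECASE)
# File names the article reports for the harvested credential dumps.
LOOT_NAMES = {"ld", "temp.log"}


def classify(ev):
    """Map one event to a signal name, or None if it carries no signal."""
    if ev["id"] == 4688 and ev["image"].lower().endswith("powershell.exe") \
            and SYSVOL_RE.search(ev.get("cmdline", "")):
        return "powershell_from_sysvol"
    if ev["id"] == 11 and SYSVOL_RE.search(ev["target"]) \
            and ev["target"].rsplit("\\", 1)[-1].lower() in LOOT_NAMES:
        return "loot_file_in_sysvol"
    if ev["id"] == 1102:
        return "security_log_cleared"
    return None


def detect(events):
    """Return {host: [signals]} for hosts where PowerShell ran from SYSVOL
    and at least one of the other two signals also fired."""
    signals = defaultdict(set)
    for ev in events:
        s = classify(ev)
        if s:
            signals[ev["host"]].add(s)
    return {h: sorted(s) for h, s in signals.items()
            if "powershell_from_sysvol" in s and len(s) >= 2}


if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Requiring the PowerShell signal plus a second one keeps a legitimate logon script alone from firing while still catching the combination the article describes.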


The Qilin ransomware group’s new tactic is a significant threat to credentials saved on browsers.


Researchers explained that the Qilin ransomware gang’s method of targeting Chrome credentials sets a new strategy that may challenge the conventional protection mechanics against ransomware attacks.

Since the GPO is applied to all devices in the domain, the credential harvesting procedure affected every device a user logged into. This detail means that the script could steal credentials from any workstation in a company as long as it was linked to the domain and had users logged in during the script’s active period.

Such massive credential theft campaigns could also facilitate follow-up attacks, resulting in widespread breaches across various platforms and services. They would also make response operations significantly more complex and pose a long-term threat.

However, organisations can mitigate the effects of this danger by implementing solid policies that prohibit the storage of confidential details on web browsers. Lastly, users and organisations should employ multi-factor authentication to prevent account hijacking.
