The cyber criminal Qilin ransomware gang seems to be upping the stakes in its ransomware attacks, stealing not just their victims’ data, but harvesting credentials stored within. Google Chrome browsers on their endpoints, something that has never been observed before.
Described as a “bonus multiplier for the chaos already inherent in ransomware situations” by the Sophos X-Ops research team that first uncovered the novel technique, the wholesale theft of credentials that employees have innocently stored in their work browsers under the impression that they will be safe is of grave concern. Indeed, the implications could reach far beyond just the targeted organization.
Qilin, which most famously attacked pathology lab services provider Synnovis in June 2024, causing chaos across the NHS in London, had previously used the standard double extortion technique, but in July 2024, Sophos’ incident responders spotted weird activity on a single domain controller within a victim’s Active Directory domain.
The gang first obtained access via compromised credentials taken from a VPN portal that lacked multifactor authentication (MFA). Then, 18 days later, its operatives started to conduct lateral movement to a domain controller, where they edited the default domain policy to introduce a logon-based Group Policy Object (GPO).
Th first of these was a PowerShell script that was written to a temporary directory within the shared NTFS directory on the domain controller. This 19-line script attempted to harvest credential data stored within Chrome. The second item was a batch script that contained the commands to execute the first. The combo resulted in the exfiltration of credentials saved on machines connected to the network, and because the two scripts were contained in a logon GPO, they were able to execute on every client when it logged in.
The X-Ops team said Qilin’s operatives seemed so confident this would not be noticed that they left the GPO active for three days – plenty of time for the majority of users to logon to their devices and inadvertently trigger the script. Additionally, once the files containing the credential data were gone, Qilin deleted all the files and cleared the event logs for both the domain controller and the user devices. Only then did they start to encrypt the victim’s files and drop their ransom note.
The research team, comprising Sophos’ Lee Kirkpatrick, Paul Jacobs, Harshal Gosalia and Robert Weiland, said it was only natural that Qilin had targeted Chrome in this way – it holds a majority share of the browser market and according to an April 2024 NordPass surveythe average user has almost 90 work-related passwords, not to mention personal ones, to manage.
!A successful compromise of this sort would mean that not only must defenders change all Active Directory passwords; they should also, in theory, request that end users change their passwords for dozens, potentially hundreds, of third-party sites for which the users have saved their username-password combinations in the Chrome browser,” the team wrote.
“The defenders of course would have no way of making users do that. As for the end-user experience, though virtually every internet user at this point has received at least one ‘your information has been breached’notice from a site that has lost control of their users’ data, in this situation it’s reversed – one user , dozens or hundreds of separate breaches.”
Ransomware gangs are of course known to continuously change up their tactics, techniques and procedures (TTPs) and are – unfortunately – competent innovators when it comes to expanding their repertoire.
In this light, said the X-Ops team, that Qilin would look to change things up having been active for around two years was entirely predictable. However, they concluded, if they are now mining for endpoint-stored credentials, they and others could much more easily get their feet in the door at follow-on targets, or gain useful information on individuals of interest for targeted spear-phishing attacks.
“A dark new chapter may have opened in the ongoing story of cyber crime,” the team said.
What do I do now?
Google touts its Password Manager service as an “effortless” way to help users sign into sites and apps across devices without needing to remember or reuse passwords. The feature is built into Chrome on all platforms, and in every Android application as well.
However, browser-based password managers are far from the last word in security, and are often found to be at risk. Although doing so adds more friction for users, best practice is to use a password manager application, taking care to select one that follows industry best practices for development, and has been tested and assured by a third-party.
In the attack chain described by the X-Ops team, MFA would have been an effective preventative measure as it would have likely prevented Qilin from ever gaining access to any of the victim’s systems. The good news is that MFA use is rising among businesses, but adoption levels still drop off dramatically among SMEs.
“Speaking bluntly, businesses must do better, for their own safety – and in this case, the safety of other companies as well,” the team concluded.
Computer Weekly contacted Google for comment, but had not received a response at the time of publication.