Friday, January 2, 2026

Qilin’s New Tactics Enhance Ransomware Chaos with ‘Bonus Multiplier’

The Qilin ransomware gang is stepping up its attacks: as well as stealing victims’ data, it is now harvesting credentials stored in Google Chrome browsers on victims’ endpoints. The technique has not been seen before and has raised concerns among security experts.

Qilin, known for attacking Synnovis in June 2024, had previously used the double extortion technique. In July 2024, however, Sophos’ incident responders discovered unusual activity in a victim’s Active Directory domain. The gang gained access using compromised credentials for a VPN portal that had no MFA, then moved to a domain controller, where it introduced a logon-based GPO to steal credential data stored in Chrome.

The Sophos X-Ops team revealed that Qilin left the GPO active for three days so that most users would inadvertently trigger the script. Once the files were exfiltrated, Qilin deleted them and cleared event logs before encrypting files and dropping a ransom note.
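A defender-side sketch of how the sequence described above could be detected, as an added example that is not from Sophos or the original article: it flags Windows event 5136 changes that put the Scripts extension on a GPO, and raises the severity of log-clear events (1102, 104) that follow within an assumed seven-day window. The record field names, sample events and window are constructed assumptions.

```python
from datetime import datetime, timedelta

# GUID of the Scripts client-side extension; it is listed in a GPO's
# gPCUserExtensionNames attribute when the GPO carries user logon/logoff scripts.
SCRIPTS_CSE = "{42B5FAAE-6536-11D2-AE5A-0000F87571E3}"
LOG_CLEAR_IDS = {1102, 104}    # 1102: Security log cleared, 104: other log cleared
WINDOW = timedelta(days=7)     # assumed correlation window, tune per environment

# Constructed sample records with simplified field names (not real telemetry).
EVENTS = [
    {"time": "2024-07-01T09:12:00", "id": 4624, "host": "DC01", "user": "svc-backup"},
    {"time": "2024-07-01T10:03:00", "id": 5136, "host": "DC01", "user": "jdoe",
     "object_class": "user", "attribute": "description", "value": "contractor"},
    {"time": "2024-07-02T02:41:00", "id": 5136, "host": "DC01", "user": "adm-temp",
     "object_class": "groupPolicyContainer", "attribute": "gPCUserExtensionNames",
     "object_dn": "CN={EXAMPLE-GPO},CN=Policies,CN=System,DC=example,DC=test",
     "value": "[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}]"},
    {"time": "2024-07-05T03:15:00", "id": 1102, "host": "DC01", "user": "adm-temp"},
    {"time": "2024-09-20T14:00:00", "id": 104, "host": "WS-114", "user": "helpdesk1"},
]

def is_gpo_script_change(ev):
    """True for a 5136 directory change that puts the Scripts CSE on a GPO."""
    return (ev["id"] == 5136
            and ev.get("object_class") == "groupPolicyContainer"
            and ev.get("attribute") == "gPCUserExtensionNames"
            and SCRIPTS_CSE in ev.get("value", "").upper())

def find_alerts(events):
    """Return (severity, time, message) tuples in chronological order."""
    alerts, gpo_changes = [], []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        when = datetime.fromisoformat(ev["time"])
        if is_gpo_script_change(ev):
            gpo_changes.append(when)
            alerts.append(("medium", ev["time"],
                           f"scripts extension set on GPO {ev['object_dn']} by {ev['user']}"))
        elif ev["id"] in LOG_CLEAR_IDS:
            # A log clear shortly after a GPO script change matches the reported sequence.
            follows = any(timedelta(0) <= when - c <= WINDOW for c in gpo_changes)
            alerts.append(("high" if follows else "medium", ev["time"],
                           f"event log cleared on {ev['host']} by {ev['user']}"))
    return alerts

if __name__ == "__main__":
    for severity, when, message in find_alerts(EVENTS):
        print(f"[{severity}] {when} {message}")
```

Event 5136 is only written when Directory Service Changes auditing is enabled, and because the logs were cleared in this case, the events need to be forwarded off the host before they can be relied on.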

The team warned that defenders must change all Active Directory passwords and ask users to change the passwords for third-party sites saved in Chrome. Because Qilin is targeting Chrome for its majority market share and the prevalence of saved passwords, a single successful compromise could lead to multiple breaches for users.

Browser-based password managers, like Google’s Password Manager, may not offer the best security. A password manager application that follows industry best practices is recommended. MFA would have prevented Qilin’s access in the attack chain described, which highlights the importance of its adoption by businesses, especially SMEs.

The X-Ops team emphasized the need for businesses to enhance their security measures to protect themselves and other companies from cyber threats. Despite reaching out to Google for comment, Computer Weekly had not received a response at the time of publication.