Introduction
In a concerning development for cybersecurity experts and internet users alike, the Russia-linked cybercrime group Qilin has been caught stealing credentials stored within Google Chrome browsers. This new tactic adds an unexpected layer to the already devastating ransomware threat, potentially extending the reach of attacks beyond their original targets.
Qilin: A New Player in the Ransomware Game
Qilin, though relatively new to the cybercrime scene, has quickly made a name for itself:
- Emerged in October 2022
- Operates a Ransomware-as-a-Service criminal operation
- Believed to be behind the June 2024 attacks on U.K. hospitals
The Chrome Credential Theft Tactic
Researchers from the Sophos X-Ops team analyzed a recent Qilin attack in July 2024, uncovering this new and unusual tactic. Here's how it works:
- Attackers compromise a VPN portal using credentials likely obtained from an initial access broker
- After a period of inactivity, they move laterally to compromise a domain controller
- Domain policy is edited to include scripts that:
  - Harvest credentials stored in Chrome browsers
  - Execute the harvesting commands
- Scripts execute on each client machine as it logs in, potentially affecting the entire network
"This combination resulted in harvesting of credentials saved in Chrome browsers on machines connected to the network," the Sophos researchers reported.
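The chain above has two defender-visible steps: the Group Policy object is modified on the domain controller, and a logon script lands in SYSVOL that reaches into Chrome's credential store. The following added example (my own detection sketch, not Sophos code) correlates the two. It assumes a simplified dict representation of Windows security event 5136 ("A directory service object was modified") and a mapping of SYSVOL script paths to their text; the indicator strings and all sample data are constructed.

```python
import re

# Chrome keeps saved passwords in the "Login Data" SQLite file under the user
# profile and the key that protects them in "Local State". Any logon script that
# touches either is suspicious. (Indicator list is my assumption; tune it.)
CHROME_STORE_INDICATORS = (r"Login Data", r"Local State", r"Chrome\\User Data")
# Attributes on a groupPolicyContainer that change when scripts are added to a GPO.
GPO_ATTRS = {"gPCMachineExtensionNames", "gPCUserExtensionNames", "versionNumber"}

def gpo_change_dns(events):
    """DNs of GPOs touched in Windows 5136 (directory object modified) events."""
    return {e["object_dn"] for e in events
            if e["event_id"] == 5136
            and e["object_class"] == "groupPolicyContainer"
            and e["attribute"] in GPO_ATTRS}

def audit_gpo_scripts(events, sysvol_scripts):
    """Correlate GPO edits with SYSVOL logon scripts that reference Chrome's
    credential store. sysvol_scripts maps script path (containing the GPO GUID)
    to script text. Returns (gpo_dn, script_path, matched_indicator) tuples."""
    findings = []
    for dn in sorted(gpo_change_dns(events)):
        guid = re.search(r"CN=(\{[0-9A-F-]+\})", dn, re.I).group(1).lower()
        for path, text in sysvol_scripts.items():
            if guid not in path.lower():
                continue  # script belongs to a GPO that was not modified
            for pat in CHROME_STORE_INDICATORS:
                if re.search(pat, text, re.I):
                    findings.append((dn, path, pat))
                    break
    return findings

# Constructed sample input: one GPO edit, one unrelated user edit, two scripts.
GPO_DN = "CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=corp,DC=example"
SAMPLE_EVENTS = [
    {"event_id": 5136, "object_class": "groupPolicyContainer",
     "object_dn": GPO_DN, "attribute": "gPCUserExtensionNames"},
    {"event_id": 5136, "object_class": "user",
     "object_dn": "CN=jdoe,OU=Staff,DC=corp,DC=example", "attribute": "description"},
]
SCRIPT_DIR = r"\\corp.example\SYSVOL\corp.example\Policies\{11111111-2222-3333-4444-555555555555}\User\Scripts\Logon"
SAMPLE_SCRIPTS = {
    SCRIPT_DIR + r"\logon.bat": r'if exist "%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data" call collect.bat',
    SCRIPT_DIR + r"\drives.bat": r"net use H: \\fs01\home\%USERNAME%",
}
```

Running `audit_gpo_scripts(SAMPLE_EVENTS, SAMPLE_SCRIPTS)` flags only `logon.bat` under the edited GPO; scripts under unmodified GPOs and GPO-unrelated 5136 events are ignored.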
Why Target Chrome?
- Chrome accounts for 65% of the browser market
- On average, 87 work-related passwords and 174 personal passwords are stored per machine
Implications of This New Tactic
The potential consequences of this new approach are significant:
- Provides attackers with access to a wide range of applications where credentials are stored
- Could offer entry points for subsequent targets
- May yield valuable information about high-value targets for future exploitation
"Beyond the ransomware tactics, this would give the attackers broad access to any application where credentials have been stored," noted Glenn Chisholm, chief product officer at Obsidian Security.
Other Novel Ransomware Threats
In a separate investigation, Sophos X-Ops uncovered another ransomware group, Mad Liberator, using an unusual initial access tactic:
- Emerged in July 2024
- Uses remote access tools like AnyDesk without prior contact with the victim
- Follows a four-step process:
  - Sends an unsolicited connection request
  - Uploads a disguised file while disabling user input
  - Accesses the victim's OneDrive to exfiltrate files
  - Distributes a ransom note across the network
Conclusion
These new tactics employed by Qilin and Mad Liberator represent a significant evolution in ransomware threats. By targeting stored credentials and using novel initial access methods, these groups are opening up new avenues for attack that could have far-reaching consequences for organizations and individuals alike.
As the cybersecurity landscape continues to evolve, it's clear that both companies and users need to remain vigilant and adopt robust security practices to protect against these increasingly sophisticated threats.