Artur Marciniec - Fotolia
New Qilin tactics a ‘bonus multiplier’ for ransomware chaos
Sophos X-Ops caught the Qilin ransomware gang stealing credentials stored by victims' employees in Google Chrome, heralding further cyber attacks and breaches down the line.
The cyber criminal Qilin ransomware gang seems to be upping the stakes in its ransomware attacks, stealing not just their victims’ data, but harvesting credentials stored within Google Chrome browsers on their endpoints, something that has never been observed before.
Described as a “bonus multiplier for the chaos already inherent in ransomware situations” by the Sophos X-Ops research team that first uncovered the novel technique, the wholesale theft of credentials that employees have innocently stored in their work browsers under the impression that they will be safe is of grave concern. Indeed, the implications could reach far beyond just the targeted organisation.
Qilin had previously favoured the standard double extortion technique, but in July 2024, Sophos’ incident responders spotted weird activity on a single domain controller within a victim’s Active Directory domain.
The gang first obtained access via compromised credentials taken from a VPN portal that lacked multifactor authentication (MFA). Then, 18 days later, its operatives started to conduct lateral movement to a domain controller, where they edited the default domain policy to introduce a logon-based Group Policy Object (GPO).
Th first of these was a PowerShell script that was written to a temporary directory within the shared NTFS directory on the domain controller. This 19-line script attempted to harvest credential data stored within Chrome. The second item was a batch script that contained the commands to execute the first. The combo resulted in the exfiltration of credentials saved on machines connected to the network, and because the two scripts were contained in a logon GPO, they were able to execute on every client when it logged in.
The X-Ops team said Qilin’s operatives seemed so confident this would not be noticed that they left the GPO active for three days – plenty of time for the majority of users to logon to their devices and inadvertently trigger the script. Additionally, once the files containing the credential data were gone, Qilin deleted all the files and cleared the event logs for both the domain controller and the user devices. Only then did they start to encrypt the victim’s files and drop their ransom note.
The research team, comprising Sophos’ Lee Kirkpatrick, Paul Jacobs, Harshal Gosalia and Robert Weiland, said it was only natural that Qilin had targeted Chrome in this way – it holds a majority share of the browser market and according to an April 2024 NordPass survey, the average user has almost 90 work-related passwords, not to mention personal ones, to manage.
“A successful compromise of this sort would mean that not only must defenders change all Active Directory passwords; they should also, in theory, request that end users change their passwords for dozens, potentially hundreds, of third-party sites for which the users have saved their username-password combinations in the Chrome browser,” the team wrote.
“The defenders of course would have no way of making users do that. As for the end-user experience, though virtually every internet user at this point has received at least one ‘your information has been breached’notice from a site that has lost control of their users’ data, in this situation it’s reversed – one user, dozens or hundreds of separate breaches.”
Ransomware gangs are of course known to continuously change up their tactics, techniques and procedures (TTPs) and are – unfortunately – competent innovators when it comes to expanding their repertoire.
In this light, said the X-Ops team, that Qilin would look to change things up having been active for around two years was entirely predictable. However, they concluded, if they are now mining for endpoint-stored credentials, they and others could much more easily get their feet in the door at follow-on targets, or gain useful information on individuals of interest for targeted spear-phishing attacks.
“A dark new chapter may have opened in the ongoing story of cyber crime,” the team said.
Who are Qilin?
Named for a mythical Chinese unicorn, Qilin, which was also known as Agenda for a while, emerged in 2022 with a highly-customisable ransomware locker with both Golang and Rust versions. The Trend Micro analysts who first discovered it found the ransomware's developer had gone to great lengths to make sure Qilin's affiliates were able to specify and configure various settings, and tailor the ransomware to specific targets.
The gang targets enterprise and other high-value targets through phishing and spear phishing emails, and also exploits exposed applications and interfaces, such as remote desktop protocol (RDP). It is thought to have hit over 100 targets in the past couple of years, and has been ramping up its attacks in recent months.
Some of the gang's most noteworthy victims in the UK have included the Big Issue, and pathology lab services provider Synnovis, which was attacked in June, causing significant disruption to NHS services in London. Note that there is no evidence at the time of writing to link the techniques described by the Sophos team to either of these referenced attacks.
What do I do now?
Google touts its Password Manager service as an “effortless” way to help users sign into sites and apps across devices without needing to remember or reuse passwords. The feature is built into Chrome on all platforms, and in every Android application as well.
However, browser-based password managers are far from the last word in security, and are often found to be at risk. Although doing so adds more friction for users, best practice is to use a password manager application, taking care to select one that follows industry best practices for development, and has been tested and assured by a third-party.
In the attack chain described by the X-Ops team, MFA would have been an effective preventative measure as it would have likely prevented Qilin from ever gaining access to any of the victim’s systems. The good news is that MFA use is rising among businesses, but adoption levels still drop off dramatically among SMEs.
“Speaking bluntly, businesses must do better, for their own safety – and in this case, the safety of other companies as well,” the team concluded.
Computer Weekly contacted Google for comment, but had not received a response at the time of publication.
Read more about ransomware
- Proposals from legislators in Washington DC could shake up the global ransomware ecosystem and give law enforcement sweeping new powers.
- IBM publishes data on the spiralling costs of cyber attacks and data breaches, while researchers identify what appears to be the largest ransomware payment ever made.
- The London Borough of Hackney has been reprimanded by the ICO over a series of failures that led to a devastating ransomware attack.