The Qilin ransomware group has adopted a dangerous new tactic, deploying a custom stealer to steal account credentials stored in Google Chrome browsers. This alarming development, observed by the Sophos X-Ops team during incident response engagements, marks a significant shift in the ransomware landscape.
How the Attack Works
The attack, analyzed by Sophos researchers, begins with Qilin gaining access to a network through compromised credentials for a VPN portal lacking multi-factor authentication (MFA). This initial access, potentially facilitated by an initial access broker (IAB), allows Qilin to silently infiltrate the network.
After an 18-day period of dormancy, likely spent mapping the network, identifying critical assets, and conducting reconnaissance, Qilin moves laterally to a domain controller. This strategic move allows them to manipulate Group Policy Objects (GPOs), a powerful tool for controlling user settings and software deployments.
Qilin modifies the GPOs to execute a PowerShell script named ‘IPScanner.ps1’ on all machines logged into the domain network. This script, triggered by a batch script ‘logon.bat’ also included in the GPO, is designed to collect credentials stored in Google Chrome.
The batch script is configured to run every time a user logs into their machine, effectively triggering the PowerShell script to steal credentials. Stolen credentials are then saved on the ‘SYSVOL’ share under the names ‘LD’ or ‘temp.log.’
The Scope of the Threat
The stolen credentials are then sent to Qilin’s command and control (C2) server, while local copies and related event logs are wiped to conceal the malicious activity. This stealthy approach allows Qilin to operate undetected, maximizing their potential for damage.
Eventually, Qilin deploys its ransomware payload, encrypting data on the compromised machines. This final stage of the attack effectively paralyzes the targeted organization, demanding a ransom for the decryption key.
Another GPO and a separate batch file ‘run.bat’ are used to download and execute the ransomware across all machines in the domain, ensuring a widespread impact.
The Impact of Credential Theft
Qilin’s targeting of Chrome credentials poses a serious threat to organizations, making protecting against ransomware attacks even more challenging. The GPO is applied to all machines in the domain, so every device a user logs into is subject to the credential harvesting process.
This widespread credential theft could enable follow-up attacks, lead to breaches across multiple platforms and services, and significantly complicate response efforts. The stolen credentials could be used to access sensitive data, disrupt operations, and even launch further attacks on the organization.
The impact of this attack extends beyond the immediate ransomware incident. Organizations must change all Active Directory passwords and request that end users change their passwords for numerous third-party sites where they have saved their username-password combinations in the Chrome browser.
Mitigating the Risk
Organizations can mitigate this risk by implementing strict policies that forbid the storage of secrets in web browsers. This simple step significantly reduces the potential for credential theft.
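As an added defender-side example (not code from the article or from Sophos), the script below hunts for the GPO-delivered logon scripts and SYSVOL staging files described in the attack chain above, and checks whether the Chrome password manager is disabled by policy on the local host, the mitigation just mentioned. It assumes the GroupPolicy RSAT module is installed, the session can read SYSVOL, and the file names are the ones reported in this article.

```powershell
# Added example, not the article's or Sophos' code: hunt for the reported GPO scripts
# and SYSVOL artifacts, then report the local Chrome password-manager policy state.
# Assumes the GroupPolicy RSAT module and read access to the domain SYSVOL share.
Import-Module GroupPolicy

$domain   = $env:USERDNSDOMAIN
$sysvol   = "\\$domain\SYSVOL\$domain"
# File names reported in the incident; extend with your own indicators as needed.
$names    = @('IPScanner.ps1', 'logon.bat', 'run.bat', 'LD', 'temp.log')
$findings = @()

# 1. Reported file names anywhere under SYSVOL (deployed scripts and staged output alike).
Get-ChildItem -Path $sysvol -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $names -contains $_.Name } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Check = 'SYSVOL file'; Where = $_.FullName; Detail = $_.LastWriteTime }
    }

# 2. Every command wired into any GPO logon/logoff/startup/shutdown script. The GPO report
#    XML lists each one as a <Command> element; listing them all with the GPO's last
#    modification time lets an unexpected batch or PowerShell script stand out.
foreach ($gpo in Get-GPO -All) {
    $xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    foreach ($m in [regex]::Matches($xml, '<Command>([^<]+)</Command>')) {
        $findings += [pscustomobject]@{
            Check  = "GPO script: $($gpo.DisplayName)"
            Where  = $m.Groups[1].Value
            Detail = "GPO modified $($gpo.ModificationTime)"
        }
    }
}

# 3. Local mitigation state: the Chrome enterprise policy PasswordManagerEnabled = 0
#    stops Chrome from offering to save credentials at all.
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Google\Chrome' `
                        -Name PasswordManagerEnabled -ErrorAction SilentlyContinue
$state = if ($pol -and $pol.PasswordManagerEnabled -eq 0) { 'disabled by policy' }
         else { 'NOT disabled by policy' }
$findings += [pscustomobject]@{ Check = 'Chrome password manager'; Where = $env:COMPUTERNAME; Detail = $state }

$findings | Format-Table -AutoSize
```

Run it from a domain-joined administrative host; any SYSVOL hit or unfamiliar GPO script command is a lead for incident response, not proof of compromise on its own.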
Additionally, implementing multi-factor authentication (MFA) is crucial in protecting accounts against hijacks, even in the case of credential compromises. MFA adds an extra layer of security, making it much harder for attackers to gain access to accounts.
Finally, implementing the principles of least privilege and segmenting the network can significantly hamper a threat actor’s ability to spread on the compromised network. By limiting user privileges and isolating different network segments, organizations can prevent attackers from moving laterally and gaining access to critical systems.
Conclusion
Qilin’s new tactic highlights the ever-evolving nature of ransomware attacks. The group’s focus on stealing Chrome credentials poses a significant risk to organizations, demanding a comprehensive approach to cybersecurity.
Organizations must prioritize robust security measures, including MFA, strict credential storage policies, and network segmentation, to protect themselves from this evolving threat. The consequences of a successful Qilin attack can be devastating, impacting not only data security but also operational stability and the organization’s reputation.