In the cyberthreat landscape, the Qilin ransomware attack has recently been observed stealing credentials stored in the Chrome browser. Reports claim that these credentials were acquired from a small set of compromised endpoints. In this article, we’ll cover how the attack plays out and the complexities involved in deploying defense mechanisms. Let’s begin!
According to the available information, the attack was detected in July 2024 and involved infiltration of the target network through compromised credentials for a virtual private network (VPN) portal. It’s worth mentioning here that the threat actors behind the Qilin ransomware attacks were able to carry out post-exploitation actions for 18 days after initial access.
Their ability to do so stemmed from the lack of multi-factor authentication (MFA). Providing further details on the attack, researchers Lee Kirkpatrick, Paul Jacobs, Harshal Gosalia, and Robert Weiland stated that:
“Once the attacker reached the domain controller in question, they edited the default domain policy to introduce a logon-based Group Policy Object (GPO) containing two items.”
The first of the two items is a PowerShell script named “IPScanner.ps1.” The script is designed to harvest credential data stored within the Chrome browser. The second item has been identified as a batch script named “logan.bat.” This script contains the commands that execute the first script.
As far as the attack tactics are concerned, experts have mentioned that the threat actors behind the Qilin ransomware attack left the GPO active for three days.
Such an approach allowed them to increase the number of acquired credentials as users logged on to their devices, unaware that their credentials were being harvested. After acquiring the credentials, the attackers took steps to evade detection and remove evidence.
Once these steps had been completed, they encrypted the files and dropped the ransom note in directories on the compromised systems. Users affected by the Qilin ransomware attack are now required to change their credentials for third-party sites.
Commenting on the tactics of the threat actor behind the Qilin ransomware attack, researchers stated that:
“Predictably, ransomware groups continue to change tactics and expand their repertoire of techniques. If they, or other attackers, have decided to also mine for endpoint-stored credentials – which could provide a foot in the door at a subsequent target, or troves of information about high-value targets to be exploited by other means – a dark new chapter may have opened in the ongoing story of cybercrime.”
Given that the GPO was applied to all machines in the domain, credentials were harvested from every device a user logged into. Credential theft on this scale could enable follow-up attacks leading to breaches across multiple platforms and services.
Because of this vast attack surface, deploying effective protection and mitigation measures can be challenging. In light of this, organizations must use the insights from such attacks when developing a security strategy.
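The delivery vector described above is a logon script pushed through a domain-wide GPO. The following audit script is an added example, not code from the TuxCare post or from the researchers it cites: it lists every GPO in the domain that carries a logon, logoff, startup or shutdown script, shows where each is linked, and flags domain-root links and recent modifications so that a change like the one described here stands out. It assumes the GroupPolicy RSAT module is installed and the account can read GPO reports; the seven-day threshold is a hypothetical value.

```powershell
# Added example (not from the TuxCare post or the cited reports): audit all GPOs
# for script entries and report link scope and last-modified time.
# Assumes the GroupPolicy RSAT module and read access to GPO reports.
Import-Module GroupPolicy -ErrorAction Stop

# Hypothetical threshold: GPOs edited within this many days are flagged for review.
$recentDays = 7
$cutoff = (Get-Date).AddDays(-$recentDays)

$findings = foreach ($gpo in Get-GPO -All) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

    # Script entries live under the Scripts client-side extension; match on the
    # local element name so the namespace prefixes in the report do not matter.
    $scripts = $report.SelectNodes("//*[local-name()='Script']")
    if ($scripts.Count -eq 0) { continue }

    # A link whose SOM path contains no '/' is a domain-root link (as the
    # Default Domain Policy has), so the GPO applies to every machine.
    $links = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath })
    $domainWide = [bool]($links | Where-Object { $_ -and $_ -notmatch '/' })

    foreach ($s in $scripts) {
        $cmd  = ($s.SelectSingleNode("*[local-name()='Command']")).InnerText
        $type = ($s.SelectSingleNode("*[local-name()='Type']")).InnerText
        [pscustomobject]@{
            GPO            = $gpo.DisplayName
            ScriptType     = $type            # Logon, Logoff, Startup or Shutdown
            Command        = $cmd
            LinkedTo       = ($links -join '; ')
            DomainWide     = $domainWide
            LastModified   = $gpo.ModificationTime
            RecentlyEdited = ($gpo.ModificationTime -gt $cutoff)
        }
    }
}

# Domain-wide, recently edited GPOs that push scripts are the rows to review first.
$findings | Sort-Object -Property DomainWide, RecentlyEdited -Descending |
    Format-Table -AutoSize
```

Run it on a schedule from a management host and compare successive outputs; a new script entry in a domain-root-linked GPO is the signal to investigate.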
The Qilin ransomware attack shows how rapidly evolving tactics can expose vulnerabilities in even well-defended networks. To combat such threats, organizations must prioritize layered security measures, including multi-factor authentication and continuous monitoring. In addition, the use of proactive cybersecurity measures is also necessary to reduce exposure to risk and to improve the security posture.
The sources for this piece include The Hacker News and Bleeping Computer.
The post Qilin Ransomware Attack Used To Steal Chrome Browser Data appeared first on TuxCare.
*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/qilin-ransomware-attack-used-to-steal-chrome-browser-data/