The Qilin ransomware gang has taken its tactics to a new level by stealing the credentials stored in Google Chrome browsers on its victims’ endpoints. This novel technique, uncovered by the Sophos X-Ops research team, adds an extra layer of chaos to an already disruptive ransomware incident.
This wholesale theft of credentials stored in work browsers can have far-reaching implications beyond just the targeted organization. Qilin, which made headlines for its attack on Synnovis in June 2024, has evolved its techniques to include the theft of credentials from Chrome browsers.
After gaining initial access with compromised credentials for a VPN portal that lacked multifactor authentication, Qilin moved laterally within the victim’s Active Directory domain. The gang then used a logon-based Group Policy Object (GPO) to execute scripts that harvested the credential data stored in Chrome on every machine that processed the policy.
Qilin’s confidence in this technique was evident: the gang left the GPO active for three days, so the majority of users inadvertently triggered the script simply by logging on. After exfiltrating the credential data, the attackers encrypted the victim’s files and issued a ransom note.
The X-Ops team highlighted the significance of targeting Chrome due to its market dominance and users’ reliance on it for password management. Defenders are faced with the challenge of changing all Active Directory passwords and potentially hundreds of third-party passwords saved in Chrome.
Ransomware gangs continuously evolve their tactics, and the X-Ops team warned that Qilin’s new approach could facilitate further attacks or spear-phishing attempts on individuals of interest.
What do I do now?
Google’s Password Manager offers convenience but may not provide the highest level of security. Organisations are advised to use a third-party password manager application that follows industry best practices and has been independently tested for security.
Implementing multifactor authentication can help prevent unauthorized access to systems, as demonstrated in the attack chain described by the X-Ops team. Businesses, especially SMEs, are urged to prioritize cybersecurity measures to protect themselves and other companies.
Computer Weekly reached out to Google for comment but had not received a response at the time of publication.