Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Ransomattacks. Show all posts

Sophos X-Ops Uncovers Major Qilin Ransomware Breach Targeting Chrome Browser Credentials

 

Cybersecurity firm Sophos X-Ops has exposed a significant ransomware breach by the Qilin group, which has introduced a new and highly concerning technique of stealing credentials stored in Google Chrome browsers on compromised systems. Qilin, active since at least 2022, is already notorious for its "double extortion" strategy. This method involves encrypting the victim’s data while simultaneously threatening to leak or sell the data unless a ransom is paid. 

The discovery of Qilin's latest tactic underscores the evolution of ransomware attacks into more sophisticated and damaging operations. The breach came to light following an attack on Synnovis, a UK governmental healthcare service provider. 

The attack began with the exploitation of compromised credentials to access the organization’s VPN portal, which lacked multi-factor authentication (MFA), allowing the attackers initial access. Once inside, the attackers spent 18 days conducting surveillance before moving laterally to a domain controller. 

Here, they modified the Group Policy Objects (GPO) to implement a malicious PowerShell script named `IPScanner.ps1`. This script was designed to harvest login credentials stored in Google Chrome browsers and was automatically executed every time users logged into their devices. 

The stolen credentials were stored in the SYSVOL share, labeled by the infected device's hostname, and subsequently exfiltrated to the attackers' command-and-control server. To avoid detection, the attackers cleared event logs and deleted the local data copies before deploying the ransomware. Given that Google Chrome holds over 65 per cent of the browser market share, the attackers were able to access a large array of usernames and passwords stored by users, raising the scale of the breach. 

This method of credential harvesting introduces a new layer of threat, potentially allowing Qilin to access multiple high-value targets, complicating response efforts for organizations. Affected organizations have been urged to reset all Active Directory passwords and advise users to change the passwords of any sites saved in Chrome. 

This tactic may serve as a "bonus multiplier" for attackers, increasing the chaos inherent in ransomware situations by gaining insights into high-value accounts, making future attacks even more damaging. This breach highlights a growing concern over organizations' abilities to defend against such multifaceted and evolving ransomware threats