Qilin ransomware group is now stealing credentials stored in Google Chrome


The infamous Qilin ransomware group has deployed a novel tactic to steal credentials stored in Google Chrome. The credential-harvesting techniques significantly expand the scope of ransomware and the number of potential attacks in the future.

How is the Qilin ransomware group stealing credentials stored in Google Chrome?

The Qilin ransomware group has been active for over two years. Hence, they are well aware of potential vulnerabilities inside large networks.

According to the Sophos X-Ops team, which discovered the attack vectors and modules, the entire attack had an 18-day gestation period. This strongly suggests Qilin may have bought compromised login and authentication credentials for a large network from an Initial Access Broker (IAB).

By staying undetected for 18 days, Qilin reportedly mapped the network, identified critical assets, and conducted reconnaissance. Thereafter, using their ill-gained knowledge, the Qilin group reportedly accessed a domain controller within the target’s Active Directory (AD) domain. They then deployed a novel credential-harvesting technique inside that domain.

By altering the default domain policy, the group added a logon-triggered Group Policy Object (GPO). It contained a PowerShell script that harvested credentials saved in Chrome browser installations on victims’ computers.
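For defenders, the chain described above leaves three distinct footprints: a modification of the Default Domain Policy object, a script file appearing in that GPO's user logon-script folder in SYSVOL, and PowerShell touching Chrome's saved-password database. The detector below is an added example, not code from this article or from Sophos; it runs over constructed, already-flattened event records whose field names follow Windows Security event 5136 and Sysmon events 1 and 11, and the hostnames, usernames and paths in the samples are invented.

```python
import re

# Well-known GUID of the Default Domain Policy GPO; it is the same in every domain.
DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
# User logon scripts attached to that GPO are stored in SYSVOL under this folder.
LOGON_SCRIPT_DIR = re.compile(
    r"\\SYSVOL\\.*\\Policies\\\{31B2F340-016D-11D2-945F-00C04FB984F9\}\\User\\Scripts\\Logon\\",
    re.I)
# On-disk location of Chrome's saved-password store (any browser profile).
CHROME_LOGIN_DATA = re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data", re.I)


def analyse(events):
    """Return (rule, detail) findings for a sequence of flattened event dicts."""
    findings = []
    for ev in events:
        src, eid = ev.get("Source"), ev.get("EventID")
        # Security 5136: a directory object was modified; flag edits to the default GPO.
        if src == "Security" and eid == 5136 and \
                DEFAULT_DOMAIN_POLICY.lower() in ev.get("ObjectDN", "").lower():
            findings.append(("default-domain-policy-modified",
                             f"{ev.get('SubjectUserName')} set {ev.get('AttributeLDAPDisplayName')}"))
        # Sysmon 11 (FileCreate): something wrote into the GPO's logon-script folder.
        elif src == "Sysmon" and eid == 11 and LOGON_SCRIPT_DIR.search(ev.get("TargetFilename", "")):
            findings.append(("logon-script-dropped", ev["TargetFilename"]))
        # Sysmon 1 (ProcessCreate): PowerShell referencing Chrome's password database.
        elif src == "Sysmon" and eid == 1:
            image, cmd = ev.get("Image", "").lower(), ev.get("CommandLine", "")
            if image.endswith("powershell.exe") and CHROME_LOGIN_DATA.search(cmd):
                findings.append(("chrome-login-data-access", f"{ev.get('User')}: {cmd}"))
    return findings


# Constructed sample telemetry (not real events) covering the three stages plus benign noise.
SAMPLE_EVENTS = [
    {"Source": "Security", "EventID": 5136, "SubjectUserName": "svc_backup",
     "ObjectDN": "CN=" + DEFAULT_DOMAIN_POLICY + ",CN=Policies,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "gPCUserExtensionNames"},
    {"Source": "Sysmon", "EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "\\\\corp.example\\SYSVOL\\corp.example\\Policies\\"
                       + DEFAULT_DOMAIN_POLICY + "\\User\\Scripts\\Logon\\update.ps1"},
    {"Source": "Sysmon", "EventID": 1, "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command \"Get-Item "
                    "'C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data'\""},
    {"Source": "Sysmon", "EventID": 1, "User": "CORP\\bob",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Security event 5136 is only generated when Directory Service Changes auditing is enabled and the GPO object carries a matching SACL, so the first rule is silent on domains that have never turned that on.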

How to stay protected from the new cyberattack method?

The Qilin ransomware group is infamous for its double-extortion tactics. The group steals data, encrypts systems, and then threatens to dump the data on the internet or sell it if the ransom isn’t paid. The latest technique, however, indicates the group may have diversified.

The new technique is devastating primarily because Google Chrome currently dominates the browser market. Recent cybersecurity research has indicated an average internet user stores about 87 work-related passwords and a lot more personal ones inside browsers.

By gaining access to stored credentials, the Qilin ransomware group could significantly expand its scope, reach, and impact. A single compromised user could lead this group to several third-party platforms and compromise their defenses with login credentials.

One of the most obvious prevention techniques would be to stop storing passwords in web browsers. Users could rely on third-party password managers for this purpose instead.

Based on the attack methods, internet users could also stay safe by avoiding VPN services with dubious track records. Finally, users must opt for Two Factor Authentication (2FA) or Multi-Factor Authentication (MFA) wherever possible.

2024-08-23 15:06:10