Qilin ransomware [1] [3] [4] [6] [7] [8], a Russia-linked cybercrime group [2] [5], has been observed stealing Google Chrome credentials as part of their ransomware attacks.

Description

Qilin ransomware [1] [3] [4] [6] [7] [8], the group behind the recent Synnovis attack [1], has been observed stealing Google Chrome credentials as part of its ransomware attacks. This new tactic [1] [2] [4] [5], discovered by researchers from the Sophos X-Ops team [2], lets the attackers extend the reach of an intrusion beyond the original target [2]. In a recent attack analyzed by Sophos [2], Qilin used compromised credentials, likely obtained through an initial access broker [2], to log in to a VPN portal that did not enforce multi-factor authentication [2] [5]. After a period of inactivity [2], the attackers moved laterally to compromise a domain controller and harvest credentials stored in Chrome browsers on connected machines [2] [5]. The stolen credentials are written to files named after each device's hostname. Sophos detected the tactic and warned of its potential impact on defenders and end users [1], emphasizing the importance of changing passwords for third-party sites and remaining vigilant against follow-on attacks [1]. Sophos describes the targeting of Chrome credentials as a dark new chapter in the ransomware story [2], because it hands attackers broad access to valuable information for future exploitation [2]. Qilin, which has run a Ransomware-as-a-Service criminal operation since October 2022 [5], recognized the value of targeting Chrome credentials [5], potentially gaining access to high-value targets and applications [5]; this illustrates the evolving threat landscape organizations face [5]. The attack shows how ransomware groups' tactics are changing and how credential harvesting may increasingly be used to aid further cybercrime [8].

Conclusion

The theft of Google Chrome credentials by Qilin ransomware poses a significant threat to organizations and individuals. It underscores the importance of robust security measures, such as multi-factor authentication and regular password changes, to mitigate the risk of such attacks. As ransomware groups continue to evolve their tactics, organizations must remain vigilant and proactive in their defenses. Qilin's targeting of Chrome credentials highlights the ever-changing landscape of cybercrime and the need for continual adaptation and improvement of security practices.

References

[1] https://www.infosecurity-magazine.com/news/qilin-steal-credentials-google/
[2] https://www.forbes.com/sites/daveywinder/2024/08/25/ransomware-gang-targets-google-chrome-users-in-surprise-new-threat-twist/
[3] https://news.sophos.com/en-us/2024/08/22/qilin-ransomware-caught-stealing-credentials-stored-in-google-chrome/
[4] https://www.computerweekly.com/news/366608129/New-Qilin-tactics-a-bonus-multiplier-for-ransomware-chaos
[5] https://www.inkl.com/news/ransomware-hackers-targeting-google-chrome-credentials
[6] https://securityaffairs.com/167496/cyber-crime/qilin-ransomware-steal-google-chrome-passwords.html
[7] https://www.techradar.com/pro/security/google-chrome-details-can-be-stolen-by-this-clever-new-ransomware
[8] https://thehackernews.com/2024/08/new-qilin-ransomware-attack-uses-vpn.html