The Qilin ransomware group has recently escalated its cyber tactics by introducing a custom credential stealer specifically designed to target account credentials stored in Google Chrome browsers. This new development marks a significant and concerning shift in the ransomware landscape, as observed by the Sophos X-Ops team during their incident response engagements.
Attack Overview
The attack analyzed by Sophos researchers began when Qilin gained unauthorized access to a network through compromised credentials for a VPN portal that lacked multi-factor authentication (MFA). The initial breach was followed by an 18-day period of dormancy, suggesting that Qilin may have purchased their way into the network from an initial access broker (IAB). During this time, the attackers likely conducted thorough reconnaissance, mapping the network, identifying critical assets, and preparing for their next moves.
After the 18-day dormancy period, Qilin’s operators executed a lateral move to a domain controller, where they modified Group Policy Objects (GPOs) to deploy a PowerShell script named ‘IPScanner.ps1’ across all machines connected to the domain network. This script was designed to harvest credentials stored in Google Chrome browsers, a new and alarming tactic that has raised the stakes in ransomware attacks.
The Attack in Detail
The PowerShell script was launched by a batch script, ‘logon.bat,’ which the modified GPO registered as a user logon script. Because a logon script runs every time a user signs in, the harvester executed on every domain-joined machine that any user logged onto while the GPO was in place. Its output was written to the domain’s ‘SYSVOL’ share, a location every domain member can read, under file names such as ‘LD’ or ‘temp.log.’
Once the credentials were harvested, they were transmitted to Qilin’s command and control (C2) server. To cover their tracks, the attackers deleted the local copies of the stolen credentials and cleared the related event logs, making it harder for defenders to reconstruct the activity. Only after the credential theft did Qilin deploy the ransomware payload, encrypting data on the compromised machines and causing widespread disruption.
To run the ransomware on every machine in the domain, Qilin used a second GPO and a separate batch file, ‘run.bat,’ which downloaded and executed the ransomware, further amplifying the attack’s impact.
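The artifacts described above (logon scripts registered through a GPO, script files dropped into SYSVOL, and cleared event logs) are all things a defender can hunt for from a domain-joined admin workstation. The following PowerShell is an added example written for this page; it is not code from Sophos or from the attackers, and it does not recover the real ‘IPScanner.ps1.’ It assumes the RSAT GroupPolicy module is installed, that the account running it can read SYSVOL and the Security log, and the keyword list and file-type filter are assumptions chosen for illustration.

```powershell
# Added hunting example (not from the Sophos report). Assumes RSAT GroupPolicy module,
# read access to SYSVOL and the local Security log. Keywords and extensions are assumptions.
Import-Module GroupPolicy -ErrorAction Stop

$domain   = $env:USERDNSDOMAIN
$sysvol   = "\\$domain\SYSVOL\$domain"
# Strings a browser-credential harvester or log-wiper is likely to contain (assumed list).
$keywords = 'Login Data', 'Chrome', 'User Data', 'SYSVOL', 'wevtutil', 'Clear-EventLog'

# 1. Every script file under SYSVOL, newest first, with any suspect terms it contains.
#    Recently modified scripts that mention the Chrome profile store deserve a look.
$scripts = Get-ChildItem -Path $sysvol -Recurse -Include *.ps1, *.bat, *.cmd, *.vbs -ErrorAction SilentlyContinue |
  ForEach-Object {
    $hits = Select-String -Path $_.FullName -Pattern $keywords -SimpleMatch -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty Pattern -Unique
    [pscustomobject]@{
      Script       = $_.FullName
      LastWriteUtc = $_.LastWriteTimeUtc
      SuspectTerms = ($hits -join ', ')
    }
  } | Sort-Object LastWriteUtc -Descending
$scripts | Format-Table -AutoSize

# 2. GPOs that configure a user logon script: the delivery vector used in this attack.
#    Get-GPOReport emits XML; the Scripts extension lists each script's Command/Parameters/Type.
$logonScripts = Get-GPO -All | ForEach-Object {
  $gpo = $_
  [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
  $report.GPO.User.ExtensionData.Extension.Script |
    Where-Object { $_.Type -eq 'Logon' } |
    ForEach-Object {
      [pscustomobject]@{
        GPO        = $gpo.DisplayName
        Modified   = $gpo.ModificationTime
        Command    = $_.Command
        Parameters = $_.Parameters
      }
    }
}
$logonScripts | Format-Table -AutoSize

# 3. Evidence of log clearing on this host: Security event 1102 survives a wipe because
#    it is written at the moment the audit log is cleared. Property index 1 is SubjectUserName.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 50 -ErrorAction SilentlyContinue |
  Select-Object TimeCreated, MachineName, @{ n = 'ClearedBy'; e = { $_.Properties[1].Value } }
```

Run the third section on each domain controller and on a sample of workstations, not only where the GPO was authored: the wipe happened on the endpoints that ran the harvester. Any logon script whose `Command` points at a `.bat` wrapper that in turn runs `powershell.exe` is worth opening, even when its name looks administrative.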
The Complexity of Defense
Qilin’s approach to targeting Chrome credentials adds a new layer of complexity to defending against ransomware attacks. Because the GPO applied to every machine in the domain, every device a user logged into ran the credential-harvesting script. As a result, the script potentially collected saved credentials from every domain-joined machine that employees used during the period the script was active.
This extensive credential theft could lead to a cascade of follow-up attacks, enabling widespread breaches across multiple platforms and services. The situation is particularly concerning because it complicates response efforts and introduces a lingering, long-term threat even after the ransomware incident has been resolved.
A successful compromise of this nature requires defenders not only to change all Active Directory passwords but also to request that end users change their passwords for numerous third-party sites where they may have saved their username-password combinations in the Chrome browser. The scale of such a task is daunting and underscores the severe impact of Qilin’s credential-stealing tactics.
Mitigation Strategies
Organizations can take several steps to mitigate the risk posed by Qilin’s new tactics. One of the most effective is to prohibit the storage of sensitive credentials in web browsers and to enforce that policy technically rather than leaving it to user discretion: Chrome’s built-in password manager can be disabled centrally through its supported enterprise policies. This reduces the value of a compromised endpoint, since there is nothing for a harvester like ‘IPScanner.ps1’ to collect, even if an attacker gains access to the device or network.
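The following PowerShell is an added hardening example for this page, not code from the article or from Sophos. It applies Chrome’s documented enterprise policies through the machine-wide policy registry key that Chrome reads on Windows (the same values the ADMX templates set through Group Policy), then verifies them. The function name and the return shape are assumptions made for illustration; running it requires local administrator rights.

```powershell
# Added hardening example (not from the article). Sets Chrome's documented policies under
# the machine policy key and verifies them. Requires local admin. Function name is assumed.
$ChromePolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Set-ChromeCredentialHardening {
    New-Item -Path $ChromePolicyKey -Force | Out-Null

    # Weak state: the value is absent or 1, so Chrome offers to save and autofill passwords,
    # and the saved 'Login Data' store is exactly what a harvester reads.
    # Hardened: 0 disables the built-in password manager; Chrome stops saving and filling.
    Set-ItemProperty -Path $ChromePolicyKey -Name 'PasswordManagerEnabled' -Value 0 -Type DWord

    # Without these, a user signed into a personal Google account can sync saved passwords
    # back onto the machine. 0 disables browser sign-in; 1 disables sync entirely.
    Set-ItemProperty -Path $ChromePolicyKey -Name 'BrowserSignin' -Value 0 -Type DWord
    Set-ItemProperty -Path $ChromePolicyKey -Name 'SyncDisabled'  -Value 1 -Type DWord
}

function Test-ChromeCredentialHardening {
    # Returns $true only when every expected value is present with the hardened setting.
    $p = Get-ItemProperty -Path $ChromePolicyKey -ErrorAction SilentlyContinue
    if (-not $p) { return $false }
    return ($p.PasswordManagerEnabled -eq 0) -and ($p.BrowserSignin -eq 0) -and ($p.SyncDisabled -eq 1)
}

Set-ChromeCredentialHardening
if (Test-ChromeCredentialHardening) {
    Write-Output "Chrome password manager and sync are disabled by machine policy."
} else {
    Write-Output "Policy not applied; check HKLM:\SOFTWARE\Policies\Google\Chrome."
}
```

In a domain the same settings belong in a GPO (Computer Configuration, Administrative Templates, Google Chrome, with the official ADMX templates loaded) so that they reach every machine and cannot be undone locally. Disabling the manager prevents new passwords from being saved; credentials users already stored before the policy took effect should be treated as exposed and rotated, which is the same cleanup the article describes after a compromise.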
Additionally, implementing multi-factor authentication (MFA) is crucial in protecting accounts against hijacking, even if credentials are compromised. MFA adds an extra layer of security, making it significantly harder for attackers to gain unauthorized access to accounts.
Finally, organizations should adopt the principles of least privilege and network segmentation. These practices limit a threat actor’s ability to move laterally within a network, thereby reducing the potential damage that can be caused by a successful breach. By restricting access to critical systems and segmenting the network, organizations can create barriers that slow down or stop attackers from achieving their objectives.
The Growing Threat of Qilin
Qilin is not just another ransomware group; it represents an unconstrained and multi-platform threat with connections to the Scattered Spider social engineering experts. The group’s ability to evolve and adapt its tactics poses a significant risk to organizations across various industries. As ransomware attacks become more sophisticated, the importance of robust cybersecurity defenses cannot be overstated.
In conclusion, the emergence of Qilin’s credential-stealing tactics highlights the ever-evolving nature of ransomware threats. Organizations must remain vigilant and proactive in their cybersecurity efforts to defend against these increasingly sophisticated attacks. By implementing strong security measures and staying informed about the latest threats, organizations can better protect themselves from the devastating impact of ransomware.