Qilin ransomware, the criminal ring behind the chaos at London hospitals this summer, has evolved its tactics to harvest passwords from Google Chrome, Sophos X-Ops research has revealed.
In June 2024, Qilin, known for double extortion practices, targeted Synnovis, a governmental service provider to various UK healthcare providers and hospitals, triggering a pause on critical services at five London hospitals.
In July 2024, Sophos X-Ops researchers observed a separate incident, which uncovered an unusual Qilin tactic. An attack against an undisclosed organization led to “en masse theft of credentials stored in Google Chrome browsers on a subset of the network’s endpoints.”
This credential harvesting technique has potential implications beyond the victim organization.
“The Qilin ransomware group may have decided that, by merely targeting the network assets of their target organizations, they were missing out,” researchers said.
In a recent attack, Qilin deployed a new script called IPScanner.ps1, targeting Chrome browsers, which hold over 65% of the browser market. A successful attack means that the hackers gain the saved credentials of every user who stores passwords in the browser.
A recent survey indicates that the average user has 87 work-related passwords and twice as many personal ones. This could easily become a network defender’s nightmare.
“A successful compromise of this sort would mean that not only must defenders change all Active Directory passwords; they should also (in theory) request that end users change their passwords for dozens, potentially hundreds, of third-party sites for which the users have saved their username-password combinations in the Chrome browser,” the Sophos report reads.
Qilin used compromised VPN credentials obtained elsewhere to gain initial access to the organization's network. With no multifactor authentication in place, the attackers dwelled in the network for 18 days before they started to move laterally.
The malicious scripts would execute on each user's machine as they logged in. Qilin left the code active for over three days, which Sophos calls a display of confidence that they wouldn't be caught. Once they were done exfiltrating the stolen credentials, the attackers deleted all the files and logs on the domain controller and the infected computers. Ransom notes soon followed.
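As an added illustration (not code from the article or from Sophos), the following Python scans constructed, Sysmon-style telemetry for two of the behaviours described above: a process other than Chrome reading the browser's saved-password store, and the Security event log being cleared on the same host afterwards. The key=value event format, the hostnames, user names and file paths are all constructed for this example; only the Chrome profile layout and Windows event ID 1102 are real.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample telemetry in a simplified key=value format. The field
# names and the Sysmon-style use of event 11 for "file accessed" are
# assumptions made for this example, not any vendor's real schema; 1102 is
# the real Windows Security event ID for "the audit log was cleared".
SAMPLE_EVENTS = [
    # Benign: Chrome itself opening its own credential database at logon.
    'ts=2024-07-18T08:02:11Z host=WS-014 user=alice event=11 '
    'image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
    'target="C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"',
    # Suspicious: a PowerShell process reading the same database shortly after.
    'ts=2024-07-18T08:02:40Z host=WS-014 user=alice event=11 '
    'image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'target="C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"',
    # Suspicious: the same process reading Local State, which stores the key
    # that wraps the saved passwords.
    'ts=2024-07-18T08:03:05Z host=WS-014 user=alice event=11 '
    'image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'target="C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"',
    # Days later: the Security log on the same host is cleared.
    'ts=2024-07-21T17:30:00Z host=WS-014 user=SYSTEM event=1102 '
    'image="C:\\Windows\\System32\\wevtutil.exe" target="Security"',
    # Benign on another host.
    'ts=2024-07-18T09:00:00Z host=WS-022 user=bob event=11 '
    'image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
    'target="C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
BROWSER_IMAGES = {"chrome.exe"}                    # processes expected to open the store
CRED_STORE_FILES = {"login data", "local state"}   # saved passwords / their wrapping key
RULE_STORE = "non_browser_read_of_chrome_credential_store"
RULE_CLEAR = "security_log_cleared"


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {k: (q or u) for k, q, u in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the two per-event rules and return one alert dict per hit."""
    alerts = []
    for e in events:
        target = e.get("target", "")
        image = e.get("image", "")
        if (e.get("event") == "11"
                and "\\google\\chrome\\user data\\" in target.lower()
                and basename(target) in CRED_STORE_FILES
                and basename(image) not in BROWSER_IMAGES):
            alerts.append({"rule": RULE_STORE, "ts": e["ts"], "host": e["host"],
                           "user": e.get("user", ""), "image": image,
                           "file": basename(target)})
        elif e.get("event") == "1102":
            alerts.append({"rule": RULE_CLEAR, "ts": e["ts"], "host": e["host"],
                           "user": e.get("user", ""), "image": image, "file": target})
    return alerts


def hosts_with_both(alerts: List[Dict[str, str]]) -> List[str]:
    """Hosts where credential-store access was followed by log clearing:
    the combination is far stronger evidence than either signal alone."""
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a["host"]].add(a["rule"])
    return sorted(h for h, rules in by_host.items() if {RULE_STORE, RULE_CLEAR} <= rules)


def run(lines: List[str] = SAMPLE_EVENTS) -> Tuple[List[Dict[str, str]], List[str]]:
    """Parse, evaluate and correlate; returns (alerts, escalated_hosts)."""
    alerts = evaluate([parse_event(line) for line in lines])
    return alerts, hosts_with_both(alerts)


if __name__ == "__main__":
    found, escalated = run()
    for a in found:
        print(f'{a["ts"]} {a["host"]} {a["rule"]} image={basename(a["image"])} file={a["file"]}')
    print("hosts showing both credential-store access and log clearing:", escalated)
```

The per-event rule deliberately allows chrome.exe and nothing else to touch the profile files, so an allowlist of legitimate backup or sync agents would need to be added in a real deployment; the correlation step is what turns two noisy signals into a host worth isolating.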
Researchers are worried that this tactic may have opened “a dark new chapter” of cybercrime.
“If they, or other attackers, have decided to also mine for endpoint-stored credentials, it could provide a foot in the door at a subsequent target or troves of information about high-value targets to be exploited by other means,” Sophos concludes.