Qilin Ransomware: The Rising Threat of Credential Theft from Google Chrome

In the ever-evolving landscape of cybersecurity threats, ransomware groups are constantly adapting their tactics to maximize their impact and evade detection. The Qilin ransomware group, notorious for their sophisticated attacks, has recently been observed deploying a new tactic that should alarm organizations and individuals alike: the theft of account credentials stored in Google Chrome browsers. This development, highlighted by the team during recent incident response engagements, represents a significant escalation in the threat posed by ransomware attacks.

Understanding the Qilin Attack: A Detailed Overview
The attack that brought this new tactic to light began with Qilin gaining unauthorized access to a corporate network. The initial breach was accomplished through compromised credentials for a VPN portal that lacked multi-factor authentication (MFA)—a common yet critical security oversight. Once inside the network, the attackers exhibited an unusual degree of patience, remaining dormant for 18 days. This period of inactivity suggests that Qilin may have purchased access to the network from an initial access broker (IAB), and spent the time mapping the network, identifying critical assets, and conducting reconnaissance.

After the dormancy period, Qilin launched the next phase of their attack by moving laterally within the network to a domain controller. Here, they modified Group Policy Objects (GPOs) to execute a PowerShell script named IPScanner.ps1 across all machines connected to the domain. This script was part of a carefully orchestrated operation to steal credentials stored in Google Chrome.

The execution of the PowerShell script was triggered by a batch file (logon.bat) included in the GPO, which ran every time a user logged into their machine. The script harvested credentials from Chrome and saved them in files named LD or temp.log on the SYSVOL share. These stolen credentials were then exfiltrated to Qilin’s command and control (C2) server, after which local copies and event logs were wiped to cover the attackers' tracks. With the credentials in hand, Qilin deployed their ransomware payload, encrypting data across the compromised machines.

To ensure maximum disruption, another GPO and a separate batch file (run.bat) were used to download and execute the ransomware across all machines in the domain, completing the attack.

The Implications: Increased Complexity in Defending Against Ransomware
Qilin’s approach to targeting Chrome credentials adds a new layer of complexity to defending against ransomware attacks. By modifying GPOs to deploy a credential-stealing script across the entire domain, Qilin ensured that every device logged into by a user during the script’s active period was compromised. The widespread theft of credentials from all machines in the domain not only facilitated the initial ransomware attack but also set the stage for potential follow-up attacks and broader breaches.

The implications of such an attack are far-reaching. Extensive credential theft can lead to the compromise of multiple platforms and services, significantly complicating incident response efforts. Even after the ransomware incident is resolved, the stolen credentials could continue to pose a threat, enabling attackers to re-enter the network or target related accounts.

Mitigating the Risk: Essential Security Measures
To protect against this new breed of ransomware attack, organizations must take proactive steps to secure their networks and data. Here are some key measures to consider:

1. Prohibit Storage of Credentials in Browsers: Organizations should enforce strict policies that forbid storing passwords and other sensitive information in web browsers like Chrome. Using dedicated password managers with enhanced security features is a safer alternative.
2. Implement Multi-Factor Authentication (MFA): MFA is a critical defense against credential-based attacks. Even if credentials are compromised, MFA can prevent unauthorized access by requiring an additional verification step.
3. Apply the Principle of Least Privilege: By limiting user permissions to only what is necessary for their roles, organizations can minimize the damage potential of compromised accounts.
4. Network Segmentation: Dividing the network into smaller, isolated segments can hinder an attacker’s ability to move laterally and escalate their privileges within the network.
5. Regularly Update Security Policies and Practices: Continuous monitoring and updating of security practices, including patch management and user training, are vital in maintaining a robust defense against evolving threats.