
New Qilin Ransomware Attack Exploits VPN Credentials and Steals Chrome Data

A recent Qilin ransomware attack has been identified in which the attackers stole credentials stored in Google Chrome browsers on a select number of compromised endpoints. This incident represents a notable shift in ransomware tactics, combining credential harvesting with ransomware deployment, according to a report by cybersecurity firm Sophos.

The attack, first detected in July 2024, involved the threat actors gaining access to the target network using compromised VPN credentials that lacked multi-factor authentication (MFA). The attackers then waited 18 days before executing post-exploitation activities.

Once inside the network, the attackers targeted the domain controller, modifying the Default Domain Policy to introduce a Group Policy Object (GPO) that deployed a PowerShell script named “IPScanner.ps1” to harvest Chrome-stored credentials. A batch script (“logon.bat”) was also used to trigger the PowerShell script during user logins.

The attackers maintained this GPO on the network for over three days, allowing ample time to collect credentials each time a user logged in. After exfiltrating the stolen credentials, the attackers erased traces of their activities before encrypting files and dropping ransom notes in every directory.
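As an added example (not code from the Sophos report or this article), the two artifacts described above, a change to the Default Domain Policy GPO and a batch logon script that hands off to a PowerShell script, as a defender would hunt for them over directory-change events and SYSVOL contents. The event records, script contents and the domain "corp.example" are constructed, and the event field names are assumptions; the Default Domain Policy GUID is the well-known one.

```python
import re

# Well-known GUID of the Default Domain Policy GPO; everything below that
# mentions corp.example or a user name is constructed sample data.
DEFAULT_DOMAIN_POLICY_GUID = "{31B2F340-016D-11D2-945F-00C04FB984F9}"

# Constructed Event ID 5136 (directory service object modified) records,
# reduced to the fields the hunt needs. Field names are assumptions.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "svc-backup",
     "ObjectDN": "CN=" + DEFAULT_DOMAIN_POLICY_GUID + ",CN=Policies,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "versionNumber"},
    {"EventID": 5136, "SubjectUserName": "gpoadmin",
     "ObjectDN": "CN={ABCDEF01-0000-4000-8000-000000000001},CN=Policies,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "versionNumber"},
    {"EventID": 4624, "SubjectUserName": "alice", "ObjectDN": "", "AttributeLDAPDisplayName": ""},
]

# Constructed contents of files under each GPO's User\Scripts\Logon folder in SYSVOL,
# keyed by path relative to the SYSVOL share (forward slashes for brevity).
SAMPLE_LOGON_SCRIPTS = {
    "Policies/" + DEFAULT_DOMAIN_POLICY_GUID + "/User/Scripts/Logon/logon.bat":
        "powershell.exe -ExecutionPolicy Bypass -File \\\\corp.example\\SYSVOL\\scripts\\IPScanner.ps1",
    "Policies/{ABCDEF01-0000-4000-8000-000000000001}/User/Scripts/Logon/mapdrives.bat":
        "net use H: \\\\fs01\\home\\%USERNAME%",
}

# A batch logon script that launches PowerShell with a .ps1 file is unusual enough to review.
PS_LAUNCH = re.compile(r"(?i)\bpowershell(?:\.exe)?\b.*?(\S+\.ps1)")

def flag_gpo_changes(events, gpo_guid=DEFAULT_DOMAIN_POLICY_GUID):
    """Return (actor, attribute) for each 5136 event that modifies the given GPO container."""
    hits = []
    for ev in events:
        if ev["EventID"] == 5136 and gpo_guid.lower() in ev["ObjectDN"].lower():
            hits.append((ev["SubjectUserName"], ev["AttributeLDAPDisplayName"]))
    return hits

def flag_logon_scripts(scripts):
    """Return (script_path, ps1_path) for logon scripts that hand off to a PowerShell script."""
    hits = []
    for path, body in scripts.items():
        if "/Scripts/Logon/" in path and (m := PS_LAUNCH.search(body)):
            hits.append((path, m.group(1)))
    return hits

if __name__ == "__main__":
    for actor, attr in flag_gpo_changes(SAMPLE_EVENTS):
        print(f"Default Domain Policy modified by {actor} (attribute {attr})")
    for path, ps1 in flag_logon_scripts(SAMPLE_LOGON_SCRIPTS):
        print(f"Logon script {path} launches PowerShell script {ps1}")
```

In production the events would come from domain controller security logs (with auditing of directory service changes enabled) and the script bodies from a read of the SYSVOL share, with every hit compared against the change-control record for that GPO.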

The theft of Chrome-stored credentials now requires affected users to change their login details for all third-party sites. Sophos researchers warn that this tactic may signal a new phase in cybercrime, where ransomware groups increasingly target endpoint-stored credentials for further exploitation.

This attack is part of a broader trend of evolving ransomware techniques, with groups like Mad Liberator and Mimic employing various methods such as unsolicited AnyDesk requests and exploiting internet-exposed Microsoft SQL servers for initial access.

Despite law enforcement actions, ransomware remains highly profitable in 2024, with this year on track to be the most lucrative yet for cybercriminals. Notably, a record $75 million ransom was paid to the Dark Angels ransomware group, highlighting the growing financial stakes in these attacks.
