Sophos X-Ops research has uncovered that the notorious Qilin ransomware group has evolved its tactics to include harvesting passwords from Google Chrome.
Qilin is known for its June attack on Synnovis, a key service provider for multiple UK healthcare institutions, which resulted in a critical pause of services at five London hospitals. In July, Sophos X-Ops researchers identified a new method employed by Qilin during a separate attack, revealing a sophisticated credential theft operation.
The attack involved the use of a new script called IPScanner.ps1, designed to target the incredibly popular Google Chrome browser. The script enabled the attackers to harvest credentials from any user who had stored passwords in the browser, a feature widely used by Chrome users for both personal and work-related passwords. Harvesting passwords at this scale poses a severe security risk.
Qilin gained initial access to the victim’s network using compromised VPN credentials, exploiting the absence of multifactor authentication. The attackers lingered in the network for nearly three weeks before initiating lateral movement. During this period, malicious scripts ran on user machines as they logged in, demonstrating a high level of confidence in their stealth. For over three days, Qilin’s code remained active, allowing the group to exfiltrate stolen credentials before deleting all files and logs from the domain controller and infected computers. After deleting this evidence, the group left their ransom notes.
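Because the scripts ran at user logon for days before the attackers cleaned up, the window for catching them is in endpoint process-creation telemetry rather than on the domain controller afterwards. The following is an added example, not code from the Sophos report or from this article: a small Python triage pass over constructed Sysmon-style process-creation events that flags PowerShell either launching a script named IPScanner.ps1 (the name reported here) or referencing Chrome's saved-credential database. The event format, host names, users and command lines are constructed for the example; the Chrome "Login Data" location is the browser's standard profile path.

```python
"""Added example (not from the Sophos report or this article): triage constructed
process-creation events for a PowerShell script that touches Chrome's stored
credentials. The JSON event shape and all sample values are constructed here."""
import json
import re

# Chrome keeps saved logins in a SQLite file named "Login Data" under the user profile.
CHROME_LOGIN_DATA = re.compile(r"google\\chrome\\user data\\[^\\]+\\login data", re.IGNORECASE)
# Script name reported in the article. Attackers can rename a script, so treat this as a weak signal.
KNOWN_SCRIPT = re.compile(r"ipscanner\.ps1", re.IGNORECASE)
# Match the PowerShell host binary at the end of the Image path.
POWERSHELL = re.compile(r"(^|\\)(powershell|pwsh)(\.exe)?$", re.IGNORECASE)


def score_event(evt: dict) -> list:
    """Return the reasons an event is suspicious (empty list if none)."""
    reasons = []
    image = evt.get("Image", "")
    cmd = evt.get("CommandLine", "")
    if POWERSHELL.search(image):
        if CHROME_LOGIN_DATA.search(cmd):
            reasons.append("powershell referencing Chrome Login Data")
        if KNOWN_SCRIPT.search(cmd):
            reasons.append("script name matches IPScanner.ps1")
    return reasons


def triage(log_lines) -> list:
    """Parse newline-delimited JSON events; return (host, user, reasons) for each hit."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            evt = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line rather than abort the whole sweep
        reasons = score_event(evt)
        if reasons:
            hits.append((evt.get("Computer"), evt.get("User"), reasons))
    return hits


# Constructed sample events (hypothetical hosts, users and paths; not real telemetry).
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Temp\\IPScanner.ps1"}),
    json.dumps({"EventID": 1, "Computer": "WS02", "User": "CORP\\bob",
                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "CommandLine": "powershell.exe -c Copy-Item \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data\" C:\\Temp\\ld.db"}),
    json.dumps({"EventID": 1, "Computer": "WS03", "User": "CORP\\carol",
                "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
                "CommandLine": "chrome.exe --profile-directory=Default"}),
]

if __name__ == "__main__":
    for host, user, reasons in triage(SAMPLE_EVENTS):
        print(f"{host} {user}: {'; '.join(reasons)}")
```

The third event shows why the PowerShell check is gated on the parent image: Chrome itself legitimately opens its own Login Data file, so the path alone is not a useful indicator. In a real deployment the same two signals map naturally onto a SIEM rule over Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled, and any hit on a user workstation during logon is worth treating as the start of the incident timeline, not an isolated alert.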
“A successful compromise of this sort would mean that not only must defenders change all Active Directory passwords; they should also (in theory) request that end users change their passwords for dozens, potentially hundreds, of third-party sites for which the users have saved their username-password combinations in the Chrome browser,” the Sophos report notes.
Sophos researchers express concern that this tactic might signify a troubling new trend in cybercrime, emphasizing that if Qilin or other attackers adopt similar methods to mine endpoint-stored credentials, it could pave the way for further attacks or provide valuable information about targets. This development highlights the evolving sophistication of cyber threats and the urgent need for enhanced security measures.