The Qilin ransomware group has conducted a mass theft of credentials from Google Chrome browsers within a targeted network. The attackers harvested a trove of sensitive login information and encrypted systems.
In July 2024, researchers observed unusual activity on the domain controller within a targeted organisation’s Active Directory (AD) domain. They discovered that attackers had gained initial access to the network through compromised credentials, exploiting a VPN portal that lacked multifactor authentication (MFA).
Researchers found that attackers lingered in the network for 18 days before moving laterally to a domain controller. They altered the default domain policy by introducing a logon-based Group Policy Object (GPO) that executed a PowerShell script, IPScanner.ps1, designed to harvest credential data stored in Chrome browsers.
“Once the attacker reached the domain controller in question, they edited the default domain policy to introduce a logon-based Group Policy Object (GPO) containing two items,” explained researchers.
This script, coupled with a batch script (logon.bat), activated the credential-stealing process whenever a user logged in to their machine.
The credentials harvested by the IPScanner.ps1 script were saved in a newly created directory on the domain’s SYSVOL share, with subfolders named after the host devices. Confident in their stealth, the attackers left the GPO active for over three days, allowing them to collect substantial credential data from endpoints across the network.
Researchers also discovered that attackers deleted the harvested files and cleared event logs to cover their tracks before proceeding to encrypt the affected systems and drop ransom notes.
Notably, the domain controller where the GPO was initially configured remained unencrypted, suggesting a possible oversight or a deliberate strategy to retain access for further exploitation.
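The mechanism described above leaves two artefacts a defender can look for: a logon script added under a GPO’s SYSVOL folder, and the directory-service and log-clearing events on the domain controller. The following audit is an added example written for this page, not code from the article or from the researchers it cites. It assumes the standard SYSVOL layout `Policies\{GUID}\User\Scripts\Logon`, the well-known Default Domain Policy GUID, and Windows security event IDs 5136 (directory service object modified) and 1102 (security log cleared); the SYSVOL tree and the event records it scans are constructed inline so the script runs offline.

```python
"""Defender-side audit for GPO logon-script credential harvesting (added example).

Check 1: walk a SYSVOL share, list every script wired into a GPO's User Logon
         scripts folder, and flag scripts that reference Chrome's credential
         store ("Login Data") or that point back into SYSVOL.
Check 2: scan Windows security events for GPO modification (5136 on a
         groupPolicyContainer) and security-log clearing (1102).
"""
import os
import re
import tempfile

# Well-known GUID of the Default Domain Policy GPO (a real, fixed value).
DEFAULT_DOMAIN_POLICY_GUID = "{31B2F340-016D-11D2-945F-00C04FB984F9}"

# Assumed indicators: a logon script should not normally touch these.
SUSPECT_PATTERNS = [
    re.compile(r"Login Data", re.IGNORECASE),                 # Chrome credential DB
    re.compile(r"\\Google\\Chrome\\User Data", re.IGNORECASE),  # Chrome profile path
    re.compile(r"SYSVOL", re.IGNORECASE),                     # writing/reading SYSVOL
]


def audit_logon_scripts(sysvol_root):
    """Return (gpo_guid, script_name, reasons) for every file under any GPO's
    User\\Scripts\\Logon folder. `reasons` lists the indicator patterns that
    matched; an empty list means the script looked benign."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        parts = dirpath.replace("\\", "/").split("/")
        # Expect .../Policies/{GUID}/User/Scripts/Logon
        if len(parts) < 4 or parts[-3:] != ["User", "Scripts", "Logon"]:
            continue
        gpo_guid = parts[-4]
        for name in sorted(files):
            with open(os.path.join(dirpath, name), "r", errors="replace") as fh:
                body = fh.read()
            reasons = [p.pattern for p in SUSPECT_PATTERNS if p.search(body)]
            findings.append((gpo_guid, name, reasons))
    return findings


def scan_security_events(events):
    """events: iterable of dicts mirroring the named fields of Windows security
    events. Returns a list of human-readable alert strings."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1102:
            alerts.append(f"security log cleared by {ev.get('SubjectUserName')}")
        elif eid == 5136 and ev.get("ObjectClass") == "groupPolicyContainer":
            dn = ev.get("ObjectDN", "")
            label = ("Default Domain Policy"
                     if DEFAULT_DOMAIN_POLICY_GUID.lower() in dn.lower() else dn)
            alerts.append(f"GPO modified: {label} "
                          f"({ev.get('AttributeLDAPDisplayName')}) "
                          f"by {ev.get('SubjectUserName')}")
    return alerts


def build_sample_sysvol():
    """Construct a throwaway SYSVOL-like tree: one benign drive-mapping script
    and, under the Default Domain Policy, stand-ins for the logon.bat and
    IPScanner.ps1 named in the article (constructed; only the paths they
    reference matter for the audit, they contain no harvesting logic)."""
    root = tempfile.mkdtemp(prefix="sysvol_demo_")
    benign = os.path.join(root, "Policies", "{11111111-2222-3333-4444-555555555555}",
                          "User", "Scripts", "Logon")
    suspect = os.path.join(root, "Policies", DEFAULT_DOMAIN_POLICY_GUID,
                           "User", "Scripts", "Logon")
    os.makedirs(benign)
    os.makedirs(suspect)
    with open(os.path.join(benign, "mapdrives.bat"), "w") as fh:
        fh.write("net use H: \\\\fileserver\\home\n")
    with open(os.path.join(suspect, "logon.bat"), "w") as fh:
        fh.write("powershell -File \\\\dc01\\SYSVOL\\IPScanner.ps1\n")
    with open(os.path.join(suspect, "IPScanner.ps1"), "w") as fh:
        fh.write('$p = "$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data"\n')
    return root


# Constructed event records: a routine logon, a change to the Default Domain
# Policy's user-side extensions (the attribute touched when Logon scripts are
# added), and a log clear by the same account.
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "alice"},
    {"EventID": 5136, "SubjectUserName": "svc_backup",
     "ObjectClass": "groupPolicyContainer",
     "ObjectDN": f"CN={DEFAULT_DOMAIN_POLICY_GUID},CN=Policies,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "gPCUserExtensionNames"},
    {"EventID": 1102, "SubjectUserName": "svc_backup"},
]


if __name__ == "__main__":
    root = build_sample_sysvol()
    for guid, name, reasons in audit_logon_scripts(root):
        print(f"{guid} {name}: {'SUSPECT ' + str(reasons) if reasons else 'ok'}")
    for alert in scan_security_events(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

In a real environment the first check is run against `\\<domain>\SYSVOL\<domain>\Policies` and the second against exported security events; a 5136 on the Default Domain Policy followed by a 1102 from the same account is exactly the sequence the researchers describe, and either on its own warrants a look at what was added to the GPO.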

The focus on Chrome browsers, which dominate the market, underscores the attackers’ intent to maximise their haul of passwords. The sheer volume of credentials potentially compromised in this attack is staggering, with average users storing around 87 work-related passwords and twice as many personal ones in their browsers.
The attack not only jeopardises the security of the affected organisation but also opens the door to further breaches across third-party sites where these credentials might be used.
The ripple effects of such a compromise are significant. Researchers explain that beyond the immediate need to change all Active Directory passwords, organisations would face the arduous task of persuading end users to update passwords across potentially hundreds of external accounts. Given that each compromised user could represent dozens or even hundreds of separate breaches, the scale of the problem is daunting.
Researchers are worried by the Qilin ransomware group’s latest move. By targeting endpoint-stored credentials, attackers expand their potential impact far beyond the initial victim organisation. These credentials could be used to gain a foothold in subsequent targets or to amass intelligence on high-value targets for future exploitation.
Cybersecurity experts have urged organisations to deploy multi-factor authentication (MFA) as soon as possible. Despite growing adoption rates, smaller businesses remain vulnerable due to low MFA usage.
“Organisations and individuals should rely on password manager applications that employ industry best practices for software development, and which are regularly tested by an independent third party,” concluded researchers.