
Qilin Ransomware Attack Targets Credentials Stored in Chrome


A recent Qilin ransomware attack targeted credentials that were stored in Google Chrome browsers on a portion of the impacted network’s endpoints. Researchers said the move is an “unusual tactic, and one that could be a bonus multiplier for the chaos already inherent in ransomware situations.”

The incident illustrates the importance of multi-factor authentication - the attacker obtained initial access via compromised credentials for a VPN portal sans MFA - and serves as a warning about the insecure nature of browser-based password managers.

“Organizations and individuals should rely on password manager applications that employ industry best practices for software development, and which are regularly tested by an independent third party,” said Lee Kirkpatrick, Paul Jacobs, Harshal Gosalia and Robert Weiland, researchers with Sophos, in a Thursday breakdown of the incident. “The use of a browser-based password manager has been proven to be insecure time and again.”

Researchers observed the ransomware attack in July against the unnamed victim. After gaining initial access, the attacker stayed quiet for 18 days, potentially indicating that they were an Initial Access Broker, with the aim of infiltrating systems before selling that unauthorized access to other threat groups.

After the pause in activity, the threat group moved laterally to a domain controller using compromised credentials, where they updated the default domain policy to introduce a new logon-based Group Policy Object - a collection of policy settings - with scripts that attempted to harvest Chrome browser credential data for machines connected to the network. Since the scripts were in a logon GPO, they executed on each client machine as it logged in over the course of three days, said researchers.
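One defensive check the GPO step above points to, as an added example that is not from Sophos or this article: a Python audit of the SYSVOL Policies directory that lists every logon or startup script each GPO is configured to run and flags any script not in an approved baseline. The Default Domain Policy normally carries no logon scripts, so any entry there is worth an alert. The policies path, the empty baseline and the script name are assumptions; the SYSVOL tree in `demo()` is constructed in a temporary directory.

```python
import configparser
import os
import tempfile

# Well-known GUID of the Default Domain Policy, the GPO modified in the incident.
DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"

def read_gpo_ini(path):
    """Parse scripts.ini / psscripts.ini; GPMC writes them as UTF-16 with a BOM."""
    with open(path, "rb") as fh:
        raw = fh.read()
    text = raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("utf-8-sig")
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                       # keep key case, e.g. "0CmdLine"
    cp.read_string(text)
    return cp

def gpo_scripts(policies_dir, guid):
    """Yield (scope, event, script, params) for each script a GPO runs at logon/startup."""
    for scope, event in (("User", "Logon"), ("Machine", "Startup")):
        for ini in ("scripts.ini", "psscripts.ini"):   # batch/exe scripts and PowerShell scripts
            path = os.path.join(policies_dir, guid, scope, "Scripts", ini)
            if not os.path.isfile(path):
                continue
            cp = read_gpo_ini(path)
            sec = cp[event] if cp.has_section(event) else {}
            i = 0
            while f"{i}CmdLine" in sec:            # entries are numbered 0CmdLine, 1CmdLine, ...
                yield scope, event, sec[f"{i}CmdLine"], sec.get(f"{i}Parameters", "")
                i += 1

def audit_sysvol(policies_dir, baseline):
    """Return every configured script whose (guid, scope, name) is not in the approved baseline."""
    alerts = []
    for guid in sorted(os.listdir(policies_dir)):
        for scope, event, script, params in gpo_scripts(policies_dir, guid):
            if (guid, scope, script.lower()) not in baseline:
                alerts.append({"gpo": guid, "scope": scope, "event": event,
                               "script": script, "params": params})
    return alerts

def demo():
    """Constructed tree: a PowerShell logon script added to the Default Domain Policy (assumed name)."""
    root = tempfile.mkdtemp()
    scripts_dir = os.path.join(root, DEFAULT_DOMAIN_POLICY, "User", "Scripts")
    os.makedirs(scripts_dir)
    with open(os.path.join(scripts_dir, "psscripts.ini"), "w", encoding="utf-16") as fh:
        fh.write("[Logon]\n0CmdLine=collect.ps1\n0Parameters=\n")
    return audit_sysvol(root, baseline=set())   # nothing approved: the default policy ships no scripts

if __name__ == "__main__":
    for a in demo():
        print(f"ALERT: {a['gpo']} {a['scope']}/{a['event']} runs {a['script']} {a['params']}".rstrip())
```

Run it against the real share by pointing `audit_sysvol` at `\\<domain>\SYSVOL\<domain>\Policies` and seeding `baseline` with the scripts your GPOs are known to run.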


Christopher Budd, director of Sophos X-Ops, said this “combination of credential harvesting, targeting browsers, and using configuration settings at logon to execute the harvesting technique to gather as many credentials from as many Google Chrome browsers in the organization as possible” was noteworthy.

After exfiltrating the stolen credentials, the attackers then deleted all files and cleared the event logs for the domain controller and infected machines, making it difficult for incident response teams to analyze the extent of the attack. They then encrypted files, executed ransomware and dropped a ransom note.

On top of the threat of ransomware, this type of attack creates headaches for organizations. Not only do all Active Directory passwords need to be changed, but all end users need to change any passwords saved in the Chrome browser, which could be as many as dozens or even hundreds of credentials.

The attack was carried out by Qilin, a two-year-old ransomware group that has often used double extortion tactics to steal victims’ data in addition to encrypting their systems, and then threatening to sell or expose that stolen data to put further pressure on the organization to pay. The ransomware-as-a-service was most recently linked to the high-profile attack against blood testing company Synnovis, leading to appointments being postponed at several London hospitals.

“Predictably, ransomware groups continue to change tactics and expand their repertoire of techniques. The Qilin ransomware group may have decided that, by merely targeting the network assets of their target organizations, they were missing out,” said researchers. “If they, or other attackers, have decided to also mine for endpoint-stored credentials – which could provide a foot in the door at a subsequent target, or troves of information about high-value targets to be exploited by other means – a dark new chapter may have opened in the ongoing story of cybercrime.”