Cybersecurity experts have uncovered a disturbing new tactic by the notorious Qilin ransomware, which is now targeting sensitive data stored in Google Chrome browsers. In a recent breach, hackers successfully exfiltrated credentials from an unnamed organization, raising alarms across the cybersecurity community.
Researchers from Sophos revealed that the cybercriminals infiltrated the IT infrastructure using previously compromised VPN credentials. Because the VPN account was not protected by multi-factor authentication (MFA), the stolen credentials alone were enough to give the attackers a foothold. The breach illustrates how VPN access that relies on a password alone, without MFA, leaves organizations exposed to similar attacks.
The attackers, believed to be part of a sophisticated criminal group, dwelled within the compromised system for 18 days. During this time, they managed to move laterally across the network, infecting multiple domain controllers within the organization’s Active Directory. While all domain controllers were compromised, the extent of the damage varied, with some facing more severe consequences.
Qilin uses double-extortion model
Qilin ransomware operates under the classic double-extortion model, where it first steals sensitive data before encrypting the victim’s devices. The attackers then demand a hefty ransom in exchange for the decryption key. What sets Qilin apart from other ransomware operations is its focus on Google Chrome.
Sophos researchers noted that during their investigation, they observed the attackers stealing credentials stored in Google Chrome browsers on network-connected endpoints. This credential-harvesting technique could have far-reaching implications, potentially affecting other organizations connected to the initial target.
The ransomware’s unique approach to targeting Chrome data amplifies the chaos and disruption caused by traditional ransomware attacks. Cybercriminals continue to evolve their tactics, and this latest development underscores the urgent need for organizations to strengthen their cybersecurity measures.
Sophos warns that organizations must prioritize the use of password managers and enable MFA wherever possible. These measures are critical in minimizing the risk of falling victim to similar attacks. As Qilin ransomware spreads its reach, the cybersecurity landscape faces new challenges in safeguarding sensitive data stored in commonly used applications like Google Chrome.