Compromised VPN login used to steal Google Chrome credentials


Sensitive data stored in Google Chrome has been exfiltrated in a Qilin ransomware attack that began with compromised VPN credentials.

The data theft was discovered by security company Sophos during an investigation into recent Qilin ransomware-related data breaches. 

The cyber attack saw a large number of credentials stolen from Google Chrome browsers, showing that even the best VPN can't keep you safe if you don't follow good cybersecurity practices.

How did the data theft happen? 

The attackers used compromised login credentials for a VPN portal to gain access to the environment. That VPN portal did not have multi-factor authentication (MFA) enabled.

After gaining access to the environment, the attackers waited 18 days before increasing their activity on the system, then moved laterally across it using compromised credentials to reach a domain controller.

Once the attackers had access to this domain controller, they edited its default domain policy to introduce malicious code, including a script that harvested credential data stored within Google Chrome. They then deployed a second script that prompted the domain controller to execute the first script, allowing them to harvest any credentials saved to the Google Chrome browsers of machines connected to the network. The scripts ran on each client machine that logged on to the network.

This most likely led to a large number of passwords being stolen. It also means that the data taken from each individual Chrome browser could lead to hundreds of individual data breaches, especially as the average person has 225 passwords for both business and personal logins. If any of these passwords were reused on logins not saved in Google Chrome, it could potentially give hackers access to those accounts, too.

This cyber attack really highlights the importance of regularly updating passwords, using a password manager so you can create unique login credentials for each account, and enabling MFA. While I can't definitively say that updated credentials and MFA would have stopped the hackers entirely, they may have at least slowed them down and alerted the owner of the credentials that someone was trying to access their account, allowing them to intervene.
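Because the scripts reached every client through Group Policy, one defensive check is to review which logon and startup scripts each policy registers. The Python sketch below is an added example, not code from Sophos or from this article: it parses the `scripts.ini` file that a GPO keeps under its `User\Scripts` or `Machine\Scripts` folder in SYSVOL and lists entries missing from an allow-list. The allow-list, the file names and the sample file contents are constructed for illustration.

```python
import configparser
import re

# Assumption: a defender-maintained allow-list of (event, command) pairs; values are hypothetical.
APPROVED = {("Logon", "map-drives.bat")}

# Constructed sample of a GPO User\Scripts\scripts.ini (UTF-16LE with BOM, CRLF line ends).
SAMPLE = b"\xff\xfe" + (
    "\r\n[Logon]\r\n"
    "0CmdLine=map-drives.bat\r\n0Parameters=\r\n"
    "1CmdLine=%LOGONSERVER%\\netlogon\\unreviewed.bat\r\n1Parameters=\r\n"
).encode("utf-16-le")


def parse_scripts_ini(raw: bytes) -> list:
    """Return every script entry a scripts.ini / psscripts.ini file registers."""
    # Group Policy normally writes these files as UTF-16LE; accept UTF-8 copies too.
    text = raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("utf-8-sig")
    # interpolation=None: values may contain %VAR% paths, which configparser would
    # otherwise try to expand and reject.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep the original key case ("0CmdLine")
    cp.read_string(text)
    entries = []
    for event in cp.sections():  # Logon/Logoff (user), Startup/Shutdown (machine)
        for key, value in cp[event].items():
            m = re.fullmatch(r"(\d+)CmdLine", key)
            if m:
                params = cp[event].get(m.group(1) + "Parameters", "")
                entries.append({"event": event, "order": int(m.group(1)),
                                "cmd": value.strip(), "params": params.strip()})
    return entries


def unexpected_scripts(raw: bytes, approved=APPROVED) -> list:
    """Entries whose (event, lower-cased command) is missing from the allow-list."""
    return [e for e in parse_scripts_ini(raw)
            if (e["event"], e["cmd"].lower()) not in approved]


if __name__ == "__main__":
    for entry in unexpected_scripts(SAMPLE):
        print("REVIEW:", entry)
```

Run on a schedule against each policy folder, a check like this surfaces a newly registered script before the next round of logons, rather than after credentials have already been collected.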

What is Qilin ransomware? 

Qilin ransomware refers to the malicious software deployed by the Qilin ransomware group.

The group itself has been active for around two years, but it really became notorious in June of this year thanks to its attack on Synnovis, a scientific and medical partnership between SYNLAB UK & Ireland, King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust which provides services to the NHS.

These attacks severely impacted Synnovis' day-to-day operations (e.g. processing samples) and affected almost all of its IT systems, meaning staff were forced to revert to using paper and pen rather than digital means to complete many of their processes.

Before the Google Chrome data exfiltration attack, the Qilin ransomware gang primarily utilized the "double extortion" technique favoured by the majority of criminal ransomware gangs. This sees the hackers infiltrate a system, encrypt its network, then extort the victim by threatening to release or sell the information they have encrypted unless the victim pays a large amount of money for the encryption key.

You can learn more about Sophos' research into the Qilin ransomware gang here.

Olivia Powell
Tech Software Commissioning Editor
