During a recent investigation of a Qilin ransomware breach, the Sophos X-Ops team identified attacker activity that led to the en masse theft of credentials stored in Google Chrome browsers on a subset of the network's endpoints: a credential-harvesting technique with potential implications far beyond the original victim's organization. This is an unusual tactic, and one that could multiply the chaos already inherent in a ransomware incident.
What’s Qilin?
The Qilin ransomware group has been operating for just over two years. In June 2024 it was attributed an attack on a government service provider whose customers include multiple UK healthcare providers and hospitals. Prior to the activity described in this post, Qilin attacks have typically involved "double extortion": stealing the victim's data, encrypting their files, and then threatening to publish or sell the stolen data unless the victim pays for the decryption key, a tactic we recently analyzed in our research.
In July 2024, the Sophos Incident Response (IR) team was brought in to investigate the attack. On a single domain controller within the target's Active Directory domain, something unusual was observed; the other domain controllers in that AD domain had also been hit by Qilin, but each showed a different infection pattern.
Opening maneuvers
The attacker gained initial access to the environment through compromised credentials. Unfortunately, this method of initial access is nothing new for Qilin (or for other ransomware groups). Our investigation found that the VPN portal lacked multifactor authentication (MFA).
The attacker's dwell time between initial access and the first observed lateral movement was 18 days, which may or may not indicate that an Initial Access Broker (IAB) carried out the original intrusion. Either way, 18 days after initial access, attacker activity increased, with artifacts showing lateral movement to a domain controller using compromised credentials.
Once the attacker reached the domain controller, they edited the default domain policy to introduce a logon-based Group Policy Object (GPO) containing two items.
The first was a PowerShell script named IPScanner.ps1, written to a temporary directory within the SYSVOL share on the specific domain controller involved. SYSVOL is a shared NTFS folder present on every domain controller in an Active Directory domain and replicated between them; it holds the scripts and settings that Group Policy distributes, so anything placed there is reachable from every domain-joined client. The 19-line script attempted to harvest the credentials saved in a user's Google Chrome browser.
The second item was a batch script named logon.bat, containing the commands needed to execute the first script. Together they harvested the credentials saved in Chrome browsers on machines joined to the network. Because both scripts sat in a logon GPO, they ran on each client machine whenever a user logged in, since that is when the GPO is applied.
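The check a defender would want after reading the above is an audit of what a GPO actually pushes from SYSVOL. The following is an added example written for this page, not Sophos code and not the attacker's tooling: it reads the scripts.ini that Group Policy uses to register User logon/logoff and Machine startup/shutdown scripts, follows each entry to the script file, and flags the traits seen in this incident (a batch wrapper launching PowerShell with risky switches, a freshly modified script, a PowerShell file that names Chrome's credential store or a SYSVOL path). The heuristics, the sample GPO folder, the stand-in script contents and the domain name are all assumptions constructed for the demo; the stand-in .ps1 only contains path strings and harvests nothing.

```python
from __future__ import annotations

import hashlib
import os
import re
import tempfile
import time
from pathlib import Path

# Review heuristics assumed for this example (not Sophos indicators). Group Policy registers scripts in
# <GPO>\User\Scripts\scripts.ini (Logon/Logoff) and <GPO>\Machine\Scripts\scripts.ini (Startup/Shutdown);
# the script files live beside it in Scripts\<phase>\.
PS_LAUNCH = re.compile(r"\bpowershell(?:\.exe)?\b", re.I)
PS_RISKY = re.compile(r"-(?:ep|executionpolicy)\s+bypass|-(?:enc|encodedcommand)\b|-w(?:indowstyle)?\s+hidden", re.I)
PS_FILE_ARG = re.compile(r'-file\s+"?([^\s"]+)', re.I)
CHROME_STORE = re.compile(r"Login Data|Local State|User Data\\Default", re.I)
SYSVOL_PATH = re.compile(r"\\SYSVOL\\", re.I)
INI_CMDLINE = re.compile(r"^\d+CmdLine=(.*)$", re.I)


def read_scripts_ini(path: Path) -> str:
    raw = path.read_bytes()  # Group Policy writes scripts.ini as UTF-16 with a BOM; accept UTF-8 too
    return raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("utf-8-sig")


def parse_scripts_ini(path: Path) -> list[tuple[str, str]]:
    """Return (phase, cmdline) pairs such as ('Logon', 'logon.bat')."""
    entries, phase = [], None
    for line in read_scripts_ini(path).splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            phase = line[1:-1]
        elif phase and (m := INI_CMDLINE.match(line)):
            entries.append((phase, m.group(1).strip()))
    return entries


def inspect_script(script: Path, now: float, recent_days: int, known_good: dict, depth: int = 0) -> dict:
    f: dict = {"file": script.name, "flags": []}
    if not script.exists():
        f["flags"].append("script-missing")
        return f
    body = script.read_text(errors="replace")
    f["sha256"] = hashlib.sha256(script.read_bytes()).hexdigest()
    if known_good.get(script.name) != f["sha256"]:
        f["flags"].append("hash-not-allowlisted")
    if now - script.stat().st_mtime < recent_days * 86400:
        f["flags"].append("recently-modified")
    for flag, pattern in (("launches-powershell", PS_LAUNCH), ("risky-powershell-flags", PS_RISKY),
                          ("references-chrome-credential-store", CHROME_STORE),
                          ("references-sysvol-path", SYSVOL_PATH)):
        if pattern.search(body):
            f["flags"].append(flag)
    # Follow a wrapper's "-File x.ps1" to the script it really runs; %~dp0 is the wrapper's own folder.
    if depth < 3 and (m := PS_FILE_ARG.search(body)):
        child = script.parent / m.group(1).replace("%~dp0", "").replace("\\", "/")
        f["launches"] = inspect_script(child, now, recent_days, known_good, depth + 1)
    return f


def audit_gpo(policy_dir: Path, recent_days: int = 7, known_good: dict | None = None) -> list[dict]:
    """policy_dir is one GPO folder under SYSVOL\\<domain>\\Policies; returns one finding per registered script."""
    known_good, now, findings = known_good or {}, time.time(), []
    for scope in ("User", "Machine"):
        ini = policy_dir / scope / "Scripts" / "scripts.ini"
        if not ini.exists():
            continue
        for phase, cmdline in parse_scripts_ini(ini):
            # A relative CmdLine resolves inside Scripts\<phase>\; an absolute one is used as written.
            script = Path(cmdline) if Path(cmdline).is_absolute() else ini.parent / phase / cmdline
            finding = inspect_script(script, now, recent_days, known_good)
            finding.update(scope=scope, phase=phase)
            findings.append(finding)
    return findings


# --- constructed sample GPO folder; the .ps1 is a stand-in that only names Chrome's files and harvests nothing ---
SAMPLE_LOGON_INI = "[Logon]\n0CmdLine=logon.bat\n0Parameters=\n"
SAMPLE_STARTUP_INI = "[Startup]\n0CmdLine=mapdrives.bat\n0Parameters=\n"
SAMPLE_LOGON_BAT = '@echo off\npowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "%~dp0IPScanner.ps1"\n'
SAMPLE_PS1 = ('# stand-in for the example only\n'
              '$src = "$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data"\n'
              '$dst = "\\\\corp.example\\SYSVOL\\corp.example\\tmp\\$env:COMPUTERNAME\\LD"\n')
SAMPLE_BENIGN_BAT = "@echo off\nnet use H: \\\\fs01\\home /persistent:no\n"


def build_sample_policy(root: Path) -> Path:
    gpo = root / "Policies" / "{31B2F340-016D-11D2-945F-00C04FB984F9}"  # well-known Default Domain Policy GUID
    user, machine = gpo / "User" / "Scripts", gpo / "Machine" / "Scripts"
    (user / "Logon").mkdir(parents=True)
    (machine / "Startup").mkdir(parents=True)
    (user / "scripts.ini").write_bytes(SAMPLE_LOGON_INI.encode("utf-16"))
    (user / "Logon" / "logon.bat").write_text(SAMPLE_LOGON_BAT)
    (user / "Logon" / "IPScanner.ps1").write_text(SAMPLE_PS1)
    (machine / "scripts.ini").write_bytes(SAMPLE_STARTUP_INI.encode("utf-16"))
    benign = machine / "Startup" / "mapdrives.bat"
    benign.write_text(SAMPLE_BENIGN_BAT)
    old = time.time() - 400 * 86400
    os.utime(benign, (old, old))  # a long-standing script, unlike the freshly dropped logon pair
    return gpo


def run_demo() -> list[dict]:
    """Build the sample tree, allowlist the known-good startup script, audit the GPO."""
    with tempfile.TemporaryDirectory() as tmp:
        gpo = build_sample_policy(Path(tmp))
        benign = gpo / "Machine" / "Scripts" / "Startup" / "mapdrives.bat"
        allow = {"mapdrives.bat": hashlib.sha256(benign.read_bytes()).hexdigest()}
        return audit_gpo(gpo, known_good=allow)


if __name__ == "__main__":
    for f in run_demo():
        print(f["scope"], f["phase"], f["file"], f["flags"], f.get("launches", {}).get("flags"))
```

Run against a real domain, point `audit_gpo` at each folder under `\\<domain>\SYSVOL\<domain>\Policies` and seed `known_good` from a baseline taken before the incident window; a logon script that is new, unallowlisted, launches hidden PowerShell and names `Login Data` is exactly the combination this incident produced, and a script that writes its output back into SYSVOL is abnormal for any legitimate logon script.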
On the endpoints
Each time a user logged on to an endpoint, logon.bat executed the IPScanner.ps1 script, which in turn created two files: a SQLite database file named LD and a text file named temp.log, as shown in Figure 1.
These files were written to a newly created folder in the domain's SYSVOL share, named after the hostname of the machine on which the script ran (in this case, "Hemlock").
The LD database file has the structure shown in Figure 2.
The attacker left this GPO active on the network for more than 72 hours. That gave users ample opportunity to log on to their devices and, without knowing it, trigger the credential-harvesting script on their systems. And because the mechanism was a logon GPO, each user would repeat the credential theft every time they logged on.
The attacker also took steps to limit what defenders could see, deleting the harvested files and the event logs on both the domain controller and the infected machines, which makes forensic analysis considerably harder. After deleting the evidence, they proceeded to encrypt the files and drop the ransom note, as shown in Figure 3. This ransomware leaves a copy of the note in every directory on the device it runs on.
The Qilin group used Group Policy again as the mechanism for affecting the network: a GPO created a scheduled task that ran a batch file named run.bat, which downloaded and executed the ransomware.
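Both delivery paths described above, the logon GPO (logon.bat launching IPScanner.ps1) and the GPO-created scheduled task (run.bat), leave the same signature in process-creation telemetry: a script executed from a UNC path under SYSVOL, on many hosts within a short window. The following is an added hunting example written for this page, not Sophos detection logic. It evaluates two per-event rules over Sysmon EventID 1 / Windows 4688-style records and then correlates hits fleet-wide. The event records, the hostnames other than Hemlock, the domain, the policy path and the timestamps are constructed for the demo; the assumption that a scheduled task's action appears with svchost.exe (the Task Scheduler service host) as its parent is also stated in the code.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# A script launched from a UNC path under SYSVOL (\\server-or-domain\SYSVOL\...). Quoted paths
# containing spaces are not handled, an accepted gap for the example.
SYSVOL_SCRIPT = re.compile(r'(\\\\[^\s"]+\\SYSVOL\\[^\s"]+\.(?:ps1|bat|cmd|vbs|exe))', re.I)
PS_IMAGE = re.compile(r"\\(?:powershell|pwsh)\.exe$", re.I)
SCHED_PARENT = re.compile(r"\\(?:svchost|taskeng)\.exe$", re.I)  # assumed parent of a Task Scheduler action


def sysvol_script(cmdline: str) -> str | None:
    m = SYSVOL_SCRIPT.search(cmdline)
    return m.group(1).lower() if m else None


def evaluate(events: list[dict], min_hosts: int = 3, window: timedelta = timedelta(hours=72)) -> dict:
    """Per-event rules, plus a fleet-wide correlation over the scripts those rules hit."""
    alerts, seen = [], defaultdict(lambda: {"hosts": set(), "first": None, "last": None})
    for e in sorted(events, key=lambda e: e["ts"]):
        script = sysvol_script(e["cmdline"])
        if not script:
            continue
        rules = []
        if PS_IMAGE.search(e["image"]):             # PowerShell fed a script straight out of SYSVOL
            rules.append("powershell-script-from-sysvol")
        if SCHED_PARENT.search(e["parent_image"]):  # SYSVOL script started by the scheduler, not by a logon
            rules.append("sysvol-script-via-scheduled-task")
        if not rules:
            continue                                # e.g. a plain cmd.exe logon script under userinit.exe
        alerts.append({"host": e["host"], "ts": e["ts"], "user": e["user"], "script": script, "rules": rules})
        s = seen[script]
        s["hosts"].add(e["host"])
        s["first"], s["last"] = s["first"] or e["ts"], e["ts"]
    spread = [{"script": k, "hosts": sorted(v["hosts"]), "span": v["last"] - v["first"]}
              for k, v in seen.items()
              if len(v["hosts"]) >= min_hosts and v["last"] - v["first"] <= window]
    return {"alerts": alerts, "spread": spread}


# --- constructed telemetry; hostnames other than Hemlock, domain, policy path and times are made up ---
T0 = datetime(2024, 7, 1, 8, 0)
GPO = r"\\corp.example\SYSVOL\corp.example\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"


def ev(host, minutes, image, cmdline, parent, user=None):
    return {"host": host, "ts": T0 + timedelta(minutes=minutes), "user": user or f"CORP\\{host.lower()}-user",
            "image": image, "cmdline": cmdline, "parent_image": parent}


def sample_events() -> list[dict]:
    events = []
    for i, host in enumerate(["Hemlock", "Juniper", "Willow", "Laurel"]):
        # logon GPO chain: userinit.exe -> cmd.exe logon.bat -> powershell.exe IPScanner.ps1
        events.append(ev(host, 10 * i, CMD, f'{CMD} /c "{GPO}\\User\\Scripts\\Logon\\logon.bat"',
                         r"C:\Windows\System32\userinit.exe"))
        events.append(ev(host, 10 * i + 1, PS,
                         f'{PS} -ExecutionPolicy Bypass -WindowStyle Hidden -File "{GPO}\\User\\Scripts\\Logon\\IPScanner.ps1"',
                         CMD))
    for i, host in enumerate(["Hemlock", "Juniper", "Willow"]):
        # three days later: the GPO-created scheduled task runs run.bat under the scheduler service host
        events.append(ev(host, 3 * 24 * 60 + i, CMD, rf"{CMD} /c \\corp.example\SYSVOL\corp.example\scripts\run.bat",
                         r"C:\Windows\System32\svchost.exe", user="NT AUTHORITY\\SYSTEM"))
    # benign noise: a local inventory task and an ordinary drive-mapping logon script from SYSVOL
    events.append(ev("Laurel", 5, PS, rf"{PS} -File C:\ProgramData\Inventory\inv.ps1", r"C:\Windows\System32\svchost.exe"))
    events.append(ev("Willow", 25, CMD, rf'{CMD} /c "\\corp.example\SYSVOL\corp.example\scripts\mapdrives.bat"',
                     r"C:\Windows\System32\userinit.exe"))
    return events


def run_demo() -> dict:
    return evaluate(sample_events())


if __name__ == "__main__":
    result = run_demo()
    for a in result["alerts"]:
        print(a["ts"], a["host"], a["rules"], a["script"].rsplit("\\", 1)[-1])
    for s in result["spread"]:
        print("fleet-wide:", s["script"].rsplit("\\", 1)[-1], s["hosts"], s["span"])
```

The per-event rules will fire on some legitimate administration in environments that run PowerShell logon scripts, which is why the fleet-wide correlation matters: a script that appears on several hosts inside one window, tied to a GPO change on a domain controller, is the pattern to page on, while the plain drive-mapping logon script under userinit.exe produces nothing.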
Impact
The IPScanner.ps1 script targeted Chrome browsers, statistically the browser most likely to return a large password haul, since Chrome currently holds just over 65 percent of the browser market. The success of each attempt would depend on exactly which credentials each user had saved in the browser. As for how many that might be, a recent survey indicates that the average user has around 87 work-related passwords, and roughly twice as many personal ones.
A successful compromise of this kind would mean that defenders must not only change all Active Directory passwords but also, in theory, ask end users to change their passwords on the dozens or potentially hundreds of third-party sites for which they have saved username-password combinations in Chrome, a Herculean task. Defenders have no way to make users do that. And although nearly every internet user has by now received at least one "your information has been breached" notice from a site that mishandled its users' data, here the situation is reversed: one user, dozens or hundreds of separate breaches.
Notably, in this specific attack, the other domain controllers in the same Active Directory domain were encrypted, but the domain controller where this GPO was originally configured was left unencrypted by the ransomware. What that might mean (a misfire, an oversight, or A/B testing by the attacker) is beyond the scope of our investigation and analysis.
Conclusion
Predictably, ransomware groups continue to change tactics and expand their repertoire of techniques. The Qilin ransomware group may have decided that, by targeting only the network assets of their victim organizations, they were missing out.
If they, or other attackers, have decided to also mine endpoint-stored credentials, which could provide a foot in the door at a subsequent target, or troves of information about high-value targets to be exploited by other means, a dark new chapter may have opened in the ongoing story of cybercrime.
Acknowledgements
SophosLabs’ Anand Ajjan, along with Ollie Jones and Alexander Giles from the Incident Response team, collaborated on this assessment.
Response and remediation
Organizations and individuals should rely on password manager applications that follow industry best practices for software development and are regularly tested by an independent third party. Browser-based password managers have been shown to be insecure time and again, and this case is another example. The reason a logon script is enough to empty one is that Chrome on Windows protects saved passwords with keys tied to the logged-on user's Windows account (DPAPI), so any code running in that user's session can recover them; a standalone password manager whose vault is locked with its own master secret does not give up its contents simply because the user is logged on.
Multifactor authentication would have been a crucial preventative measure here. While MFA adoption is on the rise, a 2024 LastPass survey found that adoption is respectable among large corporations (more than 10,000 employees) at 87 percent, but that the figure drops considerably with company size: 78 percent for companies with 1,001-10,000 employees, and just 27 percent for businesses with 25 or fewer employees. Companies need to step up their security efforts to protect themselves and others in an interconnected digital landscape.
The attacker's use of PowerShell was important to our investigation. Our research on PowerShell-based attacks is freely available, along with much other published work on the subject.
Sophos detects Qilin ransomware as and with behavioral detections like & .