Ransomware operators are now stealing the credentials saved in Google Chrome, a new twist in the cybercrime landscape. Qilin, a Russia-linked group known for the June attack that disrupted U.K. hospitals, has been identified as the group behind this latest intrusion.
Qilin, which has run a ransomware-as-a-service operation since October 2022, has added the theft of credentials stored in Chrome to its playbook. Because a browser saves passwords for services well outside the victim's own network, the technique extends the reach of an intrusion beyond the original target and makes recovery considerably harder.
In a recent attack analyzed by Sophos researchers, Qilin operators entered a victim's network with compromised credentials, logging in to a VPN portal that had no multi-factor authentication. The attackers then stayed quiet for 18 days before moving laterally, compromising a domain controller, and harvesting the credentials stored in Chrome on machines joined to the domain.
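Chrome keeps saved logins in an SQLite file named "Login Data" inside each profile directory, and on Windows the AES key that protects the passwords sits, wrapped with the user's DPAPI key, in the profile's "Local State" file. A harvester therefore has to read those files, and any process other than the browser doing so is a strong signal. The routine below is an added example, not code from the article or from Sophos, that runs that check over Windows object-access audit records (Security event 4663 with a SACL on the Chrome profile directory). The event records are constructed for the example, the field names follow 4663, and the user, host paths and process names are hypothetical.

```python
"""Flag non-browser processes that read Chrome's saved-password store.

Input: object-access audit records shaped like Windows Security event 4663
(SubjectUserName, ProcessName, ObjectName, AccessMask). The sample events
at the bottom are constructed for this example, not real telemetry.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Files in a Chrome profile that hold, or unlock, saved passwords.
# "Login Data For Account" is the store for a signed-in Google account profile.
SENSITIVE_FILES = {"login data", "login data for account", "local state"}

# Any path under a Chrome "User Data" directory; drive letter and user vary.
CHROME_USER_DATA = re.compile(r"\\google\\chrome\\user data\\", re.IGNORECASE)

# The only process expected to open the store in normal use.
ALLOWED_IMAGES = {"chrome.exe"}

# FILE_READ_DATA bit of the 4663 AccessMask. Explorer listing a directory
# logs ReadAttributes (0x80) on these files, which is noise, not a read.
READ_DATA = 0x1


@dataclass(frozen=True)
class Access:
    account: str      # SubjectUserName
    process: str      # ProcessName, full path
    object_name: str  # ObjectName, full path
    access_mask: str  # AccessMask as logged, hex string such as "0x1"


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def is_chrome_secret(path: str) -> bool:
    """True for Login Data / Local State files under a Chrome profile."""
    return bool(CHROME_USER_DATA.search(path)) and basename(path).lower() in SENSITIVE_FILES


def reads_data(mask: str) -> bool:
    return int(mask, 16) & READ_DATA != 0


def suspicious(ev: Access) -> bool:
    """A data read of a Chrome secret file by anything other than the browser."""
    return (
        is_chrome_secret(ev.object_name)
        and reads_data(ev.access_mask)
        and basename(ev.process).lower() not in ALLOWED_IMAGES
    )


def triage(events: Iterable[Access]) -> Dict[Tuple[str, str], List[str]]:
    """Group suspicious reads by (process image, account) -> files touched."""
    hits = defaultdict(set)
    for ev in events:
        if suspicious(ev):
            hits[(basename(ev.process).lower(), ev.account)].add(basename(ev.object_name))
    return {key: sorted(files) for key, files in hits.items()}


# Constructed sample: one legitimate browser read, one attribute-only read by
# Explorer, one unrelated file read, and a script reading both secret files.
PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
SAMPLE_EVENTS = [
    Access("alice", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
           PROFILE + r"\Default\Login Data", "0x1"),
    Access("alice", r"C:\Windows\explorer.exe",
           PROFILE + r"\Default\Login Data", "0x80"),
    Access("alice", r"C:\Tools\backup.exe",
           r"C:\Users\alice\Documents\notes.txt", "0x1"),
    Access("alice", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           PROFILE + r"\Default\Login Data", "0x1"),
    Access("alice", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           PROFILE + r"\Local State", "0x1"),
]


if __name__ == "__main__":
    for (proc, user), files in triage(SAMPLE_EVENTS).items():
        print(f"{user}: {proc} read {', '.join(files)}")
```

Reading "Local State" alongside "Login Data" is the combination to alert on hardest, since the database alone is useless without the wrapped key; a process that copies both is almost certainly preparing to decrypt them offline or in the user's DPAPI context. Backup agents and EDR sensors that legitimately open profile files should be added to the allow-list by full path, not by image name alone.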
With Chrome holding a large share of the browser market, the attackers recognized the value of the credentials it stores. Sophos researchers estimate that an average of 87 work-related passwords, and roughly twice as many personal ones, are saved per machine, which makes the browser's password store a lucrative target.
With credentials pulled from Chrome, a ransomware group like Qilin gains access to every application and site those passwords unlock, opening the door to further exploitation of high-value targets well beyond the network it originally breached. The approach marks a dark turn in ransomware tactics and illustrates how quickly the threat landscape organizations face keeps evolving.
As ransomware groups look for new ways in, enforcing multi-factor authentication on VPN portals and other remote-access services is the first line of defense against an intrusion like this one. Because the passwords harvested from a browser include accounts outside the victim's own estate, recovery also has to cover forced resets on every site saved in the affected browsers, not only domain accounts, and organizations that prefer a managed password manager can disable browser saving by policy (Chrome exposes this as the PasswordManagerEnabled policy). Organizations are urged to stay vigilant and keep strengthening their defenses as these threats evolve.