Qilin Ransomware Adopts Aggressive Credential Harvesting - October 2024 Update

Threat Group: Qilin (formerly known as "Agenda")
Threat Type: Ransomware-as-a-Service (RaaS)
Exploited Vulnerabilities: Zero-day vulnerabilities, VPN access without multi-factor authentication (MFA), spear-phishing, and remote monitoring tools
Malware Used: Qilin Ransomware, with variants developed in Golang and Rust
Threat Score: High (8.8/10) — due to its sophisticated tactics and significant impact on critical healthcare infrastructure
Last Threat Observation: October 2024 (linked to attacks on London hospitals and other healthcare entities)

Overview

The Qilin ransomware group, also known as Agenda, has been active since 2022 and has progressively evolved its tactics. Recently, the group has escalated its operations by targeting credentials stored in Google Chrome browsers, significantly heightening the risk profile for affected organizations. Combined with its established double-extortion methods, this tactic makes Qilin a severe threat to both organizational data and credentials.

Recent Developments

  • Credential Harvesting: The Qilin group has started using a custom script to harvest credentials stored in Google Chrome browsers. The attack begins with compromised VPN credentials (often for accounts lacking multi-factor authentication), which Qilin uses to gain initial network access. The group then deploys Group Policy Objects (GPOs) to distribute the malicious scripts to every domain-joined machine, stealing credentials at scale before launching its ransomware payload.
  • Persistent Threat: In recent incidents, Qilin remained undetected for extended periods, conducting reconnaissance before executing its attacks. During a notable attack in 2024, the group kept its credential-harvesting GPO active for up to 18 days, ensuring widespread compromise before initiating data encryption. This indicates a high level of sophistication and patience, allowing the group to maximize the impact of its operations.

Indicators of Compromise (IOCs)

  • File Indicators:
    • Batch Scripts: Look for unusual batch scripts like logon.bat and PowerShell scripts like IPScanner.ps1, which are used to steal credentials.
    • Log Files: Presence of suspicious SQLite database files or log files named LD or temp.log located in system directories.
  • Network Indicators:
    • Monitor for unusual lateral movements, especially to domain controllers.
    • Abnormal network traffic indicating credential exfiltration to remote servers.
  • Credential Access:
    • Unauthorized access attempts using compromised VPN credentials.
    • Anomalies in user login patterns or unauthorized access attempts to high-privilege accounts.

Mitigation Strategies

  • Enforce Multi-Factor Authentication (MFA): Implement MFA across all remote access systems to reduce the risk of unauthorized access through compromised credentials.
  • Regular Auditing and Monitoring: Continuously audit GPO configurations and monitor network activity to quickly identify unauthorized changes and lateral movement.
  • Restrict Credential Storage: Discourage storing sensitive credentials in web browsers. Instead, use secure password management solutions.
  • Patch Management: Regularly update all software to patch known vulnerabilities, reducing the chances of exploitation for credential theft.
  • Network Segmentation: Implement strict network segmentation to limit the spread of ransomware and other malicious activities within your environment.
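As an added hunting example that is not part of the advisory or any of its sources, the Python helper below ties the file-name indicators listed above to the GPO-auditing mitigation: it walks an offline copy of SYSVOL, reads only the GPO logon/startup script folders, and flags scripts by the named files (logon.bat, IPScanner.ps1, LD, temp.log) and by content that references Chrome's profile store ("User Data" and "Login Data" are Chrome's real file names) or SQLite. The GPO GUID and the three sample scripts are constructed for the demonstration.

```python
import os
import re
import tempfile

IOC_NAMES = {"logon.bat", "ipscanner.ps1", "temp.log", "ld"}  # file names from the advisory
# A GPO logon script should never reference Chrome's profile store ("User Data",
# "Login Data" are Chrome's real names), SQLite, or the advisory's LD / temp.log files.
CONTENT_PATTERNS = {
    "chrome_profile_path": re.compile(r"Google\\Chrome\\User Data|Login Data", re.I),
    "sqlite_access": re.compile(r"sqlite", re.I),
    "ioc_output_file": re.compile(r"\btemp\.log\b|\\LD\b", re.I),
}

def scan_script(path):
    """Return the reasons a script looks suspicious (empty list if none)."""
    reasons = ["ioc_filename"] if os.path.basename(path).lower() in IOC_NAMES else []
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return reasons + [label for label, rx in CONTENT_PATTERNS.items() if rx.search(text)]

def hunt_sysvol(root):
    """Walk a SYSVOL copy; only GPO 'Scripts' folders (logon/startup) are read."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        if "scripts" not in dirpath.lower():
            continue  # GPT.INI, registry.pol etc. are not scripts
        for name in files:
            full = os.path.join(dirpath, name)
            if reasons := scan_script(full):
                findings[os.path.relpath(full, root)] = reasons
    return findings

def build_sample_tree():
    """Constructed sample SYSVOL under a hypothetical GPO GUID; returns its root."""
    root = tempfile.mkdtemp()
    gpo = os.path.join(root, "Policies", "{HYPOTHETICAL-GPO-GUID}")
    samples = {  # two constructed malicious scripts plus one benign drive-mapping script
        ("User", "Scripts", "Logon", "logon.bat"):
            "@echo off\npowershell -File %~dp0IPScanner.ps1 > %TEMP%\\temp.log\n",
        ("User", "Scripts", "Logon", "IPScanner.ps1"):
            '$src = "$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data"\n'
            '$out = "$env:TEMP\\LD"\n',
        ("Machine", "Scripts", "Startup", "mapdrives.bat"): "net use H: \\\\fs01\\home\n",
    }
    for parts, body in samples.items():
        path = os.path.join(gpo, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Point hunt_sysvol at a copy of \\<domain>\SYSVOL\<domain>\Policies taken from a domain controller; every flagged script should be cross-checked against the GPO's change history, since a legitimate logon script that is merely named logon.bat will match on file name alone.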

Conclusion

The Qilin ransomware group exemplifies the ongoing evolution of ransomware tactics, with a recent focus on credential theft from the Chrome browser. Its attacks are increasingly sophisticated and concentrated on the healthcare and enterprise sectors, highlighting the need for organizations to strengthen their defenses. Adopting MFA, securing credentials, and enhancing network monitoring are crucial steps to mitigate this evolving threat.

Sources

  • BleepingComputer: "Qilin ransomware now steals credentials from Chrome browsers"
  • The Register: "Qilin has ‘no regrets’ over the healthcare crisis it caused"
  • Dark Reading: "Qilin Ransomware Operation Outfits Affiliates With Sleek, Turnkey Cyberattacks"
  • Security Affairs: "Qilin ransomware attack on Synnovis impacted over 900,000 patients"