Qilin Ransomware Adopts Aggressive Credential Harvesting

Overview

The Qilin ransomware group, also known as Agenda, has been active since 2022, progressively evolving its tactics. The group recently escalated its operations by targeting credentials stored in Google Chrome browsers, significantly heightening the risk profile for affected organizations. This tactic, coupled with their established methods of double extortion, makes Qilin a severe threat to both organizational data and credentials.

Recent Developments

  • Credential Harvesting: The Qilin group has started using a custom script to harvest credentials stored in Google Chrome browsers. This attack begins with compromised VPN credentials (often lacking multi-factor authentication), which Qilin uses to gain initial network access. They then deploy Group Policy Objects (GPOs) to distribute the malicious scripts across all domain-connected machines, stealing credentials on a massive scale before launching their ransomware payloads.
  • Persistent Threat: In recent incidents, Qilin remained undetected for extended periods, conducting reconnaissance before executing their attacks. This indicates a high level of sophistication and patience, allowing them to maximize the impact of their operations. For instance, during a notable attack in 2024, the group left their credential-harvesting GPO active for three days, ensuring widespread compromise before initiating data encryption.

Indicators of Compromise (IOCs)

  • File Indicators: Look for unusual batch scripts, such as logon.bat, or PowerShell scripts like IPScanner.ps1, which are used to steal credentials. Other signs include the presence of suspicious SQLite database files or logs like LD and temp.log.
  • Network Indicators: Monitor for abnormal lateral movement, particularly involving domain controllers, and any unusual network traffic associated with the exfiltration of credentials to remote servers.
  • Credential Access: Be alert for unauthorized access attempts using VPN credentials and any anomalies in user login behavior across the network.
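A small triage routine, added here as an illustration and not taken from any of the cited reports, that applies the file indicators above to process-creation telemetry and escalates when a Group Policy object change is followed by the same script running on several hosts (the GPO-driven mass deployment described above). The event records are constructed in the shape of Windows Security events 4688 and 5136; the host names, users, and the SYSVOL path are made up.

```python
import re
from collections import defaultdict

# File names the brief associates with Qilin's credential-harvesting GPO.
SUSPECT_FILES = ("logon.bat", "IPScanner.ps1", "LD", "temp.log")
FILE_RE = re.compile(
    r"(?<![\w.])(" + "|".join(re.escape(f) for f in SUSPECT_FILES) + r")(?![\w.])",
    re.IGNORECASE,
)

# Constructed sample records (not real telemetry) shaped like Windows Security
# events: 5136 = directory object modified, 4688 = new process created.
SAMPLE_EVENTS = [
    {"EventID": 5136, "Host": "DC01", "User": "CORP\\admin2",
     "ObjectClass": "groupPolicyContainer", "Attribute": "gPCFileSysPath"},
    {"EventID": 4688, "Host": "WS-014", "User": "CORP\\jdoe",
     "CommandLine": r"powershell.exe -ep bypass -File \\corp.local\SysVol\corp.local\scripts\IPScanner.ps1"},
    {"EventID": 4688, "Host": "WS-022", "User": "CORP\\asmith",
     "CommandLine": r"powershell.exe -ep bypass -File \\corp.local\SysVol\corp.local\scripts\IPScanner.ps1"},
    {"EventID": 4688, "Host": "WS-031", "User": "CORP\\mlee",
     "CommandLine": r"cmd.exe /c \\corp.local\SysVol\corp.local\scripts\logon.bat"},
    {"EventID": 4688, "Host": "WS-031", "User": "CORP\\mlee",
     "CommandLine": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]

def suspect_file(command_line):
    """Return the matched indicator file name (lower-cased), or None."""
    m = FILE_RE.search(command_line)
    return m.group(1).lower() if m else None

def triage(events, spread_threshold=2):
    """Flag process creations that reference an indicator file; raise severity
    to high when a GPO was modified and the same script ran on at least
    spread_threshold distinct hosts, the pattern of GPO-pushed deployment."""
    gpo_changed = any(e["EventID"] == 5136 and e.get("ObjectClass") == "groupPolicyContainer"
                      for e in events)
    hosts_by_file = defaultdict(set)
    alerts = []
    for e in events:
        if e["EventID"] != 4688:
            continue
        name = suspect_file(e["CommandLine"])
        if name:
            hosts_by_file[name].add(e["Host"])
            alerts.append({"host": e["Host"], "user": e["User"], "artefact": name, "severity": "medium"})
    for a in alerts:
        if gpo_changed and len(hosts_by_file[a["artefact"]]) >= spread_threshold:
            a["severity"] = "high"
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

In production the same logic would read from the SIEM rather than an inline list, and the GPO-change signal should be narrowed to the specific policy whose `gPCFileSysPath` points at the flagged scripts.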

Mitigation Strategies

  1. Enforce Multi-Factor Authentication (MFA): Ensure that MFA is implemented across all remote access systems to prevent unauthorized entry through compromised credentials.
  2. Regular Auditing and Monitoring: Conduct continuous network monitoring and auditing of GPO configurations to detect and mitigate unauthorized changes promptly.
  3. Restrict Credential Storage: Advise against storing sensitive credentials in web browsers, particularly in enterprise environments. Use dedicated password management solutions that provide better security controls.
  4. Patch Management: Regularly update and patch all systems to close known vulnerabilities, especially those that can be exploited for credential theft or lateral movement.
  5. Network Segmentation: Implement strict network segmentation to limit the spread of an attack and reduce the attack surface within your environment.

Conclusion

The Qilin ransomware group exemplifies the ongoing evolution of ransomware tactics, underscoring the necessity for heightened vigilance and advanced security measures within organizations. Their recent shift to stealing credentials saved in browsers significantly amplifies the potential damage, not just by compromising network security but by endangering the broader digital ecosystem. This development highlights the critical need for implementing multi-factor authentication, restricting browser-based credential storage, and ensuring comprehensive monitoring and response strategies. As ransomware groups like Qilin continue to innovate, organizations must proactively enhance their cybersecurity posture to mitigate these advanced threats.
