Sophos X-Ops Uncovers Major Qilin Ransomware Breach Targeting Chrome Browser Credentials


Cybersecurity firm Sophos X-Ops has exposed a significant ransomware breach by the Qilin group, which has introduced a new and highly concerning technique of stealing credentials stored in Google Chrome browsers on compromised systems. Qilin, active since at least 2022, is already notorious for its “double extortion” strategy. This method involves encrypting the victim’s data while simultaneously threatening to leak or sell the data unless a ransom is paid. 
The discovery of Qilin’s latest tactic underscores the evolution of ransomware attacks into more sophisticated and damaging operations.

The breach came to light following an attack on Synnovis, a UK governmental healthcare service provider. 

The attack began with the exploitation of compromised credentials to access the organization’s VPN portal, which lacked multi-factor authentication (MFA), allowing the attackers initial access. Once inside, the attackers spent 18 days conducting surveillance before moving laterally to a domain controller. 
Here, they modified a Group Policy Object (GPO) to deploy a malicious PowerShell script named `IPScanner.ps1`. The script was designed to harvest login credentials stored in Google Chrome browsers and, because it was delivered through the GPO, ran automatically every time a user logged into their device. 
The stolen credentials were stored in the SYSVOL share, labe

[…]
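The chain described above (a logon script delivered via GPO from SYSVOL that touches Chrome's credential store and writes its output back to SYSVOL) is unusual enough to alert on. Below is an added detection example, not code from Sophos or from the article, that scores PowerShell script-block log records against those indicators; the log records, the `corp.example` domain and the event layout are constructed assumptions, and it assumes PowerShell Script Block Logging (Event ID 4104) is enabled.

```python
import re

# Constructed sample of PowerShell script-block log records (Windows Event ID 4104,
# reduced to the script path and the logged script text). Not real telemetry.
SAMPLE_EVENTS = [
    {"path": r"\\corp.example\SYSVOL\corp.example\scripts\IPScanner.ps1",
     "text": r'$db = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data"; '
             r'<collection elided>; $rows | Out-File "\\corp.example\SYSVOL\corp.example\scripts\out.txt"'},
    {"path": r"C:\Scripts\Invoke-Inventory.ps1",
     "text": r"Get-CimInstance Win32_OperatingSystem | Export-Csv C:\inv.csv"},
    {"path": r"\\corp.example\SYSVOL\corp.example\Policies\{GUID}\Machine\Scripts\Startup\map-drives.ps1",
     "text": r"New-PSDrive -Name H -PSProvider FileSystem -Root \\fs01\home"},
]

# Indicators drawn from the attack chain in the article. Each one is weak alone
# (GPO scripts legitimately live in SYSVOL); the combination is the signal.
CHROME_LOGIN_DATA = re.compile(r"Google\\Chrome\\User Data\\[^\"']*Login Data", re.I)
SYSVOL_WRITE = re.compile(r"(Out-File|Set-Content|Add-Content|Export-Csv)[^\n]*\\\\[^\s\"']+\\SYSVOL\\", re.I)
RUNS_FROM_SYSVOL = re.compile(r"^\\\\[^\\]+\\SYSVOL\\", re.I)


def analyse_event(event):
    """Return (severity, indicators) for one script-block record.

    severity is None (nothing notable), "high" (the script reads Chrome's
    Login Data store) or "critical" (it does so while running from, or
    writing its output to, the SYSVOL share, i.e. the GPO every-logon pattern).
    """
    hits = []
    if CHROME_LOGIN_DATA.search(event["text"]):
        hits.append("reads_chrome_login_data")
    if RUNS_FROM_SYSVOL.match(event["path"]):
        hits.append("runs_from_sysvol")
    if SYSVOL_WRITE.search(event["text"]):
        hits.append("writes_to_sysvol")
    if "reads_chrome_login_data" not in hits:
        return None, hits  # SYSVOL alone is normal; Chrome credential access is the pivot
    return ("critical" if len(hits) > 1 else "high"), hits


def triage(events):
    """Map script path -> (severity, indicators) for every record that scored."""
    results = {}
    for event in events:
        severity, hits = analyse_event(event)
        if severity:
            results[event["path"]] = (severity, hits)
    return results


if __name__ == "__main__":
    for path, (severity, hits) in triage(SAMPLE_EVENTS).items():
        print(f"{severity.upper():8} {path}  <- {', '.join(hits)}")
```

Pair this with change auditing on the GPO objects themselves (Event ID 5136 on the domain controller) so a modified logon script is caught when it is planted, not only when it runs.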

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
