
Ransomware Group Harvests Credentials Through Google Chrome

A new wrinkle in an old attack method threatens password security for Google Chrome users. As investigated and reported by Sophos, a ransomware group called Qilin has developed a sinister tactic: stealing stored passwords from infected users before shutting down an organization’s systems and holding them for ransom. The Qilin group gained access to an organization’s Virtual Private Network (VPN) by using stolen login credentials, which they acquired through unknown means, possibly phishing or malware. The absence of multifactor authentication (MFA) on the VPN further eased their access, enabling them to enter the network without triggering alarms.

Once inside, the attackers employed scripts designed to harvest credentials saved in users’ Chrome browsers. This approach allowed them to collect sensitive information, including access details for various third-party accounts, amplifying the impact of their breach. The ability to obtain not just organizational data but also personal credentials creates a significant risk to both employees and their companies, as each compromised password can cascade into additional security breaches.

An Evolving Tactic of a Ransomware Group

Ransomware attacks typically begin with an initial breach of a network, often through compromised credentials. The system’s data is then encrypted by the intruder and held hostage until the ransom demands are met. Qilin’s added credential-harvesting step is particularly worrying because it specifically targeted the passwords stored in Google Chrome, which holds the largest share of browser users at over 65%. This means that millions are potentially at risk. Browser users often store an astonishing average of 87 work-related and 168 personal passwords across various platforms.

This creates a potential form of “double extortion,” allowing the group to threaten other types of attacks unless further payment is made. As ransomware incidents like this become more sophisticated, organizations must stay informed about these emerging tactics to prepare effective defenses.

The Risks of Credential Harvesting

The implications of credential harvesting are significant. Once attackers gain access to stored passwords, the potential for chaos multiplies. As mentioned, an average user could experience hundreds of breaches from a single ransomware incident due to the sheer number of stored credentials. In the context of Qilin’s operations, the attackers managed to sit and watch their victims for an alarming 18 days! This allowed them ample opportunity to capture and exploit sensitive information.

This evolution in tactics demands a proactive response from organizations. For example, if an attacker gains access to a network and steals elevated credentials, they could explore the entire domain, potentially exposing countless other accounts and users across different systems. Coupled with the reality that many organizations are behind in using multi-factor authentication (MFA)—with only 27% of companies with fewer than 25 employees utilizing this technology—the potential damage multiplies quickly.

Best Practices for Protecting Yourself and Your Organization

  1. Implement Multifactor Authentication (MFA): MFA is a powerful tool to add an additional layer of protection beyond just passwords. This is especially crucial since, again, many small businesses do not utilize MFA. Organizations can significantly mitigate risks by requiring two or more forms of verification for accessing sensitive data.
  2. Utilize Secure Password Managers: Transitioning to password manager applications that employ strong encryption protocols can help users securely store and manage their passwords. Browser-based password managers have proven insecure and should be avoided.
  3. Regular User Training on Phishing Recognition: Many ransomware attacks begin with phishing attempts. Conducting regular training sessions will empower users to recognize attempts to access their credentials and report suspicious activities.
  4. Monitor for Unusual Access Patterns: Use logging and monitoring tools to analyze user access patterns. Unusual activity can often be a sign of compromised credentials and should be investigated promptly.
  5. Conduct Security Audits and Penetration Testing: Regular assessments of your organization’s cybersecurity posture can uncover vulnerabilities. Employing ethical hackers to simulate attacks can provide insights into potential weaknesses.
  6. Create a Robust Incident Response Plan: It’s essential to have a plan in place that addresses ransomware scenarios, detailing steps for containment, eradication, and recovery.
  7. Segment Networks: Implement network segmentation to restrict lateral movement within your infrastructure if a breach occurs. This can prevent attackers from accessing critical systems after they compromise one entry point.
  8. Back Up Critical Data Regularly: Ensure that backups are maintained and stored securely to enable quick recovery in the event of a ransomware attack. Backup strategies should also be monitored to ensure that they remain effective.
  9. Maintain a Security Culture: Training should go beyond initial sessions; creating a culture of security awareness among employees helps sustain vigilance against evolving threats.
  10. Collaborate with Threat Intelligence Services: Staying informed about current attacks and trends can be invaluable. Collaborating with cybersecurity experts can provide insights into how best to defend against new tactics.
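As an added illustration of item 4 applied to the Chrome credential theft described above (example code written for this page, not from Sophos or the article’s author), the following Python flags file-access telemetry in which a process other than Chrome reads a profile’s saved-password store, and in which one process sweeps several users’ profiles, the pattern a harvesting script would leave. The event format, field names and sample lines are constructed for the example.

```python
import json
import re
from collections import defaultdict

# Chrome keeps saved credentials in the SQLite file "Login Data" inside each profile.
CHROME_LOGIN_DATA = re.compile(
    r"[\\/]Google[\\/]Chrome[\\/]User Data[\\/][^\\/]+[\\/]Login Data$", re.I)
# Pulls the owning account name out of a C:\Users\<name>\... path.
PROFILE_OWNER = re.compile(r"Users[\\/]([^\\/]+)[\\/]", re.I)
# Only the browser itself is expected to open its own password store.
EXPECTED_PROCESSES = {"chrome.exe"}

# Constructed EDR-style file-read events (one JSON object per line), not real telemetry.
SAMPLE_EVENTS = r"""
{"host":"WS01","user":"alice","process":"chrome.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"host":"WS01","user":"alice","process":"powershell.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"host":"WS01","user":"alice","process":"powershell.exe","path":"C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"host":"WS02","user":"carol","process":"explorer.exe","path":"C:\\Users\\carol\\Documents\\notes.txt"}
""".strip()


def detect_login_data_access(lines):
    """Return alerts for Chrome 'Login Data' reads by unexpected processes, plus a
    separate alert when one process on a host touches more than one user's profile."""
    alerts = []
    profiles_seen = defaultdict(set)  # (host, process) -> profile owners read
    for line in lines:
        ev = json.loads(line)
        if not CHROME_LOGIN_DATA.search(ev["path"]):
            continue  # not the password store, ignore
        proc = ev["process"].lower()
        if proc in EXPECTED_PROCESSES:
            continue  # the browser reading its own data is normal
        owner_match = PROFILE_OWNER.search(ev["path"])
        owner = owner_match.group(1) if owner_match else "unknown"
        profiles_seen[(ev["host"], proc)].add(owner)
        alerts.append({"host": ev["host"], "process": proc, "user": ev["user"],
                       "profile_owner": owner,
                       "reason": "non-browser process read Chrome Login Data"})
    # A single process reading several users' stores looks like a credential sweep.
    for (host, proc), owners in profiles_seen.items():
        if len(owners) > 1:
            alerts.append({"host": host, "process": proc, "profiles": sorted(owners),
                           "reason": "single process read Login Data of multiple profiles"})
    return alerts


if __name__ == "__main__":
    for alert in detect_login_data_access(SAMPLE_EVENTS.splitlines()):
        print(alert)
```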

A Shared Responsibility

This emergence of credential-focused attacks highlights that everyone is at risk and should play a role in safeguarding their digital environments. Protecting sensitive information is not solely the responsibility of IT departments; it requires a collective effort from all employees within an organization.

Final Thoughts

Ultimately, the evolving landscape of cybersecurity attacks demands proactive and focused attention. Qilin ransomware and others like them are not merely targeting corporate assets—they are exploiting users’ everyday behaviors and practices. By committing your organization to security best practices you foster a culture of cybersecurity awareness. Individuals can then cultivate a safer digital environment for themselves and their colleagues.

If you’re struggling to keep up with the implementation of security practices for your team, please contact us for a consultation. With a united focus on awareness and protection, employees can contribute to the security of their organizations and protect themselves from the sophisticated tactics employed by cybercriminals.

Author

Acuity Manager

Acuity Total Solutions provides complete facility support from IT solutions to Cybersecurity, and Landscaping to Custodial. From Dirt to Data, Acuity is the total solution.