Qilin group observed using custom tool for widespread credentials theft
Ransomware, Threat Intelligence

The Qilin ransomware group has added a new step to its intrusions: a custom script that harvests credentials saved in Google Chrome, BleepingComputer reports. According to the Sophos X-Ops research team, the attack began with Qilin obtaining network access through an organization's compromised VPN credentials, for an account that was not protected by multi-factor authentication. The intruders then lay dormant for 18 days, possibly performing network reconnaissance, before moving laterally to a domain controller. From there they used Group Policy Objects to run a PowerShell script on every machine in the domain, collecting the credentials that Chrome had stored on each one. The stolen credentials were exfiltrated to a command-and-control server and the local copies deleted to cover the group's tracks. Only then did Qilin deploy its ransomware to encrypt data across the compromised network. Credential theft on this scale is a significant risk in its own right: every password saved in a browser on those machines should be treated as compromised, which opens the door to further attacks and complicates the incident response. Organizations are advised to enforce MFA, particularly on VPN and other remote-access accounts, to restrict or disable credential storage in browsers, and to enforce least privilege and network segmentation.
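As an added example, not code from the article or from Sophos: a PowerShell script covering the two controls a Windows administrator can act on most directly after reading this. It disables Chrome's built-in password manager through the documented Chrome enterprise policy value PasswordManagerEnabled (written per host here for illustration; in practice you would push it through a GPO or MDM), reports whether that policy is enforced, and lists recently modified scripts in the Group Policy script folders under SYSVOL, since the harvester described above was delivered through Group Policy. The domain name corp.example and the 30-day window are placeholders.

```powershell
# Added example, not part of the SC Media article or the Sophos X-Ops report.
# Assumptions: run as a local administrator on a domain-joined Windows host;
# 'corp.example' and the 30-day lookback are placeholders to replace.

$ChromePolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Weak setting: PasswordManagerEnabled missing or 1, so users can save
# passwords in Chrome and a harvester run on the host can read them back.
# Corrected setting: PasswordManagerEnabled = 0 (the documented Chrome policy).
function Set-ChromePasswordManagerDisabled {
    if (-not (Test-Path $ChromePolicyKey)) {
        New-Item -Path $ChromePolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $ChromePolicyKey -Name 'PasswordManagerEnabled' `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

# Report whether the policy is actually enforced on this host.
function Test-ChromePasswordManagerPolicy {
    $value = (Get-ItemProperty -Path $ChromePolicyKey -Name 'PasswordManagerEnabled' `
        -ErrorAction SilentlyContinue).PasswordManagerEnabled
    if ($value -eq 0) {
        return 'PasswordManagerEnabled=0: browser credential storage is blocked by policy'
    }
    return 'PasswordManagerEnabled not enforced: users can still save passwords in Chrome'
}

# Scripts deployed through Group Policy are stored under
# \\<domain>\SYSVOL\<domain>\Policies\{GUID}\(User|Machine)\Scripts\<phase>\.
# List any script in those folders written or modified inside the lookback window,
# so a newly planted harvester like the one in this intrusion stands out.
function Get-RecentGpoScripts {
    param(
        [string]$Domain = 'corp.example',   # placeholder, replace with your AD domain
        [int]$Days = 30
    )
    $policyRoot = "\\$Domain\SYSVOL\$Domain\Policies"
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $policyRoot -Recurse -File `
        -Include *.ps1, *.bat, *.cmd, *.vbs -ErrorAction SilentlyContinue |
        Where-Object {
            $_.FullName -match '\\Scripts\\(Logon|Logoff|Startup|Shutdown)\\' -and
            $_.LastWriteTime -ge $since
        } |
        Select-Object FullName, LastWriteTime, Length |
        Sort-Object LastWriteTime -Descending
}

Set-ChromePasswordManagerDisabled
Test-ChromePasswordManagerPolicy
Get-RecentGpoScripts -Domain 'corp.example' -Days 30 | Format-Table -AutoSize
```

A script appearing in the SYSVOL listing is not proof of compromise on its own; compare each hit against your change records and the GPO's version number, and treat an unexpected script that touches browser profile directories as a priority for investigation.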