Logins and passwords were secretly harvested from Google Chrome users.
Researchers from Sophos discovered an attack using the Qilin ransomware, during which attackers stole account data stored in the Google Chrome browser on a number of compromised devices.
The incident was identified in July 2024 and attracted the attention of experts for its unusual combination of methods: credential theft followed by a ransomware infection, a pairing that could have serious consequences.
The attack began by penetrating the target organization's network through compromised credentials to access a VPN portal that was not protected by multi-factor authentication (MFA). The attackers began further actions only 18 days after the initial hack.
After the attackers gained access to the domain controller, they made changes to the domain policy by adding two Group Policy Objects (GPOs). The first of these is a PowerShell script called "IPScanner.ps1", which is designed to collect account data stored in the Chrome browser. The second is a batch script ("logon.bat") that triggers the execution of the first script.
According to the study, this GPO remained active on the network for more than three days. During this time, users, unaware of what was happening, ran a script that collected their credentials every time they logged in.
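The chain described above (a new or modified GPO, a logon script that launches PowerShell from SYSVOL, and a process that touches Chrome's credential store) leaves traces in standard Windows Security auditing. The following is an added detection sketch, not code from the Sophos report: it runs a few rules over Windows Security events that are assumed to have already been normalised to Python dicts by a SIEM export. Event IDs 5137 (directory object created), 5136 (directory object modified) and 4688 (process creation) are real; the field names mirror their audit schema; the events, domain name, GPO GUID and user name in the sample data are constructed.

```python
"""Detection rules for the GPO logon-script credential-harvesting pattern.

Added example (not from the original article). Assumes Windows Security
events normalised to dicts with the usual 5136/5137/4688 field names.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    event_id: int
    detail: str


# LDAP attributes that change when scripts or links are attached to a GPO.
GPO_SCRIPT_ATTRS = {"gpcuserextensionnames", "gpcmachineextensionnames", "gplink"}
# A UNC path into the domain SYSVOL share, where GPO logon scripts live.
SYSVOL_RE = re.compile(r"\\\\[^\\]+\\sysvol\\", re.IGNORECASE)
# Chrome's saved-credential store (the "Login Data" SQLite file).
CHROME_STORE_RE = re.compile(r"google\\chrome\\user data|\\login data", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyse_event(ev: dict) -> list:
    """Apply the individual rules to one event and return any findings."""
    eid = int(ev.get("EventID", 0))
    out = []
    if eid == 5137 and ev.get("ObjectClass", "").lower() == "grouppolicycontainer":
        out.append(Finding("gpo_created", eid, ev.get("ObjectDN", "")))
    elif eid == 5136 and ev.get("AttributeLDAPDisplayName", "").lower() in GPO_SCRIPT_ATTRS:
        out.append(Finding("gpo_script_attribute_modified", eid,
                           f"{ev.get('ObjectDN', '')} {ev.get('AttributeLDAPDisplayName', '')}"))
    elif eid == 4688:
        proc = _basename(ev.get("NewProcessName", ""))
        cmd = ev.get("CommandLine", "")
        if proc in {"powershell.exe", "pwsh.exe"} and SYSVOL_RE.search(cmd):
            out.append(Finding("powershell_from_sysvol_script", eid, cmd))
        if CHROME_STORE_RE.search(cmd):
            out.append(Finding("chrome_credential_store_access", eid, cmd))
    return out


def detect(events) -> list:
    return [f for ev in events for f in analyse_event(ev)]


def harvest_chain_observed(findings) -> bool:
    """True when all three stages (GPO change, SYSVOL PowerShell, Chrome store) appear."""
    rules = {f.rule for f in findings}
    gpo_changed = bool(rules & {"gpo_created", "gpo_script_attribute_modified"})
    return (gpo_changed
            and "powershell_from_sysvol_script" in rules
            and "chrome_credential_store_access" in rules)


# Constructed sample events (hypothetical domain example.local, placeholder GPO GUID).
GPO_DN = "CN={CONSTRUCTED-GPO-GUID},CN=Policies,CN=System,DC=example,DC=local"
SAMPLE_EVENTS = [
    {"EventID": 5137, "ObjectClass": "groupPolicyContainer", "ObjectDN": GPO_DN},
    {"EventID": 5136, "ObjectDN": GPO_DN, "AttributeLDAPDisplayName": "gPCUserExtensionNames"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File "
                    r"\\example.local\SYSVOL\example.local\Policies\{CONSTRUCTED-GPO-GUID}\User\Scripts\Logon\IPScanner.ps1"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -Command "
                    r"Get-Item 'C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data'"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]
BENIGN_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"EventID": 5136, "ObjectDN": GPO_DN, "AttributeLDAPDisplayName": "description"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.event_id}] {f.rule}: {f.detail}")
    print("full harvesting chain observed:", harvest_chain_observed(found))
```

Each rule fires on an activity that is individually plausible in a healthy domain (GPOs are created and logon scripts do run PowerShell), so the useful signal is the correlation in `harvest_chain_observed`, which should be raised for immediate investigation; the 5136/5137 events require "Audit Directory Service Changes" to be enabled on domain controllers, and 4688 command lines require "Include command line in process creation events".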
The attackers stole this data and then erased traces of their activity and encrypted files on the system, leaving a ransom note in each folder. The fact of theft means that affected users now need to change their passwords on all third-party services where compromised credentials were used.
Sophos experts note that ransomware groups continue to change their methods and expand their arsenal of techniques. If criminals begin to systematically obtain credentials stored on endpoint devices, this could open a dangerous new page in the history of cybercrime.
Source