{"id":25102,"date":"2024-08-22T03:20:54","date_gmt":"2024-08-22T11:20:54","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/08\/22\/news-18832\/"},"modified":"2024-08-22T03:20:54","modified_gmt":"2024-08-22T11:20:54","slug":"news-18832","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2024\/08\/22\/news-18832\/","title":{"rendered":"Qilin ransomware caught stealing credentials stored in Google Chrome"},"content":{"rendered":"<p><strong>Credit to Author: Angela Gunn| Date: Thu, 22 Aug 2024 10:45:48 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>During a recent investigation of a Qilin ransomware breach, the Sophos X-Ops team identified attacker activity leading to en masse theft of credentials stored in Google Chrome browsers on a subset of the network\u2019s endpoints \u2013 a credential-harvesting technique with potential implications far beyond the original victim\u2019s organization. This is an unusual tactic, and one that could be a bonus multiplier for the chaos already inherent in ransomware situations.<\/p>\n<h3>What is Qilin?<\/h3>\n<p>The Qilin ransomware group has been in operation for just over two years. It was in the news in June 2024 due to <a href=\"https:\/\/www.ncsc.gov.uk\/news\/ncsc-statement-following-reports-of-a-synnovis-data-breach\">an attack on Synnovis<\/a>, a governmental service provider to various UK healthcare providers and hospitals. 
Prior to the activity described in this post, Qilin attacks have often involved \u201cdouble extortion\u201d \u2013 that is, stealing the victim\u2019s data, encrypting their systems, and then threatening to reveal or sell the stolen data if the victim won&#8217;t pay for the encryption key, a tactic we\u2019ve recently discussed in our <a href=\"https:\/\/news.sophos.com\/en-us\/2024\/08\/06\/turning-the-screws-the-pressure-tactics-of-ransomware-gangs\/\">\u201cTurning the Screws\u201d<\/a> research.<\/p>\n<p>The Sophos IR team observed the activity described in this post in July 2024. To provide some context, this activity was spotted on a single domain controller within the target\u2019s Active Directory domain; other domain controllers in that AD domain were infected but affected differently by Qilin.<\/p>\n<h3>Opening maneuvers<\/h3>\n<p>The attacker obtained initial access to the environment via compromised credentials. Unfortunately, this method of initial access is not new for Qilin (or other ransomware gangs for that matter). Our investigation indicated that the VPN portal lacked multifactor authentication (MFA) protection.<\/p>\n<p>The attacker\u2019s dwell time between initial access to the network and further movement was eighteen days, which may or may not indicate that an Initial Access Broker (IAB) made the actual incursion. In any case, eighteen days after initial access occurred, attacker activity on the system increased, with artifacts showing lateral movement to a domain controller using compromised credentials.<\/p>\n<p>Once the attacker reached the domain controller in question, they edited the default domain policy to introduce a logon-based Group Policy Object (GPO) containing two items. 
The first, a PowerShell script named IPScanner.ps1, was written to a temporary directory within the SYSVOL (SYStem VOLume) share (the shared NTFS directory located on each domain controller inside an Active Directory domain) on the specific domain controller involved. It contained a 19-line script that attempted to harvest credential data stored within the Chrome browser.<\/p>\n<p>The second item, a batch script named logon.bat, contained the commands to execute the first script. This combination resulted in harvesting of credentials saved in Chrome browsers on machines connected to the network. Since these two scripts were in a logon GPO, they would execute on each client machine as it logged in.<\/p>\n<h3>On the endpoints<\/h3>\n<p>Whenever a logon occurred on an endpoint, the logon.bat would launch the IPScanner.ps1 script, which in turn created two files \u2013 a SQLite database file named LD and a text file named temp.log, as seen in Figure 1.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/08\/qilin-figure-01.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-956908\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/08\/qilin-figure-01.jpg\" alt=\"A file directory showing the LD and temp.log files from the Qilin infection, as described in text\" width=\"640\" height=\"243\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/08\/qilin-figure-01.jpg 1053w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/08\/qilin-figure-01.jpg?resize=300,114 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/08\/qilin-figure-01.jpg?resize=768,292 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/08\/qilin-figure-01.jpg?resize=1024,389 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 1: We call this demo device Hemlock because it\u2019s poisonous: The two files created by the startup script on an infected machine<\/em><\/p>\n<p>These files 
were written back to a newly created directory on the domain\u2019s SYSVOL share and named after the hostname of the device(s) on which they were executed (in our example, Hemlock).<\/p>\n<p>The LD database file contains the structure shown in Figure 2.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/08\/qilin-figure-02.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-956909\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/08\/qilin-figure-02.jpg\" alt=\"A screen grab showing the structures in LD, as described in the text\" width=\"640\" height=\"578\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/08\/qilin-figure-02.jpg 1053w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/08\/qilin-figure-02.jpg?resize=300,271 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/08\/qilin-figure-02.jpg?resize=768,694 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/08\/qilin-figure-02.jpg?resize=1024,925 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 2: Inside LD, the SQLite database file dropped into SYSVOL<\/em><\/p>\n<p>In a display of confidence that they would not be caught or lose their access to the network, the attacker left this GPO active on the network for over three days. This provided ample opportunity for users to log on to their devices and, unbeknownst to them, trigger the credential-harvesting script on their systems. Again, since this was all done using a logon GPO, each user would experience this credential-scarfing each time they logged in.<\/p>\n<p>To make it more difficult to assess the extent of the compromise, once the files containing the harvested credentials were stolen and exfiltrated, the attacker deleted all the files and cleared the event logs for both the domain controller and the infected machines. 
After deleting the evidence, they proceeded to encrypt files and drop the ransom note, as shown in Figure 3. This ransomware leaves a copy of the note in every directory on the device on which it runs.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/08\/qilin-figure-03.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-956910\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/08\/qilin-figure-03.png\" alt=\"The Qilin ransom note\" width=\"640\" height=\"463\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/08\/qilin-figure-03.png 976w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/08\/qilin-figure-03.png?resize=300,217 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/08\/qilin-figure-03.png?resize=768,556 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 3: A Qilin ransom note<\/em><\/p>\n<p>The Qilin group used GPO again as the mechanism for affecting the network by having it create a scheduled task to run a batch file named run.bat, which downloaded and executed the ransomware.<\/p>\n<h3>Impact<\/h3>\n<p>In this attack, the IPScanner.ps1 script targeted Chrome browsers \u2013 statistically the choice most likely to return a bountiful password harvest, since Chrome currently <a href=\"https:\/\/gs.statcounter.com\/browser-market-share\/\">holds<\/a> just over 65 percent of the browser market. The success of each attempt would depend on exactly what credentials each user was storing in the browser. 
(As for how many passwords might be acquired from each infected machine, a recent <a href=\"https:\/\/nordpass.com\/blog\/how-many-passwords-does-average-person-have\/\">survey<\/a> indicates that the average user has 87 work-related passwords, and around twice as many personal passwords.)<\/p>\n<p>A successful compromise of this sort would mean that not only must defenders change all Active Directory passwords; they should also (in theory) request that end users change their passwords for dozens, potentially hundreds, of third-party sites for which the users have saved their username-password combinations in the Chrome browser. The defenders of course would have no way of making users do that. As for the end-user experience, though virtually every internet user at this point has received at least one \u201cyour information has been breached\u201d notice from a site that has lost control of their users\u2019 data, in this situation it\u2019s reversed \u2013 one user, dozens or hundreds of separate breaches.<\/p>\n<p>It\u2019s perhaps interesting that, in this specific attack, other domain controllers in the same Active Directory domain were encrypted, but the domain controller where this specific GPO was originally configured was left unencrypted by the ransomware. What this might have been \u2013 a misfire, an oversight, attacker A\/B testing \u2013 is beyond the scope of our investigation (and this post).<\/p>\n<h3>Conclusion<\/h3>\n<p>Predictably, ransomware groups continue to change tactics and expand their repertoire of techniques. 
The Qilin ransomware group may have decided that, by merely targeting the network assets of their target organizations, they were missing out.<\/p>\n<p>If they, or other attackers, have decided to also mine for endpoint-stored credentials \u2013 which could provide a foot in the door at a subsequent target, or troves of information about high-value targets to be exploited by other means \u2013 a dark new chapter may have opened in the ongoing story of cybercrime.<\/p>\n<h3>Acknowledgements<\/h3>\n<p>Anand Ajjan of SophosLabs, as well as Ollie Jones and Alexander Giles from the Incident Response team, contributed to this analysis.<\/p>\n<h3>Response and remediation<\/h3>\n<p>Organizations and individuals should rely on password manager applications that employ industry best practices for software development, and which are regularly tested by an independent third party. The use of a browser-based password manager has been proven to be insecure time and again, with this article being the most recent proof.<\/p>\n<p>Multifactor authentication would have been an effective preventative measure in this situation, as we\u2019ve said <a href=\"https:\/\/news.sophos.com\/en-us\/2024\/04\/03\/active-adversary-report-1h-2024\/\">elsewhere<\/a>. Though use of MFA continues to rise, a 2024 LastPass study indicates that though MFA adoption at companies with over 10,000 employees is a not-terrible 87%, that adoption level drops precipitously \u2013 from 78% for companies with 1,001-1000 employees all the way down to a 27% adoption rate for businesses with 25 employees or less. Speaking bluntly, businesses must do better, for their own safety \u2013 and in this case, the safety of other companies as well.<\/p>\n<p>Our own Powershell.01 query was instrumental in identifying suspicious PowerShell commands executed in the course of the attack. 
That query is freely available <a href=\"https:\/\/github.com\/SophosRapidResponse\/OSQuery\/blob\/main\/Artefacts\/PowerShell\/Powershell.01.1-%20Powershell-commands-and-scripts.sql\">from our GitHub<\/a>, along with many others.<\/p>\n<p>Sophos detects Qilin ransomware as <strong>Troj\/Qilin-B<\/strong> and with behavioral detections such as <strong>Impact_6a<\/strong> &amp; <strong>Lateral_8a<\/strong>. The script described above is detected as <strong>Troj\/Ransom-HDV<\/strong>.<\/p>\n<\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2024\/08\/22\/qilin-ransomware-caught-stealing-credentials-stored-in-google-chrome\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/08\/shutterstock_2149483333_32a7f2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Angela Gunn| Date: Thu, 22 Aug 2024 10:45:48 +0000<\/strong><\/p>\n<p>Familiar ransomware develops an appetite for passwords to third-party 
sites<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[19253,129,12657,5897,31816,3765,24552,16771],"class_list":["post-25102","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-credentials","tag-featured","tag-incident-response","tag-privacy","tag-qilin","tag-ransomware","tag-security-operations","tag-threat-research"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25102","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=25102"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25102\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=25102"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=25102"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=25102"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}