Impact of Qilin Ransomware on Google Chrome Credentials | DROP Organization



A recent investigation of a Qilin ransomware breach revealed that the attackers harvested, at scale, the credentials stored in Google Chrome browsers on a subset of the victim's endpoints. Because saved browser credentials include logins for third-party sites, the impact of this technique reaches well beyond the original victim organization. Mass credential harvesting is unusual in a ransomware intrusion and acts as a multiplier on the chaos ransomware already causes.

Introduction to Qilin

The Qilin ransomware group has been operating for just over two years. It made headlines in June 2024 with an attack on Synnovis, a pathology services provider to UK hospitals and healthcare providers. Qilin attacks have typically involved "double extortion": stealing the victim's data, encrypting their systems, and then threatening to publish or sell the stolen data if the ransom is not paid in exchange for the decryption key.

Researchers observed the activity in July 2024. It was spotted on a single domain controller within the target's Active Directory domain; the other domain controllers in that domain were also affected by Qilin, but in a different way (they were encrypted, as described below).

Beginning of Credential Harvesting

In this intrusion, Qilin not only carried out an extortion attack but also deployed a credential-harvesting scheme. The group targeted Google Chrome, which holds over 65% of the browser market.

The attacker obtained initial access to the environment through compromised credentials. Once the group reached a domain controller, it edited the Default Domain Policy to introduce a logon-based Group Policy Object (GPO) consisting of two items.

The first was a PowerShell script named IPScanner.ps1, written to a temporary directory within the System Volume (SYSVOL) share, the replicated NTFS directory present on every domain controller in an Active Directory domain, on the specific domain controller involved. The 19-line script attempted to harvest credential data stored in the Chrome browser.

The second was a batch script named logon.bat, containing the commands to execute the PowerShell script. Because the GPO applied at logon, the combination harvested credentials stored in Chrome on the domain-joined machines that processed the policy.
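As an added example (editor-supplied code, not the attackers' scripts and not tooling from the original investigation), the following Python hunt walks a mounted copy of the domain's SYSVOL\<domain> tree, parses the scripts.ini files that define GPO logon scripts, and flags the pattern described above: a logon script attached to the Default Domain Policy whose body launches PowerShell with bypass flags against a file staged elsewhere in SYSVOL. The domain name corp.example, the second GPO's GUID and the sample script bodies are constructed for the demo; the Default Domain Policy GUID and the scripts.ini layout (a [Logon] section with NCmdLine/NParameters keys, usually stored as UTF-16 with a BOM) are the real Windows conventions.

```python
"""Hunt SYSVOL for GPO logon scripts that match the Qilin pattern: a script attached
to the Default Domain Policy whose body runs PowerShell against a SYSVOL-staged file."""
import configparser
import re
import tempfile
from pathlib import Path

# Well-known GUID of the Default Domain Policy; it normally carries no logon scripts.
DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"

# A batch wrapper that calls PowerShell with evasion flags or a \\<server>\SYSVOL\ path.
SUSPICIOUS_BODY = re.compile(
    r"powershell(?:\.exe)?\b.*?(?:-(?:ep|exec|executionpolicy)\s+bypass|-nop\b"
    r"|-w(?:indowstyle)?\s+hidden|\\\\[^\\]+\\sysvol\\)",
    re.IGNORECASE | re.DOTALL)


def read_scripts_ini(path: Path) -> configparser.ConfigParser:
    """scripts.ini / psscripts.ini are written by GPMC as UTF-16 with a BOM; handle plain text too."""
    raw = path.read_bytes()
    text = raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("utf-8", "replace")
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep keys such as '0CmdLine' exactly as written
    cp.read_string(text)
    return cp


def logon_entries(cp: configparser.ConfigParser):
    """Return (script, parameters) pairs from the [Logon] section (keys NCmdLine / NParameters)."""
    if not cp.has_section("Logon"):
        return []
    out = []
    for key, value in cp.items("Logon"):
        if key.endswith("CmdLine"):
            out.append((value, cp.get("Logon", key[:-len("CmdLine")] + "Parameters", fallback="")))
    return out


def audit_sysvol(domain_root: Path):
    """domain_root is the SYSVOL\\<domain> directory (e.g. a mounted \\\\corp.example\\SYSVOL\\corp.example)."""
    findings = []
    policies = domain_root / "Policies"
    for ini in policies.glob("*/*/Scripts/*.ini"):  # {GUID}/User|Machine/Scripts/scripts.ini
        guid, scope = ini.relative_to(policies).parts[:2]
        for script, params in logon_entries(read_scripts_ini(ini)):
            reasons = []
            if guid.upper() == DEFAULT_DOMAIN_POLICY:
                reasons.append("logon script attached to Default Domain Policy")
            if "\\" in script or "/" in script:
                reasons.append("script referenced by path instead of from Scripts\\Logon")
            else:
                body = ini.parent / "Logon" / script
                if body.exists() and SUSPICIOUS_BODY.search(body.read_text(errors="replace")):
                    reasons.append("body launches PowerShell with bypass flags or a SYSVOL-staged file")
            if reasons:
                findings.append({"gpo": guid, "scope": scope, "ini": ini.name,
                                 "script": script, "params": params, "reasons": reasons})
    return findings


def build_sample_sysvol(root: Path) -> Path:
    """Constructed sample tree (not real data): the attacker-style GPO next to a benign one."""
    domain = root / "corp.example"
    evil = domain / "Policies" / DEFAULT_DOMAIN_POLICY / "User" / "Scripts"
    (evil / "Logon").mkdir(parents=True)
    (evil / "scripts.ini").write_bytes("[Logon]\n0CmdLine=logon.bat\n0Parameters=\n".encode("utf-16"))
    (evil / "Logon" / "logon.bat").write_text(
        "@echo off\npowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden "
        "-File \\\\corp.example\\SYSVOL\\corp.example\\temp\\IPScanner.ps1\n")
    benign = domain / "Policies" / "{A1B2C3D4-0000-4000-8000-000000000001}" / "User" / "Scripts"
    (benign / "Logon").mkdir(parents=True)
    (benign / "scripts.ini").write_bytes("[Logon]\n0CmdLine=mapdrives.bat\n0Parameters=\n".encode("utf-16"))
    (benign / "Logon" / "mapdrives.bat").write_text("net use H: \\\\corp.example\\home\\%USERNAME%\n")
    return domain


def run_demo():
    """Build the constructed SYSVOL in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_sysvol(build_sample_sysvol(Path(tmp)))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['gpo']} {f['scope']} {f['script']}: {'; '.join(f['reasons'])}")
```

Against a live domain, point audit_sysvol() at the SYSVOL\<domain> directory; the same parser also reads psscripts.ini, which lists PowerShell logon scripts in the same NCmdLine form. The body heuristic is deliberately narrow (PowerShell plus bypass flags or a SYSVOL path), so pair it with the Default Domain Policy check rather than relying on either alone.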

On the Endpoints

Whenever a user logged on to an endpoint, logon.bat launched IPScanner.ps1, which created two files: a SQLite database file named LD and a text file named temp.log.

These files were written back to a newly created directory on the domain's SYSVOL share, named after the hostname of the device on which the script ran. The credentials harvested from each device therefore ended up in that device's LD database.

Confident they would not be detected, the attackers left this GPO active on the network for over three days. This gave ample opportunity for users to log on to their devices and, without knowing it, trigger the credential-harvesting script on their systems.

Once the files containing the harvested credentials had been exfiltrated, the attackers deleted them and cleared the event logs on both the domain controller and the affected endpoints. They then proceeded to encrypt files and drop the ransom note. The ransomware leaves a copy of the note in every directory on each device on which it runs.

The Qilin group again used a GPO as the delivery mechanism for the ransomware itself, creating a scheduled task that ran a batch file named run.bat, which downloaded and executed the ransomware.

Once attackers decide to mine endpoint-stored credentials, which can provide a foot in the door at a subsequent target or information about high-value targets to be exploited by other means, a dark new chapter opens in the ongoing story of cybercrime.

Effect of Qilin

In this attack, the IPScanner.ps1 script targeted Chrome browsers, which can yield a bountiful password harvest. How much each attempt returns depends on exactly which credentials each user has saved in the browser. A successful compromise of this kind means defenders must not only reset all Active Directory passwords, but also ask end users to change their passwords for dozens, potentially hundreds, of third-party sites whose credentials they had saved in the browser.

From the end user's perspective, almost every internet user has by now received at least one "your information has been breached" notice from a site. In that familiar case a single site has lost control of its users' data; here the situation is reversed: one user, dozens or hundreds of separate breaches.

An interesting detail of this specific attack is that the other domain controllers in the same Active Directory domain were encrypted, but the domain controller where the GPO was initially configured was left unencrypted by the ransomware. This could be a misfire, an oversight, or the attacker's A/B testing.

Recommendations for Mitigation

The following measures can mitigate this type of browser credential-harvesting attack:

  • Do not rely on the browser's built-in password store. On Windows, Chrome protects saved passwords with a key tied to the logged-on user's profile (DPAPI), so any script running as that user, such as a GPO logon script, can decrypt them.
  • Use a dedicated password manager application that follows industry best practices for software development.
  • Implement multifactor authentication (MFA); it would have been an effective preventive measure in this situation, since a harvested password alone would not grant access.
  • The Powershell.01 query identifies suspicious PowerShell commands executed in the course of the attack. The query is freely available on GitHub, along with many others.
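Added example (editor-supplied code, not the Powershell.01 query mentioned above and not code from the original article): a small Python detector that encodes the domain-controller and endpoint telemetry the attack chain described earlier produces, and runs it over constructed sample Windows Security events using the standard event fields. It covers 5136 (directory service object modified) for the Default Domain Policy GPO edit, 4688 (process creation) for PowerShell launched with bypass flags against a SYSVOL-hosted script, 5145 (network share object access) for the LD and temp.log files being written back to SYSVOL, and 1102 for the Security log being cleared. The hostnames, the domain corp.example and the event records are constructed; the event IDs, field names and the Default Domain Policy GUID are the real Windows ones.

```python
"""Detect the GPO logon-script credential-harvesting chain from Windows Security events:
Default Domain Policy edit on a DC, PowerShell run from SYSVOL on endpoints, harvester
output written back to SYSVOL, then the Security log cleared."""
import re
from collections import defaultdict

DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"  # well-known GPO GUID
SYSVOL_PATH = re.compile(r"\\\\[^\\]+\\sysvol\\", re.IGNORECASE)       # \\<server>\SYSVOL\
PS_EVASION = re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass|-nop\b|-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
STAGED_FILES = re.compile(r"(?:^|\\)(?:LD|temp\.log)$", re.IGNORECASE)  # the harvester's output names


def rule_gpo_modified(ev):
    # 5136 fires when a GPO's AD object changes (needs "Audit Directory Service Changes" and a SACL on the GPO).
    if ev["EventID"] != 5136 or ev.get("ObjectClass") != "groupPolicyContainer":
        return None
    if DEFAULT_DOMAIN_POLICY.lower() in ev.get("ObjectDN", "").lower():
        return ("default_domain_policy_modified", "high")
    return ("gpo_modified", "medium")


def rule_powershell_from_sysvol(ev):
    # 4688 with command-line auditing enabled; the logon.bat wrapper appears as cmd.exe -> powershell.exe.
    if ev["EventID"] != 4688:
        return None
    if not ev.get("NewProcessName", "").lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return None
    cmd = ev.get("CommandLine", "")
    if SYSVOL_PATH.search(cmd) and PS_EVASION.search(cmd):
        return ("powershell_script_from_sysvol", "high")
    return None


def rule_sysvol_write(ev):
    # 5145: clients normally only read SYSVOL; a write of LD or temp.log is the tell.
    if ev["EventID"] != 5145 or not ev.get("ShareName", "").lower().endswith("\\sysvol"):
        return None
    writing = int(ev.get("AccessMask", "0x0"), 16) & 0x2  # FILE_WRITE_DATA
    if writing and STAGED_FILES.search(ev.get("RelativeTargetName", "")):
        return ("harvester_output_written_to_sysvol", "high")
    return None


def rule_audit_log_cleared(ev):
    # 1102 is written by the Security log itself when it is cleared and survives the clear.
    return ("security_log_cleared", "high") if ev["EventID"] == 1102 else None


RULES = (rule_gpo_modified, rule_powershell_from_sysvol, rule_sysvol_write, rule_audit_log_cleared)


def detect(events):
    """Return one alert dict per rule hit, in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append({"host": ev["Computer"], "time": ev["TimeCreated"],
                               "event_id": ev["EventID"], "rule": hit[0], "severity": hit[1]})
    return alerts


def correlate(alerts):
    """Hosts that both ran a SYSVOL-hosted PowerShell script and had their Security log cleared."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["host"]].add(a["rule"])
    chain = {"powershell_script_from_sysvol", "security_log_cleared"}
    return sorted(host for host, rules in seen.items() if chain <= rules)


# Constructed sample events (not real telemetry), already parsed into field dictionaries.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-07-18T09:12:03Z", "Computer": "DC01.corp.example", "EventID": 5136,
     "ObjectClass": "groupPolicyContainer", "AttributeLDAPDisplayName": "versionNumber",
     "ObjectDN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example",
     "SubjectUserName": "svc_backup"},
    {"TimeCreated": "2024-07-18T09:40:51Z", "Computer": "WS-042.corp.example", "EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File \\corp.example\SYSVOL\corp.example\temp\IPScanner.ps1"},
    {"TimeCreated": "2024-07-18T09:41:07Z", "Computer": "DC01.corp.example", "EventID": 5145,
     "ShareName": r"\\*\SYSVOL", "RelativeTargetName": r"corp.example\WS-042\LD", "AccessMask": "0x2"},
    {"TimeCreated": "2024-07-18T10:02:19Z", "Computer": "WS-042.corp.example", "EventID": 4688,   # benign admin script
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -File C:\ProgramData\Inventory\collect.ps1"},
    {"TimeCreated": "2024-07-21T22:15:44Z", "Computer": "WS-042.corp.example", "EventID": 1102},
    {"TimeCreated": "2024-07-21T22:16:02Z", "Computer": "DC01.corp.example", "EventID": 1102},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['time']} {a['host']:<22} {a['event_id']:>5} {a['severity']:<6} {a['rule']}")
    print("hosts matching the full chain:", correlate(found))
```

The correlation step only escalates a host when the SYSVOL-sourced PowerShell launch and a cleared Security log both appear; either alone can be routine administration, together they match the sequence described above. The 4688 rule depends on command-line auditing being enabled, and the 5145 rule on object-access auditing for the SYSVOL share; without those the remaining rules still catch the GPO edit and the log clearing. In production, feed parsed events from the SIEM in place of the inline list.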

Conclusion

It is predictable that ransomware groups will continue to change their tactics and expand their repertoire of techniques. Until now the Qilin ransomware group had focused mainly on its targets' network assets, leaving endpoint-stored credentials untouched.
If Qilin or similar attackers have decided to mine for endpoint-stored credentials, this could provide a foot in the door at a subsequent target, or troves of information about high-value targets to be exploited by other means.