Unauthorized VPN login leads to theft of Google Chrome credentials


Sensitive data stored in Google Chrome was successfully exfiltrated in an attack involving the Qilin ransomware, made possible by compromised VPN credentials.

This data theft was discovered by security firm Sophos during an investigation into a recent Qilin ransomware-related data breach.

In this cyber attack, a large number of credentials were stolen from the Google Chrome browser, showing that even the best VPN cannot keep you safe if you do not follow good cyber security practices.

Hackers were able to access the environment using compromised login credentials for the VPN portal. The VPN portal did not have multi-factor authentication (MFA) enabled.

After accessing the environment, the attacker waited 18 days before increasing activity, then used the compromised credentials to move laterally and access the domain controller.

Upon accessing this domain controller, the attacker introduced malicious code, including a specific script that edits the default domain policy and harvests credential data stored within Google Chrome. A second script was then introduced that prompted the domain controller to execute the first script, allowing it to harvest all credentials stored in the Google Chrome browser on machines connected to the network. These scripts could be run on each client machine logged on to the network.
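One way to look for this kind of policy change, as an added example that is not from the original article or from Sophos: the code parses Group Policy `scripts.ini` files and flags any script outside an approved list, rating entries in the Default Domain Policy highest. It assumes the scripts were delivered as Group Policy logon scripts and that the files are UTF-16; the sample contents, script names, second GPO GUID and approved list are constructed.

```python
import configparser
from pathlib import Path

# Well-known GUID of the Default Domain Policy GPO.
DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"

def parse_scripts_ini(text):
    """Return sorted (event, order, cmdline, parameters) tuples from a scripts.ini body."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. "0CmdLine"
    cp.read_string(text.lstrip("\ufeff"))
    found = []
    for event in cp.sections():  # Logon, Logoff, Startup, Shutdown
        for key, value in cp[event].items():
            order = key[:-len("CmdLine")]
            if key.endswith("CmdLine") and order.isdigit():
                params = cp[event].get(order + "Parameters", "")
                found.append((event, int(order), value, params))
    return sorted(found)

def audit(gpo_files, approved):
    """gpo_files: {(gpo_guid, source): ini_text}. Flag scripts missing from `approved`."""
    findings = []
    for (guid, source), text in sorted(gpo_files.items()):
        for event, _order, cmd, _params in parse_scripts_ini(text):
            if cmd.lower() not in approved:
                level = "HIGH" if guid.upper() == DEFAULT_DOMAIN_POLICY else "REVIEW"
                findings.append((level, guid, source, event, cmd))
    return findings

def load_sysvol(policies_dir):
    """Read every scripts.ini / psscripts.ini under a SYSVOL Policies directory."""
    files = {}
    for ini in Path(policies_dir).glob("*/*/Scripts/*scripts.ini"):
        guid, scope = ini.parts[-4], ini.parts[-3]  # {GUID}, then User or Machine
        # Assumption: files are stored as UTF-16 with a byte-order mark.
        files[(guid, scope + "/" + ini.name)] = ini.read_text(encoding="utf-16")
    return files

# Constructed sample: script names and the second GUID are made up.
SAMPLE = {
    (DEFAULT_DOMAIN_POLICY, "User/scripts.ini"):
        "[Logon]\n0CmdLine=collect.bat\n0Parameters=\n[Logoff]\n",
    ("{11111111-2222-3333-4444-555555555555}", "User/scripts.ini"):
        "[Logon]\n0CmdLine=map-drives.cmd\n0Parameters=/quiet\n",
}
APPROVED = {"map-drives.cmd"}  # assumption: the site's known-good baseline

if __name__ == "__main__":
    for finding in audit(SAMPLE, APPROVED):
        print(*finding)
```

To run it against a real domain, pass the `Policies` directory of a SYSVOL copy to `load_sysvol` and feed the result to `audit` with your own baseline.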

This likely resulted in a large number of passwords being stolen. Since the average person has 225 passwords for both business and private logins, the data compromised per individual Chrome browser could lead to hundreds of individual data breaches. If these passwords are reused for logins that are not stored in Google Chrome, hackers could gain access to those accounts as well.

This cyber attack really highlights the importance of updating passwords regularly, using a password manager to allow the creation of unique login credentials for each account, and enabling MFA. While it cannot be determined whether updated credentials and MFA would have completely deterred the hackers, they may have at least slowed them down and alerted the owner of the credentials that someone was trying to access their account, allowing them to intervene.

Qilin ransomware refers to malicious software deployed by the Qilin ransomware group.

The group itself has been active for about two years, but it really made a name for itself in June of this year thanks to the attacks on Synnovis, a scientific and medical partnership between SYNLAB UK & Ireland, King's College Hospital NHS Foundation Trust, and Guy's and St Thomas' NHS Foundation Trust.

These attacks severely affected Synnovis' day-to-day operations (e.g., processing samples) and affected almost all of its IT systems.

Prior to the Google Chrome data breach attack, the Qilin ransomware gang primarily used the “double extortion” method favored by most criminal ransomware gangs. This involves hackers breaking into a system, encrypting the network, and then extorting the victim by threatening to release or sell the encrypted information unless the victim pays a large sum of money for the encryption key.

For more information on Sophos' research into the Qilin ransomware gang, see
