Every now and again, an infamous cyber gang rises again. Qilin ransomware, the group behind the chaos that hit London hospitals this summer, has stepped up. Now, they are focusing on stealing passwords from Google Chrome. Sophos X-Ops research recently shed light on this new tactic.
Who are Qilin?
In June 2024, Qilin, infamous for their double extortion schemes, went after Synnovis. This is a government service provider for several UK hospitals. Furthermore, this attack forced five London hospitals to halt critical services.
Fast forward to July, and Sophos X-Ops uncovered another incident involving Qilin. This time, they noticed the gang doing something different—swiping credentials stored in Google Chrome from an organization’s network.
The way Qilin got in? They used compromised VPN credentials from somewhere else. Because the organization didn’t have multifactor authentication, they had free rein for 18 days before they started moving around the network.
Their malicious script would run as users logged in, and Qilin let it run for three days straight, clearly confident they wouldn’t be caught. After grabbing all the credentials they could, they wiped their tracks clean, deleted the files and logs from the domain controller and infected machines, and then left their ransom notes behind.
Why should we be vigilant?
This new move has serious implications. Researchers believe Qilin may have realized they were missing out by only targeting network assets, so they started aiming at the credentials stored on individual users’ Chrome browsers, which dominate the browser market with over 65% of users.
Think about it—if an attack like this succeeds, hackers get their hands on every password stored in Chrome. With the average user juggling 87 work-related passwords and twice as many personal ones, that’s a nightmare scenario for anyone in charge of network security.
Conclusion
Sophos’ report points out that if these attacks work, it’s not just a matter of changing Active Directory passwords. Defenders would theoretically need to ask users to update passwords for potentially hundreds of other accounts saved in Chrome.
Overall, researchers are worried this could mark the beginning of a new, darker era in cybercrime. If Qilin—or any other hacker group—starts regularly mining for credentials stored on endpoints, it could give them easy access to future targets or a treasure trove of information on high-value individuals to exploit down the road. Scary stuff.
We hope you’ve liked this blog and that you’ll stick around to see our future releases. We cover everything from recent IT News to Knowledgebase articles. Thanks for reading!