Warning of new malware stealing information from Google Chrome users

Recently, Sophos security experts discovered that the Qilin ransomware is exploiting a serious security vulnerability in the Google Chrome browser to directly steal users' login credentials, posing a major threat to data security. This allows hackers to easily infiltrate other systems and cause serious damage.

In a large-scale ransomware attack, the Qilin cybercriminal gang broke into the system of Synnovis, an outsourced laboratory services provider for the public health system (National Health Service: NHS) in London (UK) on June 3, 2024, stealing a large amount of sensitive data on patient records, including test results, medical history and personal information.

They threatened to make all this information public unless they received a $50 million ransom. After negotiations failed, the Qilin gang publicly revealed all the stolen data.

The Qilin ransomware gang is notorious for its vicious “double extortion” tactic, which involves not only encrypting victims’ data but also stealing and threatening to publicly disclose sensitive information, forcing victims to pay a huge ransom. Cybersecurity firm Sophos calls this tactic “Turning the Screws,” emphasizing the increasing pressure on victims until they cave in.

This discovery has exposed a new and extremely dangerous tactic of Qilin, which is to directly attack the login information of millions of Google Chrome users. With more than 65% market share, Google Chrome has become a lucrative target for attackers, opening a backdoor for them to penetrate every corner of the victim's digital life, from bank accounts to emails, even important business systems.

The successful penetration of the target's domain controller by the Qilin ransomware group in July 2024 exposed a serious vulnerability in the cybersecurity system of many organizations. The domain controller, the heart of the network, when attacked will make the entire system vulnerable, causing unpredictable consequences such as data loss, operational disruption and loss of reputation.

A deeper investigation into the Qilin group’s activities revealed a sophisticated attack scenario in which the attackers infiltrated the target system by purchasing virtual private network (VPN) credentials from a broker on the dark web. They then patiently “hibernated” in the system for 18 days, silently observing, mapping the network and selecting the most accurate attack targets.

The campaign was made more sophisticated by using a specially designed malicious tool to steal login credentials from Google Chrome. After successfully penetrating, the ransomware group quickly spread throughout the system, turning the victim's entire network into a "factory" that mass-produced copies of itself.

When such an incident occurs, security experts are faced with not only changing all passwords but also convincing millions of users to change passwords for countless different online accounts. This is a difficult problem, because changing passwords for each account is a time-consuming and cumbersome process, and many users will neglect or forget to do it.

Since its emergence in October 2022, the Qilin ransomware has caused serious damage to a number of organizations globally. With its ability to spread rapidly and encrypt data effectively, Qilin has forced many businesses to shut down, causing huge financial losses and leaking sensitive customer information.

The emergence of the Qilin ransomware group has raised the alarm about the increasingly serious cybersecurity situation. To deal with the ever-evolving threats, organizations need to be more proactive in protecting their systems. Implementing multi-factor authentication, using strong endpoint security solutions and regularly updating security are urgent measures to prevent ransomware attacks.