TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: The Qilin ransomware group now employs the unusual tactic of stealing user credentials from the Chrome browser prior to ransomware deployment. These credentials may be used in the future for re-entry or to target users’ personal accounts.
On August 22nd, security researchers from Sophos released a report on the Qilin ransomware group; specifically, the group’s adoption of a tactic for stealing credentials from victims’ web browsers. Qilin, also known as Agenda, is a ransomware variant that has been in active use since at least July 2022. The ransomware is written in the Golang programming language and observed attacks commonly involve double extortion, where data is exfiltrated prior to ransomware deployment.
In recently reported attacks, the group gained access to victim organizations by leveraging compromised credentials to infiltrate Active Directory (AD) domain controllers. It is unclear if these credentials were stolen by the same actors or purchased via darkweb marketplaces. Once access was achieved, the threat actors modified Group Policy Objects (GPOs) to deploy a PowerShell script designed to extract credentials stored in Chrome. The script was executed on each endpoint during user logon, harvesting passwords and exfiltrating them before deleting evidence. It is capable of extracting credentials from Chrome by decrypting entries in the browser's SQLite credential database. Credentials are sent to an external server prior to ransomware execution. In one recent case, attackers maintained persistence in the victim network for 18 days prior to the deployment of ransomware.
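One way a defender could surface this pattern in endpoint telemetry, as an added example that is not part of the original briefing or of eSentire's own detections: a Python check over constructed Sysmon-style events that flags PowerShell launched by the Group Policy logon-script host and any non-browser read of Chrome's Login Data file, rating a host that shows both behaviours as high confidence. The event fields, hostnames, paths and the {GPO-GUID} placeholder are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (Sysmon-like process-creation and file-read
# events); illustrative only, not records from the reported intrusions.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\gpscript.exe",
     "cmdline": r"powershell.exe -w hidden -ep bypass -File \\dc01\SYSVOL\corp.local\Policies\{GPO-GUID}\User\Scripts\Logon\logon.ps1"},
    {"host": "WS01", "type": "file_read",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "WS02", "type": "file_read",   # benign: the browser reading its own store
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\asmith\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "WS03", "type": "process",     # benign: user-launched admin script
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\Tools\inventory.ps1"},
]

LOGON_SCRIPT_HOSTS = {"gpscript.exe", "userinit.exe"}   # processes that run GPO logon scripts
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Chrome's saved-password store lives under User Data\<profile>\Login Data
CHROME_LOGIN_DATA = re.compile(r"\\Google\\Chrome\\User Data\\.*\\Login Data$", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Tag an event that matches one of the two behaviours; None otherwise."""
    img = basename(event["image"])
    if event["type"] == "process" and img in POWERSHELL \
            and basename(event["parent"]) in LOGON_SCRIPT_HOSTS:
        return "logon_script_powershell"          # a lead on its own: common in legit GPOs
    if event["type"] == "file_read" and img != "chrome.exe" \
            and CHROME_LOGIN_DATA.search(event["target"]):
        return "non_browser_chrome_credential_read"
    return None

def detect(events):
    """Group tags per host; both behaviours on one host is the high-confidence pattern."""
    tags = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            tags[ev["host"]].add(tag)
    findings = {}
    for host, seen in tags.items():
        if {"logon_script_powershell", "non_browser_chrome_credential_read"} <= seen:
            findings[host] = "high"
        elif "non_browser_chrome_credential_read" in seen:
            findings[host] = "medium"
        else:
            findings[host] = "low"
    return findings
```

Running `detect(SAMPLE_EVENTS)` reports only WS01, at high confidence; the GPO logon-script tag alone is deliberately kept low because many environments run legitimate logon scripts through PowerShell.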
eSentire research shows the actors behind Qilin are highly active. The group has posted ten victim organizations to their leak site in the past month. Attacks appear to be opportunistic and affect a range of industries including non-profit, construction, education, and manufacturing. The eSentire product suite includes a variety of detections to identify ransomware and ransomware precursor activity.
The addition of the theft of credentials from victim Chrome browsers is a notable change for Qilin ransomware operations. Stolen credentials are likely employed for lateral movement, sold via darkweb marketplaces, or used in future campaigns. The value of these credentials may be limited, as their theft is followed by ransomware deployment, and resetting credentials is a standard part of ransomware remediation. In cases where ransomware deployment fails, it is possible that credential theft is performed to add another monetization option for the attack. There is also the potential that impacted users stored non-work passwords on impacted devices; these credentials would not be reset as they are for personal accounts. Users are strongly encouraged to avoid using corporate devices for personal use, as it increases the risk posed to both organizations and individuals.
Another notable aspect of recent attacks is the 18-day dwell time. This space between initial access and ransomware deployment is unusual, as it gives defenders more time to identify and prevent the attack. The dwell time may indicate that an Initial Access Broker (IAB) was responsible for the compromise and sold their access to Qilin threat actors. The technical details to confirm or deny this theory are currently unavailable.
This evolution in Qilin's tactics underscores the increasing sophistication and adaptability of ransomware groups. The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities.
Bottom Line: National Public Data has released a statement confirming a breach of their records exposing millions of Americans' personal data. Due to the scope of this breach, it is advisable for individuals to assume that they are impacted and to proactively safeguard themselves, as cybercriminals could exploit their data for nefarious purposes.
On August 12th, National Public Data (NPD) released a statement regarding a security incident which exposed data of millions of Americans. National Public Data is a company that compiles personal information from public sources for background checks and other uses.
One day before NPD confirmed the security incident, news broke of a massive data leak involving 2.7 billion records exposed on a hacking forum. The leak revealed sensitive personal information, including names, Social Security Numbers (SSNs), and addresses.
Earlier this year, in April, a threat actor known as USDoD was claiming to be selling 2.9 billion records containing personal information from individuals in the U.S., UK, and Canada which was allegedly stolen from NPD. The threat actors were attempting to sell the data for $3.5 million USD.
Since the initial listing, various threat actors have released partial copies of the data; on August 6th, a threat actor known as "Fenice" posted the most complete version of stolen NPD data for free on the Breached hacking forum. They stated in a post that the data breach was conducted by another threat actor named "SXUL" instead of USDoD. The data consists of two text files totaling 277GB and containing nearly 2.7 billion plaintext records instead of the original 2.9 billion. It has been reported that USDoD was a broker or middleman for the initial posting and that SXUL was responsible for the compromise.
In the statement released by NPD, the company commented that "the information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es)". The company also stated that they believe the breach is associated with a threat actor "that was trying to hack into data in late December 2023". NPD acknowledged the leaks of data in April 2024 and summer 2024. The company stated they investigated the incident, cooperated with law enforcement, and reviewed potentially affected records, confirming if significant developments occur, they "will try to notify" the impacted individuals.
In a recent report by KrebsOnSecurity it was discovered that another NPD data broker, which shares access to the same consumer records, inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until August 19th. The data broker, recordscheck.net, was hosting an archive that included the usernames and passwords for the website's administrator. A review of the archive revealed that it included source code, plain text usernames, and passwords for different components of the site; the site itself is visually comparable to NPD's website, including identical login pages. Krebs reached out to the data broker and received confirmation that the archive file was removed and that the site is slated to cease operations in the near future. The company also stated the archive was an old version of the site with non-working code and passwords.
eSentire's Threat Response Unit (TRU) wrote about the National Public Data breach in the August 16th edition of the Weekly Threat Briefing.
The leak of 2.7 billion records, including SSNs, presents significant risks for identity theft and fraud. This breach highlights persistent flaws in how companies collect, store, and protect sensitive information, particularly when data is scraped from public sources.
The confirmation from NPD does not provide significant details about what may have occurred leading up to the publishing of the stolen data. Though not confirmed, the NPD data broker which published the passwords to its back-end database may provide insight into how a breach of NPD could have occurred if similar poor security practices were followed.
Previously observed breaches of this scale have led to long-term impacts on victims which include credit fraud, identity theft, and phishing attacks. The recurring nature of these incidents suggests that while technology has advanced, the approach to data protection remains insufficient, particularly when dealing with massive datasets involving millions of individuals. The scale of this leak is alarming and serves as a reminder of the ongoing challenges in protecting personal information in the digital age.
To mitigate risks, individuals should immediately monitor their credit reports, consider placing a credit freeze, and be vigilant against phishing attempts. Organizations should prioritize encrypting sensitive data, implementing stricter access controls, and regularly updating and securing their databases to prevent future breaches. Additionally, this incident underscores the importance of holding companies accountable for failing to safeguard personal data, which could lead to broader regulatory changes in data protection practices.
Bottom Line: Iranian state-backed cyber operations pose a significant risk to the integrity of U.S. elections, potentially leading to compromised campaign data, manipulation of public opinion, and long-term damage to democratic institutions and national security.
On August 19th, the Office of the Director of National Intelligence (ODNI), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint statement detailing increased Iranian efforts to influence U.S. elections. The advisory states the Intelligence Community (IC) has “observed increasingly aggressive Iranian activity during this election cycle, specifically involving influence operations targeting the American public and cyber operations targeting presidential campaigns.” This includes the recent attempts to compromise former President Trump’s campaign. The IC is confident that Iran has employed social engineering and other tactics to gain access to individuals directly connected to the presidential campaigns of both major political parties.
On August 20th, Recorded Future’s Insikt Group released a report on a cluster of malicious infrastructure associated with the Iran-backed threat group GreenCharlie, which is linked to cyber operations targeting U.S. political campaigns. This group is reportedly affiliated with Iran's Islamic Revolutionary Guard Corps’ Intelligence Organization (IRGC-IO) and shares similarities with other Iranian APTs including Mint Sandstorm, Charming Kitten, and TA453. GreenCharlie conducts espionage and surveillance using malware such as POWERSTAR, NokNok, and GORBLE, which are distributed through targeted spearphishing campaigns. Their targets include research analysts, government officials, and other high-value strategic entities, with a particular focus on U.S. political campaigns.
Additionally, the Handala cyber group, known for its connections to Iranian state-sponsored activities, recently had its account banned on X (formerly Twitter) following reports of coordinated inauthentic behavior. The group had been using the platform to spread pro-Palestinian and anti-Israeli propaganda, aligning with broader Iranian efforts to influence public opinion on geopolitical issues. Handala's online operations were characterized by the dissemination of disinformation and the amplification of divisive narratives, aiming to exploit regional tensions.
The recent escalation of Iranian cyber activities reflects Tehran's evolving tactics, highlighting their strategic aim to disrupt U.S. foreign policy and influence outcomes that could impact its national security interests. By intensifying efforts ahead of U.S. elections, Iran aims to shape political discourse and potentially influence voter behavior, a strategy consistent with previous interference attempts by both Iran and Russia. This reflects broader geopolitical maneuvers, where cyber and influence operations are increasingly used as strategic tools by state actors. Historically, such operations have thrived during periods of political tension, making it crucial for governments to take proactive measures to secure the integrity of elections and enhance public awareness of potential external influences.
GreenCharlie's use of sophisticated malware variants and a well-structured infrastructure highlights its capability and intent to conduct strategic intelligence gathering, likely under the direction of the IRGC-IO. This is not an isolated incident; Iranian cyber activity targeting political entities has been observed in the past, with groups like APT35 (Charming Kitten) involved in similar operations during elections in various countries. The overlaps between GreenCharlie and other IRGC-associated groups suggest a consolidated effort by Iran to refine and expand its cyber-espionage operations, posing a significant challenge to national security and electoral integrity.
eSentire’s Threat Intelligence team conducted threat hunts, searching across customer environments for any signs of GreenCharlie’s infrastructure or associated malware variants. IP addresses related to this activity have been blocked via eSentire MDR for Network’s Global Block list. Additionally, eSentire MDR for Endpoint maintains a variety of detections to identify activity associated with Iranian cyber actors.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.