{"id":20425,"date":"2024-09-11T14:59:09","date_gmt":"2024-09-11T07:59:09","guid":{"rendered":"https:\/\/thegioifirewall.com\/?p=20323"},"modified":"2025-03-24T07:27:22","modified_gmt":"2025-03-24T07:27:22","slug":"phan-mem-tong-tien-qilin-bi-bat-qua-tang-an-cap-thong-tin-dang-nhap-duoc-luu-tru-trong-google-chrome","status":"publish","type":"post","link":"https:\/\/vacif.com\/en\/phan-mem-tong-tien-qilin-bi-bat-qua-tang-an-cap-thong-tin-dang-nhap-duoc-luu-tru-trong-google-chrome\/","title":{"rendered":"Qilin ransomware caught red-handed stealing login credentials stored in Google Chrome"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"572\" src=\"http:\/\/aws.vacif.com\/wp-content\/uploads\/sites\/3\/2024\/09\/phan-mem-tong-tien-qilin-bi-bat-qua-tang-an-cap-thong-tin-dang-nhap-duoc-luu-tru-trong-google-chrome-1024x572.png\" alt=\"\" class=\"wp-image-20325\" srcset=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2024\/09\/phan-mem-tong-tien-qilin-bi-bat-qua-tang-an-cap-thong-tin-dang-nhap-duoc-luu-tru-trong-google-chrome-1024x572.png 1024w, https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2024\/09\/phan-mem-tong-tien-qilin-bi-bat-qua-tang-an-cap-thong-tin-dang-nhap-duoc-luu-tru-trong-google-chrome-600x335.png 600w, https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2024\/09\/phan-mem-tong-tien-qilin-bi-bat-qua-tang-an-cap-thong-tin-dang-nhap-duoc-luu-tru-trong-google-chrome-300x168.png 300w, https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2024\/09\/phan-mem-tong-tien-qilin-bi-bat-qua-tang-an-cap-thong-tin-dang-nhap-duoc-luu-tru-trong-google-chrome-768x429.png 768w, https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2024\/09\/phan-mem-tong-tien-qilin-bi-bat-qua-tang-an-cap-thong-tin-dang-nhap-duoc-luu-tru-trong-google-chrome.png 1275w\" 
sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Familiar ransomware develops an appetite for passwords to third-party websites.<\/p>\n\n\n\n<p>Written by Lee Kirkpatrick, Paul Jacobs, Harshal Gosalia, Robert Weiland<\/p>\n\n\n\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2024\/08\/22\/qilin-ransomware-caught-stealing-credentials-stored-in-google-chrome\/\"><strong>August 22, 2024<\/strong><\/a><\/p>\n\n\n\n<p>In a recent investigation of a Qilin ransomware attack, the Sophos X-Ops team discovered attacker activity that led to the mass theft of credentials stored in the Google Chrome browser on a number of the network's endpoints, a credential-harvesting technique whose consequences can reach far beyond the initial victim organization. This is an unusual tactic, and it may be a factor that further multiplies the chaos already inherent in ransomware situations.<\/p>\n\n\n\n<p><strong>What is Qilin?<\/strong><\/p>\n\n\n\n<p>The Qilin ransomware group has been active for more than two years. They made the news in June 2024 because of S, a governmental service provider to many medical facilities and hospitals in the United Kingdom.<\/p>\n\n\n\n<p>Before the activity described in this article, Qilin attacks typically involved &#8220;double extortion&#8221;: stealing the victim's data, encrypting their systems, and then threatening to leak or sell the stolen data if the victim does not pay for the decryption key. This tactic was discussed in the recent &#8220;<a href=\"https:\/\/news.sophos.com\/en-us\/2024\/08\/06\/turning-the-screws-the-pressure-tactics-of-ransomware-gangs\/\">Turning the Screws<\/a>&#8221; research.<\/p>\n\n\n\n<p>The Sophos IR team observed the activity described in this article in July 2024. For context, the activity was detected on a domain controller in the target's Active Directory domain. Other domain controllers in that AD domain were also infected, but were affected by Qilin in different ways.<\/p>\n\n\n\n<p><strong>Opening moves<\/strong><\/p>\n\n\n\n<p>The attacker gained initial access to the environment through compromised credentials. Unfortunately, this method of initial access is nothing new for Qilin (or for other ransomware groups). Our investigation showed that the VPN portal lacked multi-factor authentication (MFA) protection.<\/p>\n\n\n\n<p>The attacker's dwell time between the initial intrusion into the network and the next actions was 18 days, which may or may not indicate that an Initial Access Broker (IAB) carried out the actual intrusion. In any case, 18 days after the initial intrusion, attacker activity on the system increased, with traces showing lateral movement to a domain controller using compromised credentials.<\/p>\n\n\n\n<p>Once the attacker reached that domain controller, they edited the default domain policy to introduce a logon-based Group Policy Object (GPO) containing two items. The first item, a PowerShell script named IPScanner.ps1, was written to a temporary directory within the SYSVOL (SYStem VOLume) share (the shared NTFS directory located on each domain controller in an Active Directory domain) on the specific domain controller involved. It contained a 19-line script that attempted to harvest the credential data stored in the Chrome browser.<\/p>\n\n\n\n<p>The second item, a batch script named logon.bat, contained the commands to execute the first script. This combination resulted in the harvesting of credentials saved in the Chrome browser on machines connected to the network. Because these two scripts were in a logon GPO, they would run on every client machine as it logged in.<\/p>\n\n\n\n<p><strong>On the endpoints<\/strong><\/p>\n\n\n\n<p>Whenever a logon occurred on an endpoint, logon.bat would launch the IPScanner.ps1 script, which in turn created two files: a SQLite database file named LD and a text file named temp.log, as shown in Figure 1.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/aws.vacif.com\/wp-content\/uploads\/sites\/3\/2024\/09\/phan-mem-tong-tien-qilin-bi-bat-qua-tang-an-cap-thong-tin-dang-nhap-duoc-luu-tru-trong-google-chrome-1-1024x389.png\" alt=\"\" class=\"wp-image-20327\"\/><\/figure>\n\n\n\n<p>Figure 1: We call this demo device Hemlock because it is poisonous: the two files created by the logon script on the infected machine<\/p>\n\n\n\n<p>These files were written to a newly created directory on the domain's SYSVOL share, named after the hostname of the device(s) on which they were executed (in our example, Hemlock).<\/p>\n\n\n\n<p>The LD database file contains the structure shown in Figure 2.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/aws.vacif.com\/wp-content\/uploads\/sites\/3\/2024\/09\/phan-mem-tong-tien-qilin-bi-bat-qua-tang-an-cap-thong-tin-dang-nhap-duoc-luu-tru-trong-google-chrome-2-1024x925.png\" alt=\"\" class=\"wp-image-20328\"\/><\/figure>\n\n\n\n<p>Figure 2: Inside LD, the SQLite database file dropped into SYSVOL<\/p>\n\n\n\n<p>Showing confidence that they would not be caught or lose access to the network, the attacker left this GPO active on the network for more than three days. This gave users ample opportunity to log on to their devices and, without their knowledge, trigger the credential-harvesting script on their systems. Again, because all of this was done through a logon GPO, every user would go through this credential harvesting each time they logged in.<\/p>\n\n\n\n<p>To make it harder to assess the extent of the compromise, once the files containing the harvested credentials had been stolen and exfiltrated, the attacker deleted all the files and cleared the event logs on both the domain controller and the infected machines. After deleting the evidence, they proceeded to encrypt the files and drop the ransom note, as shown in Figure 3. This ransomware leaves a copy of the note in every directory on the device on which it runs.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"http:\/\/aws.vacif.com\/wp-content\/uploads\/sites\/3\/2024\/09\/phan-mem-tong-tien-qilin-bi-bat-qua-tang-an-cap-thong-tin-dang-nhap-duoc-luu-tru-trong-google-chrome-3.png\" alt=\"\" class=\"wp-image-20329\"\/><\/figure>\n\n\n\n<p>Figure 3: The Qilin ransom note<\/p>\n\n\n\n<p>The Qilin group once again used a GPO as the mechanism for acting on the network, having it create a scheduled task to run a batch file named run.bat, which downloaded and executed the ransomware.<\/p>\n\n\n\n<p><strong>Impact<\/strong><\/p>\n\n\n\n<p>In this attack, the IPScanner.ps1 script targeted the Chrome browser, statistically the choice most likely to yield the largest number of passwords, since Chrome currently holds more than 65 percent of the browser market. The success of each attempt depends on exactly which credentials each user is storing in the browser. (As for the number of passwords that might be obtained from each infected machine, a recent survey found that the average user has 87 work-related passwords, and roughly twice that many personal passwords.)<\/p>\n\n\n\n<p>A successful compromise of this kind means that defenders not only have to change all Active Directory passwords; in theory, they should also ask end users to change their passwords for the dozens, potentially hundreds, of third-party websites for which those users have saved username-password combinations in the Chrome browser. Of course, defenders have no way to force users to do that. As for the end-user experience, although nearly every internet user by now has received at least one &#8220;your information has been compromised&#8221; notice from a website that lost control of its users' data, in this situation the relationship is reversed: one user, dozens or hundreds of separate compromises.<\/p>\n\n\n\n<p>Perhaps interestingly, in this particular attack the other domain controllers in the same Active Directory domain were encrypted, but the domain controller on which this particular GPO was originally configured was not encrypted by the ransomware. What this might mean, whether a mistake, an oversight, or A\/B testing by the attacker, is outside the scope of our investigation (and of this post).<\/p>\n\n\n\n<p><strong>Conclusion<\/strong><\/p>\n\n\n\n<p>Predictably, ransomware groups continue to change their tactics and expand their techniques. The Qilin ransomware group may have decided that, by targeting only the network assets of their target organizations, they were missing an opportunity.<\/p>\n\n\n\n<p>If they or other attackers also decide to exploit credentials stored on endpoints, which could provide a foothold for the next target, or a trove of information on high-value targets to be exploited by other means, then a dark new chapter may have opened in the ongoing story of cybercrime.<\/p>\n\n\n\n<p><strong>Acknowledgements<\/strong><\/p>\n\n\n\n<p>Anand Ajjan of SophosLabs, as well as Ollie Jones and Alexander Giles from the Incident Response team, contributed to this analysis.<\/p>\n\n\n\n<p><strong>Response and remediation<\/strong><\/p>\n\n\n\n<p>Organizations and individuals should rely on password management applications that follow industry best practices for software development and are regularly audited by an independent third party. The use of browser-based password managers has repeatedly been shown to be insecure, with this article being the most recent evidence.<\/p>\n\n\n\n<p>Multi-factor authentication would have been an effective preventive measure in this situation, as we have said <a href=\"https:\/\/news.sophos.com\/en-us\/2024\/04\/03\/active-adversary-report-1h-2024\/\">elsewhere<\/a>. Although MFA use continues to grow, a 2024 Lastpass study indicates that while MFA adoption at companies with more than 10,000 employees is a not-too-terrible 87%, that adoption rate drops off quickly: to 78% for companies with 1,001-1000 employees, and down to 27% for businesses with 25 or fewer employees. Bluntly, businesses must do better, for their own safety and, in this case, for the safety of other companies.<\/p>\n\n\n\n<p>Our Powershell.01 query is the tool that identifies the suspicious PowerShell commands executed during the attack. That query is available free <a href=\"http:\/\/github.com\/SophosRapidResponse\/OSQuery\/blob\/main\/Artefacts\/PowerShell\/Powershell.01.1-%20Powershell-commands-and-scripts.sql\">on our Github<\/a>, along with many other queries.<\/p>\n\n\n\n<p>Sophos detects Qilin ransomware as <strong>Troj\/Qilin-B<\/strong> and detects the behavior as <strong>Impact_6a &amp; Lateral_8a<\/strong>. The script described above is detected as <strong>Troj\/Ransom-HDV<\/strong>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Familiar ransomware develops an appetite for passwords to third-party websites. Written by Lee Kirkpatrick, Paul Jacobs, Harshal Gosalia, Robert Weiland August 22, 2024 In a recent investigation of a Qilin ransomware attack, the Sophos X-Ops team 
[&hellip;]<\/p>\n","protected":false},"author":13,"featured_media":20325,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[80,10],"tags":[494,92],"class_list":["post-20425","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-huong-dan-tai-lieu","category-tin-tuc","tag-qilin","tag-ransomware","entry","has-media"]}