Web browsers such as Chrome, Edge, and Opera contain a password management feature that stores account credentials and other information entered into a website's login form and automatically enters them on subsequent visits. Although this auto-login feature is convenient for users, it is also a security issue. RedLine, an information-stealing malware, is downloaded and executed via an online search for software. It targets these popular web browsers, specifically the “Login Data” file, an SQLite database that stores the account credentials. Once the threat actors collect the stolen credentials, they can sell them on the dark web or use them in further cyberattacks. Even if users decline to store their credentials in the browser, the password management system still adds a “blacklisted” entry, which indicates that an account exists and enables threat actors to conduct social engineering or credential stuffing attacks. In one example, an employee connected to their organization’s VPN service and used the password management feature to store their VPN and other account credentials. The threat actors stole the credentials and hacked the organization’s internal network several months later.
The NJCCIC recommends users manually enter account credentials, enable multi-factor authentication (MFA) where available, and configure specific rules for sensitive or confidential websites, such as banking/financial institutions and employer/organizational portals. Further technical details and IOCs can be found in the ASEC article.
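As an added example (not from the NJCCIC or ASEC material), the following Python audit lists what a copy of the “Login Data” database reveals without reading the password blobs, including the “blacklisted” (never-save) entries described above. The `logins` table and its `origin_url`, `username_value` and `blacklisted_by_user` columns are assumed from the Chromium schema; the sample rows, file path handling and function names are constructed for illustration.

```python
import sqlite3

# Assumed Chromium schema: table "logins" with columns origin_url,
# username_value and blacklisted_by_user (1 = user chose "never save").
QUERY = """
    SELECT origin_url, username_value, blacklisted_by_user
    FROM logins ORDER BY origin_url
"""

def audit_login_data(conn):
    """Return (saved, never_save): the accounts the file exposes.

    Password blobs are never selected; the audit only shows which
    sites and usernames are visible to anything that reads the file.
    """
    saved, never_save = [], []
    for origin, username, blacklisted in conn.execute(QUERY):
        if blacklisted:
            never_save.append(origin)          # no password, account still revealed
        else:
            saved.append((origin, username))   # stored credential present
    return saved, never_save

def open_read_only(path):
    """Open a copy of a Login Data file read-only (path supplied by the user)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def build_sample():
    """Constructed in-memory database standing in for a real Login Data file."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logins (origin_url TEXT, username_value TEXT,"
        " password_value BLOB, blacklisted_by_user INTEGER)"
    )
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?, ?)", [
        ("https://vpn.example.com/", "jdoe", b"<encrypted>", 0),
        ("https://bank.example.net/", "", b"", 1),
        ("https://mail.example.org/", "jdoe@example.org", b"<encrypted>", 0),
    ])
    return conn

if __name__ == "__main__":
    saved, never_save = audit_login_data(build_sample())
    for origin, user in saved:
        print(f"stored credential: {origin} ({user})")
    for origin in never_save:
        print(f"never-save entry still reveals an account at: {origin}")
```

To audit a real profile, pass a copy of the file to `open_read_only` with the browser closed, since the browser keeps the database locked while it is running.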