TL;DR: Qilin’s typical intrusion path mixes stolen credentials, phishing, exposed VPN and RDP access, and exploitation of common perimeter and remote service weaknesses, according to Cybertrust Japan’s analysis of incidents around Asahi GHD. The pattern shows that identity, remote access, and vulnerability management failures are still being chained together faster than many security programmes can break them.
NHIMG editorial — based on content published by Cybertrust Japan: Qilin ransomware group TTP analysis and identity exposure patterns
By the numbers:
- Qilin had 151 attacks posted recently and was targeting multiple industries across several countries.
Questions worth separating out
Q: What breaks when exposed credentials and remote access are both present in a ransomware environment?
A: When exposed credentials and reachable remote access coexist, the attacker does not need to defeat authentication in a complex way.
Q: Why do VPNs, RDP, and appliance portals create such high ransomware risk?
A: They create high ransomware risk because they sit at the boundary between the internet and trusted internal systems.
Q: How do security teams know whether lateral movement controls are actually working?
A: They are working only if one compromised account cannot freely reach backup systems, administration interfaces, and sensitive file shares.
Practitioner guidance
- Harden every internet-facing identity path Inventory VPN, RDP, Citrix, and appliance portals, then remove any exposure that is not strictly required.
- Separate admin, backup, and recovery access Use distinct privileged accounts for administration, restoration, and infrastructure management.
- Track credential provenance and age Review whether exposed, purchased, inherited, or stale credentials still exist in production.
What's in the full article
Cybertrust Japan's full blog post covers the operational detail this post intentionally leaves for the source:
- The article breaks down the Qilin intrusion paths seen across recent incidents, including credential leakage, phishing, and exposed remote access.
- It maps the attacker’s common entry techniques to specific remote services and edge weaknesses such as VPN, RDP, Citrix, and appliance exposure.
- It lists representative vulnerabilities and access paths that Qilin affiliates have abused in real campaigns.
- It explains how to check whether your own environment shows the same compromise indicators or exposure patterns.
👉 Read Cybertrust Japan’s analysis of Qilin ransomware TTPs and identity exposure →
Qilin ransomware TTPs: where identity controls are breaking down?
Explore further
Credential exposure is the first governance failure, not a secondary control issue. Qilin’s access model shows that ransomware groups do not need sophisticated zero-day chains when exposed credentials and reachable services are already available. Identity programmes that focus on later-stage containment while leaving exposed authentication paths intact are defending the wrong boundary. The practitioner conclusion is simple: if credentials can be found, bought, or phished, the intrusion path is already open.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% only partial visibility, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: Who is accountable when ransomware spreads through exposed identity paths?
A: Accountability sits across IAM, PAM, infrastructure, and vulnerability management because the problem crosses authentication, access design, and patching. If remote services remain reachable without strong control, ownership must be shared and explicit. Frameworks such as NIST CSF, NIST SP 800-53, and CIS Controls all expect clear responsibility for access and exposure management.
👉 Read our full editorial: Qilin ransomware’s common TTPs expose identity control gaps