Pierluigi Paganini
December 11, 2021
Accenture researchers detailed the activity of a sophisticated financially motivated threat actor called Karakurt. The activity of the group was first spotted in June 2021, but the group has been more active in Q3 2021.
In June 2021 the gang registered the domains hosting its leak sites, karakurt[.]group and karakurt[.]tech, while in August the group registered a Twitter account with the handle “karakurtlair.” .
The group focuses on data theft and extortion, but the researchers pointed out that it doesn’t use ransomware.
Between September 2021 and November 2021, the group hit over 40 victims across multiple industries.
The actors focus almost exclusively on data exfiltration and extortion and are not using ransomware to lock their victims’ files.
“Accenture Security has identified a new threat group, the self-proclaimed Karakurt Hacking Team, that has impacted over 40 victims across multiple geographies. The threat group is financially motivated, opportunistic in nature, and so far, appears to target smaller companies or corporate subsidiaries versus the alternative big game hunting approach.” reads the analysis published by Accenture. “Based on intrusion analysis to date, the threat group focuses solely on data exfiltration and subsequent extortion, rather than the more destructive ransomware deployment.”
Most of the known victims (95%) are based in North America, while the remaining 5% are in Europe.
The analysis of the attack chain associated with this threat actor revealed that it primarily leverages VPN credentials to gain initial access to the target’s network.
In the initial attacks, the group gained persistence by using the popular post-exploitation tool Cobalt Strike. In recent attacks, the group switched on VPN IP pool or AnyDesk software to establish persistence and avoid detection.
Once gained access to the target network, the group uses various tools to escalate privileges, including Mimikatz or PowerShell to steal ntds.dit that contains Active Directory data.
However, the threat group in most attacks escalated privileges using previously obtained credentials.
For data exfiltration the group has been seen utilizing 7zip and WinZip for compression, as well as Rclone or FileZilla (SFTP) to upload data to Mega.io cloud storage.
The report includes MITRE ATT&CK Tactics and techniques observed for this threat actor along with suggested mitigations,
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Karakurt)
[adrotate banner=”5″]
[adrotate banner=”13″]
