Accenture researchers detailed the activity of a sophisticated financially motivated threat actor called Karakurt. The activity of the group was first spotted in June 2021, but the group has been more active in Q3 2021.
In June 2021 the gang registered the domains hosting its leak sites, karakurt[.]group and karakurt[.]tech, while in August the group registered a Twitter account with the handle “karakurtlair.” .
The group focuses on data theft and extortion, but the researchers pointed out that it doesn’t use ransomware.
Between September 2021 and November 2021, the group hit over 40 victims across multiple industries.
The actors focus almost exclusively on data exfiltration and extortion and are not using ransomware to lock their victims’ files.
“Accenture Security has identified a new threat group, the self-proclaimed Karakurt Hacking Team, that has impacted over 40 victims across multiple geographies. The threat group is financially motivated, opportunistic in nature, and so far, appears to target smaller companies or corporate subsidiaries versus the alternative big game hunting approach.” reads the analysis published by Accenture. “Based on intrusion analysis to date, the threat group focuses solely on data exfiltration and subsequent extortion, rather than the more destructive ransomware deployment.”
Most of the known victims (95%) are based in North America, while the remaining 5% are in Europe.
The analysis of the attack chain associated with this threat actor revealed that it primarily leverages VPN credentials to gain initial access to the target’s network.
In the initial attacks, the group gained persistence by using the popular post-exploitation tool Cobalt Strike. In recent attacks, the group switched on VPN IP pool or AnyDesk software to establish persistence and avoid detection.
Once gained access to the target network, the group uses various tools to escalate privileges, including Mimikatz or PowerShell to steal ntds.dit that contains Active Directory data.
However, the threat group in most attacks escalated privileges using previously obtained credentials.
For data exfiltration the group has been seen utilizing 7zip and WinZip for compression, as well as Rclone or FileZilla (SFTP) to upload data to Mega.io cloud storage.
The report includes MITRE ATT&CK Tactics and techniques observed for this threat actor along with suggested mitigations,
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Karakurt)
[adrotate banner=”5″]
[adrotate banner=”13″]
Google addressed a Chrome's Password Manager bug that caused user credentials to disappear temporarily for…
The Internet Systems Consortium (ISC) released BIND security updates that fixed several remotely exploitable DoS…
Terrorist groups are increasingly using cyberspace and digital communication channels to plan and execute attacks.…
Progress Software addressed a critical remote code execution vulnerability, tracked as CVE-2024-6327, in the Telerik Report…
A critical flaw in some versions of Docker Engine can be exploited to bypass authorization…
The CVE-2024-21412 flaw in the Microsoft Defender SmartScreen has been exploited to deliver information stealers…
This website uses cookies.