
A sophisticated cybercrime group that has been quietly operating from the shadows has had its tactics and procedures exposed by researchers who tracked recent cyberattacks carried out by the hackers.
The hacking group calls itself 'Karakurt' and is a financially motivated threat actor that ramped up its cyberattacks in Q3 2021.
The first indicators of Karakurt activity were identified in June 2021, with the registration of two domains and the creation of a Twitter handle.
Source: Accenture
The actors focus almost exclusively on data exfiltration and extortion and do not use ransomware to lock their victims' files.
The report on Karakurt comes from researchers at Accenture Security, who managed to track the group's "living off the land" tactics, toolset, and intrusion methods.
The threat group claims to have compromised over 40 victims between September and November 2021 and has posted downloadable packs of stolen files on its websites.

Source: Accenture
Roughly 95% of these victims are based in North America, while the rest are European entities. Karakurt is not focused on a particular industry, so the victimology appears random.
Source: Accenture
Access, escalation, and exfiltration
The actor primarily uses VPN credentials to gain initial access to a victim's network, either by buying them from sellers or phishing them directly.
Persistence is established by dropping the widely abused Cobalt Strike remote access tool, although in recent attacks Karakurt switched to using AnyDesk.
With Cobalt Strike beacons being detected more aggressively by security software, AnyDesk has become increasingly popular among threat actors, such as the Conti ransomware gang.
Next, the actor steals additional credentials belonging to administrators using Mimikatz and uses them for privilege escalation without being detected.
"In one intrusion, Accenture Security also observed the threat group avoiding the use of common post-exploitation tools or commodity malware in favor of credential access," explained the report by Accenture.
"This approach enabled it to evade detection and bypass security tools such as common endpoint detection and response (EDR) solutions."
For the exfiltration of the data, Karakurt uses 7zip and WinZip to compress the files and then sends everything to Mega.io via Rclone or FileZilla.
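The staging-then-upload pattern described above (archiver run, then Rclone or FileZilla, then traffic to Mega) is something a blue team can correlate directly from endpoint process and network telemetry. The following is an added example written for this article, not code from Accenture or from the report: a small Python correlation rule that flags a host where a transfer tool or a Mega connection appears within a short window after an archiver was launched. The log format, the host names, the "mega.nz" domain, the exact binary names, and the 30-minute window are all assumptions made for the example; the sample events are constructed.

```python
"""Correlate archiver runs with follow-on transfer activity per host.

Added example for the Karakurt article: it is not Accenture's code and the
telemetry format below is constructed. Real EDR or proxy logs must be mapped
onto the (timestamp, host, event_type, detail) shape used here.
"""
from datetime import datetime, timedelta

# Binary names for the tools the article names (7zip, WinZip, Rclone,
# FileZilla). The exact process names are an assumption for this example.
ARCHIVERS = {"7z.exe", "7zg.exe", "7zfm.exe", "winzip64.exe", "winzip32.exe"}
TRANSFER_TOOLS = {"rclone.exe", "filezilla.exe"}
# "mega.io" is named in the article; "mega.nz" is an assumed additional domain.
CLOUD_DOMAINS = ("mega.io", "mega.nz")
WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed sample telemetry, one event per line:
# timestamp,host,event_type,detail   (event_type is "process" or "netconn")
SAMPLE_LOG = """\
2021-11-02T09:00:00,ws-finance-07,process,7z.exe
2021-11-02T09:04:10,ws-finance-07,process,rclone.exe
2021-11-02T09:04:12,ws-finance-07,netconn,upload.mega.nz:443
2021-11-02T10:15:00,ws-hr-03,process,WinZip64.exe
2021-11-02T14:30:00,ws-hr-03,process,filezilla.exe
2021-11-02T11:00:00,srv-files-01,process,rclone.exe
""".splitlines()


def parse_event(line):
    """Split one constructed log line into (timestamp, host, type, detail)."""
    ts, host, etype, detail = line.split(",", 3)
    return datetime.fromisoformat(ts), host, etype, detail.strip().lower()


def is_staging(etype, detail):
    """True when the event is an archiver process start."""
    return etype == "process" and detail in ARCHIVERS


def is_transfer(etype, detail):
    """True for a transfer-tool process or an outbound connection to Mega."""
    if etype == "process":
        return detail in TRANSFER_TOOLS
    if etype == "netconn":
        hostname = detail.rsplit(":", 1)[0]
        return any(hostname == d or hostname.endswith("." + d) for d in CLOUD_DOMAINS)
    return False


def correlate(lines, window=WINDOW):
    """Return one alert per transfer event that follows an archiver run on the
    same host within `window`. Transfer activity with no prior staging, or
    staging that is too old, is ignored to keep the rule quiet."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e[0])
    last_staging = {}  # host -> (timestamp, archiver name) of latest archiver run
    alerts = []
    for ts, host, etype, detail in events:
        if is_staging(etype, detail):
            last_staging[host] = (ts, detail)
        elif is_transfer(etype, detail):
            staged = last_staging.get(host)
            if staged and ts - staged[0] <= window:
                alerts.append({
                    "host": host,
                    "staging": staged[1],
                    "transfer": detail,
                    "gap_seconds": int((ts - staged[0]).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(f"ALERT {alert['host']}: {alert['staging']} then "
              f"{alert['transfer']} after {alert['gap_seconds']}s")
```

On the constructed sample only ws-finance-07 is flagged (twice: once for the Rclone process and once for the Mega connection); ws-hr-03 ran WinZip and FileZilla more than four hours apart, and srv-files-01 ran Rclone with no staging at all, so both stay silent. Tuning the window and adding legitimate backup jobs to an allow-list is the main work when turning this into a production rule.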
Encryption-less attacks
While these attacks appear less damaging than ransomware infections that encrypt data and wipe backups, they can still be quite detrimental.
Threatening to publish stolen files can bring an organization to its knees even if its operations are left untouched, with less overhead involved in conducting the attacks.
For this reason, new hacking groups like SnapMC are focusing solely on data exfiltration and extortion as their threat model.
However, paying a ransom doesn't guarantee that threat actors will wipe the stolen data or that it won't be sold to others, so it's never wise to pay a ransom solely to prevent a data breach.
Instead, organizations should focus on defense, prevention, and detection measures to keep these threats off their networks.
