April 27, 2024

Researchers detailed the activity of a sophisticated financially motivated threat actor called Karakurt. The activity of the group was first spotted in June 2021, but the group has been more active in Q3 2021.

Advertisements

In June 2021 the gang registered the domains hosting its leak sites, karakurt[.]group and karakurt[.]tech, while in August the group registered a Twitter account with the handle “karakurtlair.” .

The group focuses on data theft and extortion, but the researchers pointed out that it doesn’t use ransomware. In 2021 be Q4 hit over 40 victims

The actors focus almost exclusively on data exfiltration and extortion and are not using ransomware to lock their victims’ files.Most of the known victims (95%) are based in North America, while the remaining 5% are in Europe.

The analysis of the attack chain associated with this threat actor revealed that it primarily leverages VPN credentials to gain initial access to the target’s network.

Advertisements

Initially, the group gained persistence by using the popular post exploit tool Cobalt Strike. In recent attacks, the group switched on VPN IP pool or AnyDesk software to establish persistence and avoid detection.

Once gained access to the target network, the group uses various tools to escalate privileges, including Mimikatz or PowerShell to steal ntds.dit that contains Active Directory data.

The threat group in most attacks escalated privileges using previously obtained credentials. For data exfiltration the group has been seen utilizing 7zip and WinZip for compression, as well as Rclone or FileZilla (SFTP) to upload data to Mega.io cloud storage.

Advertisements

Mitigation

  • Employ robust and routine user-awareness and training regimens for users of all systems.
  • Robust crisis management and incident response plan
  • Maintain best practices against malware, such as patching, updating anti-virus software, implementing strict network egress policies, and using application whitelisting.
  • Patch internal & external assets regularly.
  • Disable RDP on external-facing devices and restrict workstation-to-workstation RDP connections.
  • Employ a strong corporate password policy that includes industry standards for password length, complexity, and expiration dates for both human and non-human accounts.
  • Use MFA where possible for authentication and admin account restrictions.
  • Do not store unprotected credentials in files and scripts on shared locations.
  • Encrypt data at rest where possible and protect related keys and technology.
Tags:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may have missed

GitLab April 2024 Security Advisory – CVE-2024-2434

April 26, 2024

CISA KEV Update April 2024 – Part II

April 25, 2024

ArcaneDoor Exploits Cisco ASA and FTD

April 25, 2024

Google Fixes Critical Vulnerability in Chrome -CVE-2024-4058

April 24, 2024

Red Ransomware Victimized Targus

April 23, 2024

Oracle Virtual Box Vulnerability PoC Released – CVE-2024-21111

April 22, 2024

Discover more from TheCyberThrone

Subscribe now to keep reading and get access to the full archive.

Continue reading