Accenture’s Cyber Investigations Forensics and Response (CIFR) team said in a report published on December 10 that the hacker group named Karakurt and was first identified in June 2021, is capable of modifying its tactics and techniques to adapt to the targeted environment.
CIFR team analyzed that , “ the threat group is focused on data exfiltration and subsequent extortion rather than the more destructive ransomware deployment. The threat group is financially motivated, opportunistic in nature and appears to target smaller companies or corporate subsidiaries versus the alternative big game hunting approach.”
- Karakurt[.]group and karakurt[.]tech – registered on June 5th, 2021.
- Twitter handle karakurtlair – created in August 2021.
- Karakurt known to be operational as early as September 2021, which is when components on its name and shame site were updated.
- First known victim based on Accenture Security’s collection sources and intrusion analysis – September 2021.
- First victim revealed on karakurt[.]group on November 17, 2021.
- First update to karakurt[.]group “News” page, with volumes 1 – 3 of the threat group’s “Autumn Data Leak Digest” on November 19, 2021.
- The fourth installment of “Autumn Data Leak Digest”, released on November 22, 2021.
Between September and November 2021, a previously undocumented, financially motivated threat group was linked to a string of data theft and extortion attacks on over 40 entities.
The majority of the known victims are from North America, with the remaining 5% from Europe. The most targeted market segments have been professional services, healthcare, industrial, retail, technology and entertainment.
Researchers reported that ,”The goal is to avoid drawing attention to its malicious activities as much as possible by relying on living off the land (LotL) techniques, in which attackers exploit legitimate software and functions available in a system, such as operating system components or installed software, to move laterally and exfiltrate data, rather than deploying post-exploitation tools like Cobalt Strike.
With ransomware attacks gaining global attention in the event of incidents targeting Colonial Pipeline, JBS and Kaseya, as well as the subsequent law enforcement actions that forced actors such as DarkSide, BlackMatter, and REvil to shut down their operations, Karakurt appears to be taking a different approach.
In addition to encrypting data at rest , organisations should enable multiple-factor authentication (MFA) to authenticate accounts, disable RDP on external-facing devices, and update infrastructure to the most recent versions to prevent adversaries from exploiting unpatched systems with publicly-known vulnerabilities.