A previously undocumented, financially motivated threat group has been connected to a string of data-theft and extortion attacks on more than 40 entities between September and November 2021.
The hacking group, which calls itself Karakurt and was first identified in June 2021, is able to adapt its tactics and techniques to the targeted environment, Accenture's Cyber Investigation, Forensics and Response (CIFR) team said in a report published on December 10.
“The threat group is financially motivated, opportunistic in nature and, to date, appears to target smaller companies or corporate subsidiaries rather than taking a big-game-hunting approach,” the CIFR team said. “Based on intrusion analysis to date, the threat group is focused solely on data exfiltration and subsequent extortion, rather than deploying ransomware, which is more destructive in nature.”
95% of known victims are located in North America, while the remaining 5% are in Europe. The professional services, healthcare, industrial, retail, technology and entertainment verticals were the most targeted.
The goal, the researchers note, is to draw as little attention to its malicious activity as possible by relying on living-off-the-land (LotL) techniques, in which attackers abuse legitimate software and functionality already available on a system, such as operating system components or installed software, to move laterally and exfiltrate data, rather than deploying post-exploitation tools like Cobalt Strike.
With ransomware attacks drawing worldwide attention following the incidents targeting Colonial Pipeline, JBS and Kaseya, and with actors such as DarkSide, BlackMatter and REvil ceasing operations after subsequent law enforcement action, Karakurt appears to be taking a different approach.
Rather than deploying ransomware after gaining initial access to the victim's network through a legitimate VPN login, the attacker has focused mainly on exfiltrating data and extorting the victim, a modus operandi that is less likely to bring the target's business to a standstill but still allows Karakurt to demand a “ransom” in return for the stolen information.
In addition to encrypting data wherever applicable, organizations should enable multi-factor authentication (MFA) for account logins, disable RDP on externally facing devices, and keep infrastructure updated to the latest versions to prevent adversaries from exploiting unpatched systems with publicly known vulnerabilities.