[ad_1]
A classy cybercrime group who has been quietly working from the shadows has had its techniques and procedures uncovered by researchers who tracked current cyberattacks carried out by the hackers.
The hacking group calls itself ‘Karakurt’ and is a financially motivated risk actor that has ramped up its cyber-attacks in Q3 2021.
The primary indicators of Karakurt exercise had been recognized in June 2021, with the registration of two domains and the creation of a Twitter deal with.
Karakurt exercise timelineSource: Accenture
The actors focus virtually completely on information exfiltration and extortion and usually are not utilizing ransomware to lock their victims’ information.
The report on Karakurt comes from researchers at Accenture Safety, who managed to trace the group’s “residing off the land” techniques, toolset, and intrusion methods.
The risk group claims to have compromised over 40 victims between September and November 2021 and has posted downloadable stolen file packs on its websites.
Karakurt web site promoting stolen filesSource: Accenture
Roughly 95% of those victims are based mostly in North America, whereas the remainder are European entities. Karakurt is not centered on a selected business, so the victimology seems random.
Karakurt victims by sectorSource: Accenture
Entry, escalation, and exfiltration
The actor primarily makes use of VPN credentials to achieve preliminary entry to a sufferer’s community, both by sourcing them from sellers or phishing them themselves.
The persistence is established by dropping the broadly abused Cobalt Strike distant entry software, though, in current assaults, Karakurt switched to utilizing AnyDesk.
With Cobalt Strike beacons turning into extra aggressively detected by safety software program, AnyDesk has change into more and more widespread amongst risk actors, such because the Conti ransomware gang.
Subsequent, the actor steals extra credentials belonging to directors by using Mimikatz and makes use of them for undetectable privilege escalation.
“In a single intrusion, Accenture Safety additionally noticed the risk group avoiding using frequent post-exploitation instruments or commodity malware in favor of credential entry,” defined the report by Accenture.
“This strategy enabled it to evade detection and bypass safety instruments resembling frequent endpoint detection and response (EDR) options.”
For the exfiltration of the information, Karakurt makes use of 7zip and WinZip to compress the information after which sends every part to Mega.io through Rclone or FileZilla.
Encryption-less assaults
Whereas these assaults seem much less damaging in comparison with ransomware infections that encrypt information and wipe backups, they will nonetheless be fairly detrimental.
Threatening publishing stolen information can convey an organization to its knees even when its operational standing is left unruffled, with much less overhead concerned in conducting assaults.
Because of this, new hacking teams like SnapMC are focusing solely on information exfiltration and extortion as their risk mannequin.
Nevertheless, paying a ransom would not assure that risk actors will wipe stolen information or that it will not be bought to others, so it’s by no means clever to pay a ransom solely to forestall an information breach.
As an alternative, organizations ought to deal with protection, prevention, and detection measures to maintain these threats off their networks.
[ad_2]