Karakurt: Another Threat Actor Group on the Cyberthreat Landscape
Its Main Focus Is Data Exfiltration.
Accenture’s research team has identified a threat actor group dubbed Karakurt, the name the group gives itself. The group was first discovered in June this year. According to the researchers, its modus operandi changes depending on the environment it targets.
A previously unconfirmed, financially motivated threat group operating under the self-proclaimed name “Karakurt” started ramping up attacks late in the third quarter of 2021 and continued into the fourth quarter. The presence of Karakurt was first identified in June 2021, when it registered its apparent dump-site domains karakurt[.]group and karakurt[.]tech, followed by its Twitter handle “karakurtlair” in August 2021. Accenture Security first observed Karakurt intrusion clusters in September 2021, when multiple sightings occurred within a short timeframe. The threat group has claimed to have impacted over 40 victims across multiple industries between September 2021 and November 2021.
Karakurt and Its Tactics
The researchers described how the group operates:
- its motivation is financial;
- it uses living-off-the-land (LotL) techniques to avoid detection;
- it targets and abuses legitimate software already present in the environment;
- it also abuses built-in system functions, whether components of the OS or of installed software;
- abusing legitimate software and system functions in this way gives it both lateral movement across the targeted network and a channel for data exfiltration.
What is interesting about this group is that it does not use the usual ransomware deployment techniques. Rather than dropping ransomware payloads after gaining initial access to the network, the group was observed focusing almost exclusively on two activities: exfiltrating data and then extorting the victim. Because nothing is encrypted, the victim’s business operations are not interrupted, yet the group can still demand a “ransom” in exchange for the data it stole.
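Since this playbook never encrypts anything, file-encryption and ransom-note detections have nothing to fire on; what remains observable is the data leaving the network. The following added example (not from the article, Accenture or Heimdal) runs a simple exfiltration-volume check over a constructed proxy/flow log: the log layout, hostnames, destinations and thresholds are all assumptions.

```python
# Added example (not from the article): flag exfiltration-scale outbound
# transfers. With no ransomware payload, encryption alerts never fire; the
# bytes leaving the network are the remaining signal. Log layout, records
# and thresholds are constructed assumptions.
from collections import defaultdict
from statistics import median

# Constructed proxy/flow export: timestamp, source host, destination, bytes out.
SAMPLE_LOG = """\
2021-10-04T09:12:01Z ws-fin-07 sharepoint.corp.example 120000
2021-10-04T09:14:33Z ws-fin-07 updates.vendor.example 85000
2021-10-04T09:20:10Z ws-hr-02 sharepoint.corp.example 95000
2021-10-04T09:25:42Z ws-hr-02 mail.corp.example 60000
2021-10-04T10:02:09Z ws-ops-11 sharepoint.corp.example 110000
2021-10-04T22:41:09Z ws-fin-07 cdn.unknown-host.example 4800000000
2021-10-04T22:43:15Z ws-fin-07 cdn.unknown-host.example 5100000000
"""

def parse_log(text):
    """Yield (host, destination, bytes_out) from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            _ts, host, dest, size = line.split()
            yield host, dest, int(size)

def outbound_totals(records):
    """Sum bytes sent per (host, destination) pair."""
    totals = defaultdict(int)
    for host, dest, size in records:
        totals[(host, dest)] += size
    return dict(totals)

def flag_exfil_candidates(totals, ratio=20.0, min_bytes=1_000_000_000):
    """Return (host, destination) pairs worth triage: at least min_bytes moved,
    more than `ratio` times the median pair volume, and no other host in the
    fleet talks to that destination. Median, not mean, so one huge transfer
    cannot hide itself by inflating the baseline."""
    baseline = median(totals.values())
    hosts_per_dest = defaultdict(set)
    for host, dest in totals:
        hosts_per_dest[dest].add(host)
    return sorted(
        (host, dest)
        for (host, dest), size in totals.items()
        if size >= min_bytes
        and size > ratio * baseline
        and len(hosts_per_dest[dest]) == 1
    )
```

In a real deployment the baseline would be computed per host over a longer window and the "single host to this destination" rule replaced by a destination-reputation or newly-registered-domain lookup.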
What Industries Were Impacted?
The research revealed that Karakurt targets small businesses and corporate subsidiaries, with 5% of victims in Europe and 95% in North America. The most targeted industries have been healthcare, professional services, and the industrial sector, along with the entertainment and technology verticals.
How Can Heimdal™ Help?
Heimdal™ is always prepared with the best tools to make you a winner in the fight against cybercrime. Use an automated Privileged and Access Management tool to monitor privileged accounts and prevent insider and external threats, and pair it with Application Control, which lets you maintain your own lists of whitelisted and blacklisted applications. This granular approach works particularly well for data exfiltration prevention, since the applications allowed to run on your machines are restricted.
An automated Patch and Asset Management tool will help you keep your software updated efficiently: in less than 4 hours, the latest released patches are ready to be deployed across your systems.
The list can go on, but you’ve got the point. A proper cybersecurity stance starts with prevention, so get the right tools and keep the data exfiltration attempts away!