Threat Update
A recently discovered threat group called “Karakurt” has compromised small and medium-sized organizations by deploying ransomware dedicated to exfiltrating their sensitive data and extorting them for money with threats to publicly release said data. The “Karakurt” ransomware uniquely does not encrypt the data and lock down systems. Instead, it silently performs data exfiltration. The threat actors appear to be using legitimate credentials, either stolen or purchased, to access an organization’s VPN. Such activity can result in the exposure of sensitive customer information and trade secrets, resulting in extensive damage to both revenue and reputation.
Technical Detail & Additional Information
What is The Threat?
A new threat group calling themselves “Karakurt” has been gaining notoriety after a string of attacks at the end of 2021, and at the start of 2022. This group focuses primarily on compromising organizations to exfiltrate privileged information and extort them, rather than deploying some manner of ransomware as a threat group normally might. The group does not target specific industry types or organizations but tends to target MSPs and SMBs. The threat actors aim to have a small footprint, preferring to quietly compromise and exfiltrate what they need to instead of making a public statement. Their modus operandi is to use legitimate VPN credentials, either phished or purchased, to gain access to the target network. When inside they will spread quietly by stealing passwords with tools such as Mimikatz and establishing persistence using applications such as Cobalt Strike (and more recently AnyDesk). Karakurt also tends to use tools that may already be available in the environment to exfiltrate sensitive data, including Filezilla, WinZip, 7Zip and Rclone. However, the group has been known to download these applications if they are not present. After a compromise, the group will attempt to privately contact their target through several channels, stating that they have exfiltrated sensitive data, provide proof, and demand payment. They also maintain a public website where this stolen data can be used to “name and shame” organizations that do not pay.
Why is it Noteworthy?
Unlike many other currently operating threat groups, Karakurt operates with little disruption and a primary focus on extortion and profit. Where a larger group might seek to make a statement by attacking large industries and popular names for notoriety and the subsequent large ransom they might earn, Karakurt instead quietly compromises what they can (most likely whomever they can get VPN credentials from) and seeks to exfiltrate data with as little noise as possible. Their preclusion to deploying ransomware even when given the opportunity is unusual, but does not make them any less of a threat.
What is the Exposure Risk?
Unlike a threat group that might deploy ransomware and irrecoverably damage an organization’s entire network by encrypting files and restricting access for legitimate users, the main risk of exposure from Karakurt is data exfiltration and extortion. If compromised, the sensitive files from an organization will be copied by the threat group and disseminated unless extortion is paid. If sensitive customer data or organizational information is made public, this can result in extreme damage to both the organizations’ reputation and any trade secrets they may be housing. Additionally, although the group may claim otherwise, it is not guaranteed that even in the event of a paid extortion that your files will be completely deleted and not used for further extortion or compromise.
What are the Recommendations?
We recommend the following actions to limit exposure to these and similar threats:
· Perform regular phishing awareness tests and train users to recognize the common signs of malicious emails to prevent the leaking of credentials.
· Disable RDP on any externally facing devices or systems, as it is one of the most common vectors of compromise.
· Implement a strong password policy, including industry standards for password length, complexity, and expiration dates for both human and non-human accounts (particularly service accounts, which may normally be exempt from such policies).
· Implement Multi Factor Authentication (MFA) wherever possible for authentication to corporate accounts, including remote access mechanisms and security tools. This ensure that even with legitimate credentials, any attacker will still be required to authenticate via MFA which is much more difficult.