CyberWire Daily - The rise of Karakurt Hacking Team.

Episode Date: January 8, 2022

Guest Rob Boyce, Accenture's Global Lead for Cyber Incident Response and Transformation Services, joins Dave to discuss their research "Karakurt rises from its lair." Accenture Security has identified... a new threat group, the self-proclaimed Karakurt Hacking Team, that has impacted over 40 victims across multiple geographies. The threat group is financially motivated, opportunistic in nature, and so far, appears to target smaller companies or corporate subsidiaries versus the alternative big game hunting approach. Based on intrusion analysis to date, the threat group focuses solely on data exfiltration and subsequent extortion, rather than the more destructive ransomware deployment. In addition, Accenture Security assesses with moderate-to-high confidence that the threat group's extortion approach includes steps to avoid, as much as possible, drawing attention to its activities. The research can be found here: Karakurt rises from its lair

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities,
Starting point is 00:01:10 solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. So we had stumbled upon this threat actor team in September when we saw a number of very similar tactics being used, which were very different than what we were used to if we were just coming off the ransomware wave, where they were behaving differently. That's Robert Boyce.
Starting point is 00:01:39 He's global lead of cyber incident response and transformation services at Accenture Security. The research we're discussing today is titled, Karakurt Rises from its Lair. And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024.
Starting point is 00:02:21 These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see.
Starting point is 00:03:05 Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. And we just started to put some pieces together as we were doing our investigations, global coordination, and we found there was a lot of similarities. And so we just started digging into it a little bit more. And then, of course, we uncovered Karakurt as their self-proclaimed name and just started seeing some really interesting tactics that this group was using, which was very different than some of the traditional ransomware threat actors. So what are some of the things that set Karakurt apart? So a couple of things that we find very interesting. This group tries to limit the use of malware as much as possible, and they're not really in the business of destructive events.
Starting point is 00:04:00 They're really more in there to quickly get in and extort data and then extort the victims with the data theft as opposed to launching a ransomware attack and causing business disruption. Any speculation on who is behind this? No, it's really interesting. We haven't had enough intelligence yet to be able to really do attribution more than what their own self-proclaimed name is and some of the tactics that they've been using. And who do they seem to be targeting here? Yeah, so they're targeting more of the small to medium-sized businesses or subsidiaries to large enterprises. They're not really going after the big game hunting that we've seen some other threat groups go after. And so suppose you find yourself falling victim to these folks. By what means are they getting into your organization?
Starting point is 00:04:55 Yeah, so they're getting in really through credentials. And we don't yet have enough intelligence to know how they're obtaining the credentials, but they're leveraging credentials through VPN access, almost exclusively of what we've seen so far, at least the cases that we have worked. And of course, all of those VPN devices do not have two-factor authentication installed. So it's making it quite easy for them to be successful in their initial intrusion. So they get in, as you said, they get in, they get the data that they want to grab, they get out. What happens next?
Starting point is 00:05:26 Well, then they start reaching out to the victims and start pressuring them, extorting them for not disclosing the data. And what's also interesting about these guys is that they contact the victim in multiple ways, right? So they will, of course, leave the evidence on a machine, or they will reach out via email, or they may even go back in and remind them, you know, we've actually seen them even leave a note file on a desktop that says your EDR will not save you. So they really try and apply a lot of pressure to the victims through, you know, multiple forms of communication. And do they seem to be having success here? Has there been any way to track whether people are making payments? It's hard to say. I mean, they've mentioned that they've, on their site, compromised over 40 victims and growing. And they have been disclosing,
Starting point is 00:06:17 you know, following through with their threat of disclosing data for victims who haven't been paying. So we've seen that. So you could probably do some simple math of taking a look of how many victims they say they've had and how many disclosures they've had and maybe have a rough idea of how many people may be paying them, but we haven't done that analysis. What level of sophistication do you suppose
Starting point is 00:06:37 we're dealing with with this particular group? Yeah, it's hard to say. They're really in it for the short-term wins. And so, as I said, they're leveraging known credentials, targeting vulnerable systems that don't have the added protection of two-factor. They're using a lot of really living off the land techniques to try and avoid detection.
Starting point is 00:06:58 So as I was mentioning before, they're not really looking at leveraging known malware. We have seen them use Cobalt Strike. We have seen them use Mimikatz, but it's more in an instance of maybe when they get stuck, because they're trying to leverage their, you know, the credentials and the applications that are available to them inside the organization to move laterally and to then execute their mission of exfiltrating data. So it's really hard to say the sophistication of the team because they're using such basic methods to be successful. And so what are your recommendations then for organizations
Starting point is 00:07:31 to best protect themselves? Yeah, this is a funny one. It's something we've been saying for, I don't know, 20 years at least. You know, patch your systems, turn on two-factor authentication, you know, just the basic security IT hygiene would really help organizations avoid a visit from this threat actor for sure. And as we were saying earlier, they are targeting small to medium-sized organizations, which probably often overlook these very basic security protocols. Yeah, it really seems like they're an opportunistic group. Yeah, absolutely. It's really interesting, the difference of when we were just before this happened. Because we saw them stand themselves up in June, start registering their domains, get their social media ready in August.
Starting point is 00:08:18 And then really we started seeing a cluster of activity in September moving forward to the end of the year. Even this morning, I received another notification from my client looking for help for this exact team. But prior to that, we were dealing with these larger destructive events that were making a lot of media headlines. And it seems that this team has really tried to avoid, not like play it under the radar, but also avoid attribution, right? And I think there's a couple of reasons for that. You know, these are, you know, best guesses. But, you know, as we saw the large ransomware events early in the year, we started seeing a lot more law enforcement engagement. And that law enforcement engagement, of course, led to some of the OFAC
Starting point is 00:09:00 sanctions and having some threat actors on that list. And when this team avoids malware and doesn't use malware, it's much harder for us to be able to perform attribution, right? And it also takes a target off their back when they're not having business disruption from being targeted by law enforcement. And of course, it makes it easier for the victims to pay if they don't appear on the OFAC list or if we're not able to provide attribution to them to determine that they would be on the OFAC list. So, you know, it's a really interesting tactic. like nuisanceware, you know, where it's not terribly destructive. It's a bit of a time suck. It's not going to be cripplingly expensive. So, you know, you pay your fee and everybody goes on with life. Yeah, correct. And I think their success, to me, we're starting to see a couple more groups emerge. They're taking some very similar tactics. So I think they're starting
Starting point is 00:10:02 to set a bit of a standard for an alternate way to be able to get financial gain in this space without having to cause the business disruption and get all the attention that some of the other bigger, some of the big game hunters we've seen. Our thanks to Accenture Security's Robert Boyce for joining us. The research is titled, Karakurt Rises from Its Lair. We'll have a link in the show notes. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:10:53 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:11:33 Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Carrigan, Kirill Terrio, Ben Yellen, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
