[BreachExchange] FBI, CISA: Don't get caught in Karakurt's extortion web

Fri Jun 3 08:26:05 EDT 2022

https://www.theregister.com/2022/06/03/fbi_cisa_warn_karakurt_extortion/

The Feds have warned organizations about a lesser-known extortion gang
Karakurt, which demands ransoms as high as $13 million and, some
cybersecurity folks say, may be linked to the notorious Conti crew.

In a joint advisory [PDF] this week, the FBI, CISA and US Treasury
Department outlined technical details about how Karakurt operates, along
with actions to take, indicators of compromise, and sample ransom notes.
Here's a snippet:

The recommend steps to take to defend against the crew are: patch known
vulnerabilities as a priority, train users to spot and report phishing
attempts, and require multi-factor authentication to thwart the use of
(say) stolen or guessed passwords.

Karakurt doesn't target any specific sectors or industries, and the gang's
victims haven't had any of their documents encrypted and held to ransom.

Instead, the crooks claim to have stolen data, with screenshots or copies
of exfiltrated files as proof, and they threaten to sell it or leak it
publicly if they don't receive a payment. The US agencies say these demands
range from $25,000 to $13 million in Bitcoin, and Karakurt typically sets a
one-week deadline to pay up.

The group used to operate a leak and auction website for exposing and
selling victims' data, but that domain and IP address went offline earlier
this spring. However, a dark-web site with several terabytes of supposed
victims' data, along with press releases naming organizations that had not
paid and instructions for buying victims' data resurfaced in May.

In addition to demanding payment, Karakurt, which is named after a type of
black widow spider, likes to bully its victims by harassing their
employees, business partners, and customers with emails and phone calls
that aim to pressure the company into paying the ransom.

The miscreants usually break into networks by either purchasing stolen
login credentials; using third-party initial access brokers, which sell
access to compromised systems; or by abusing security weaknesses in
infrastructure.

Some of the vulnerabilities that the crooks exploit for initial access,
according to the FBI and friends, include Log4Shell, multiple bugs in
outdated SonicWall and Fortinet Fortigate VPN appliances, outdated
Microsoft Windows Server instances, and then the usual email tricks such as
phishing and malicious attachments.

Once they've obtained access to a system, Karakurt then deploys tools such
as Cobalt Strike, Mimikatz, and AnyDesk to establish backdoors, pull
credentials, elevate privileges, and move laterally within networks.

The Feds also noted Karakurt sometimes extorts victims of previous
ransomware infections or even targets organizations already under attack by
another crime group. "In such cases, Karakurt actors likely purchased or
otherwise obtained previously stolen data," the agencies surmise about the
former.

And regarding the under-attack-by-multiple-gangs scenario: the US
government suggested "Karakurt actors purchased access to a compromised
system that was also sold to another ransomware actor."

Linked to Conti?

However, some private-sector security researchers have a different theory.
In research published in April, they reported a "high degree of confidence
that the Karakurt extortion group is operationally linked" to Conti.

This analysis was conducted by three firms: Tetra Defense, an incident
response team that SecOps provider Arctic Wolf acquired in February;
blockchain firm Chainalysis; and threat intel company Northwave, another IR
firm called in to work customers hit by the Karakurt crooks.

Both IR teams noted that the extortion gang used the exact same Cobalt
Strike backdoor that Conti had used to drill into the victims' networks.
"Such access could only be obtained through some sort of purchase,
relationship, or surreptitiously gaining access to Conti group
infrastructure," the threat researchers explained.

Other indicators include a common point of initial intrusion for Karakurt
and Conti attacks (Fortinet SSL VPNs), and overlapping tools used for
exfiltration: "a unique adversary choice to create and leave behind a file
listing of exfiltrated data named file-tree.txt in the victim's environment
as well as the repeated use of the same attacker hostname when remotely
accessing victims' networks."

The security teams then called in Chainalysis, which helped analyze
cryptocurrency transactions carried out by Conti and Karakurt and did,
indeed, find a financial connection between the two. ®
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20220603/f1ae2e7c/attachment.html>