CSO

FBI, CISA: Don't get caught in Karakurt's extortion web

Is this gang some sort of Conti side hustle? The answer may be yes


The Feds have warned organizations about a lesser-known extortion gang Karakurt, which demands ransoms as high as $13 million and, some cybersecurity folks say, may be linked to the notorious Conti crew.

In a joint advisory [PDF] this week, the FBI, CISA and US Treasury Department outlined technical details about how Karakurt operates, along with actions to take, indicators of compromise, and sample ransom notes. Here's a snippet:

FAQ: Who the hell are you? The Karakurt Team. Pretty skilled hackers I guess

The recommend steps to take to defend against the crew are: patch known vulnerabilities as a priority, train users to spot and report phishing attempts, and require multi-factor authentication to thwart the use of (say) stolen or guessed passwords.

Karakurt doesn't target any specific sectors or industries, and the gang's victims haven't had any of their documents encrypted and held to ransom.

Instead, the crooks claim to have stolen data, with screenshots or copies of exfiltrated files as proof, and they threaten to sell it or leak it publicly if they don't receive a payment. The US agencies say these demands range from $25,000 to $13 million in Bitcoin, and Karakurt typically sets a one-week deadline to pay up. 

The group used to operate a leak and auction website for exposing and selling victims' data, but that domain and IP address went offline earlier this spring. However, a dark-web site with several terabytes of supposed victims' data, along with press releases naming organizations that had not paid and instructions for buying victims' data resurfaced in May.

In addition to demanding payment, Karakurt, which is named after a type of black widow spider, likes to bully its victims by harassing their employees, business partners, and customers with emails and phone calls that aim to pressure the company into paying the ransom. 

The miscreants usually break into networks by either purchasing stolen login credentials; using third-party initial access brokers, which sell access to compromised systems; or by abusing security weaknesses in infrastructure.

Some of the vulnerabilities that the crooks exploit for initial access, according to the FBI and friends, include Log4Shell, multiple bugs in outdated SonicWall and Fortinet Fortigate VPN appliances, outdated Microsoft Windows Server instances, and then the usual email tricks such as phishing and malicious attachments.

Once they've obtained access to a system, Karakurt then deploys tools such as Cobalt Strike, Mimikatz, and AnyDesk to establish backdoors, pull credentials, elevate privileges, and move laterally within networks.

The Feds also noted Karakurt sometimes extorts victims of previous ransomware infections or even targets organizations already under attack by another crime group. "In such cases, Karakurt actors likely purchased or otherwise obtained previously stolen data," the agencies surmise about the former. 

And regarding the under-attack-by-multiple-gangs scenario: the US government suggested "Karakurt actors purchased access to a compromised system that was also sold to another ransomware actor."

Linked to Conti?

However, some private-sector security researchers have a different theory. In research published in April, they reported a "high degree of confidence that the Karakurt extortion group is operationally linked" to Conti. 

This analysis was conducted by three firms: Tetra Defense, an incident response team that SecOps provider Arctic Wolf acquired in February; blockchain firm Chainalysis; and threat intel company Northwave, another IR firm called in to work customers hit by the Karakurt crooks.

Both IR teams noted that the extortion gang used the exact same Cobalt Strike backdoor that Conti had used to drill into the victims' networks. "Such access could only be obtained through some sort of purchase, relationship, or surreptitiously gaining access to Conti group infrastructure," the threat researchers explained.

Other indicators include a common point of initial intrusion for Karakurt and Conti attacks (Fortinet SSL VPNs), and overlapping tools used for exfiltration: "a unique adversary choice to create and leave behind a file listing of exfiltrated data named file-tree.txt in the victim's environment as well as the repeated use of the same attacker hostname when remotely accessing victims' networks."

The security teams then called in Chainalysis, which helped analyze cryptocurrency transactions carried out by Conti and Karakurt and did, indeed, find a financial connection between the two. ®


Other stories you might like

  • Google battles bots, puts Workspace admins on alert
    No security alert fatigue here

    Google has added API security tools and Workspace (formerly G-Suite) admin alerts about potentially risky configuration changes such as super admin passwords resets.

    The API capabilities – aptly named "Advanced API Security" – are built on top of Apigee, the API management platform that the web giant bought for $625 million six years ago.

    As API data makes up an increasing amount of internet traffic – Cloudflare says more than 50 percent of all of the traffic it processes is API based, and it's growing twice as fast as traditional web traffic – API security becomes more important to enterprises. Malicious actors can use API calls to bypass network security measures and connect directly to backend systems or launch DDoS attacks.

    Continue reading
  • LGBTQ+ folks warned of dating app extortion scams
    Uncle Sam tells of crooks exploiting Pride Month

    The FTC is warning members of the LGBTQ+ community about online extortion via dating apps such as Grindr and Feeld.

    According to the American watchdog, a common scam involves a fraudster posing as a potential romantic partner on one of the apps. The cybercriminal sends explicit of a stranger photos while posing as them, and asks for similar ones in return from the mark. If the victim sends photos, the extortionist demands a payment – usually in the form of gift cards – or threatens to share the photos on the chat to the victim's family members, friends, or employer.

    Such sextortion scams have been going on for years in one form or another, even attempting to hit Reg hacks, and has led to suicides.

    Continue reading
  • Google: How we tackled this iPhone, Android spyware
    Watching people's every move and collecting their info – not on our watch, says web ads giant

    Spyware developed by Italian firm RCS Labs was used to target cellphones in Italy and Kazakhstan — in some cases with an assist from the victims' cellular network providers, according to Google's Threat Analysis Group (TAG).

    RCS Labs customers include law-enforcement agencies worldwide, according to the vendor's website. It's one of more than 30 outfits Google researchers are tracking that sell exploits or surveillance capabilities to government-backed groups. And we're told this particular spyware runs on both iOS and Android phones.

    We understand this particular campaign of espionage involving RCS's spyware was documented last week by Lookout, which dubbed the toolkit "Hermit." We're told it is potentially capable of spying on the victims' chat apps, camera and microphone, contacts book and calendars, browser, and clipboard, and beam that info back to base. It's said that Italian authorities have used this tool in tackling corruption cases, and the Kazakh government has had its hands on it, too.

    Continue reading
  • Capital One: Convicted techie got in via 'misconfigured' AWS buckets
    Assistant US attorney: 'She wanted data, she wanted money, and she wanted to brag'

    Updated A former Seattle tech worker has been convicted of wire fraud and computer intrusions in a US federal district court.

    The conviction follows the infamous 2019 hack of Capital One in which personal information of more than 100 million US and Canadian credit card applicants were swiped from the financial giant's misconfigured cloud-based storage.

    Paige Thompson (aka "erratic") was arrested in July 2019 after data was leaked between March and July of that year. The data was submitted by credit card hopefuls between 2005 and early 2019, and Thompson was able to get into Capital One's AWS storage thanks to a "misconfigured web application firewall."

    Continue reading

Biting the hand that feeds IT © 1998–2022