Rising Cyber Threats to Financial Institutions in Africa
An Ongoing Wave of Cyber Attacks
Cybersecurity experts are increasingly highlighting a troubling series of cyber attacks targeting financial institutions across Africa. These attacks have been active since at least July 2023, using a combination of open-source and publicly available tools to maintain persistent access to compromised networks.
Tracking the Threat: CL-CRI-1014
Palo Alto Networks' Unit 42 tracks this activity under the moniker CL-CRI-1014. In Unit 42's naming scheme, "CL" denotes a cluster of activity and "CRI" marks that cluster as criminally motivated.
The Goals of the Attacks
The principal aim of these operations is believed to be obtaining initial access to networks and selling that access to other criminal groups on underground forums. In other words, the perpetrators operate as Initial Access Brokers (IABs), profiting by reselling the foothold rather than exploiting it themselves.
Tactics and Techniques Used by Threat Actors
Researchers Tom Fakterman and Guy Levi have observed that these threat actors use several deceptive techniques to mask their intentions. Specifically, they copy the file signatures of reputable applications, camouflaging their tools to evade detection. "Threat actors often spoof legitimate products for malicious purposes," they explained.
Tools of the Trade
The attacks rely on several publicly available tools:
- PoshC2 for establishing command-and-control (C2) connections.
- Chisel for tunneling malicious network traffic.
- Classroom Spy for remote administration and surveillance.
While the initial entry method used by these attackers is not yet known, once a foothold in the network is obtained they typically deploy MeshCentral Agent and later Classroom Spy to control infected machines. Chisel is then used to tunnel past firewalls, which in turn lets PoshC2 be spread to additional Windows hosts within the compromised network.
Evasion Techniques
In their efforts to evade detection, these attackers disguise their payloads as legitimate software, often utilizing icons from trusted applications such as Microsoft Teams, Palo Alto Networks Cortex, and Broadcom VMware Tools. They establish persistence on compromised systems through multiple methods, including:
- Setting up a service.
- Creating a Windows shortcut (LNK) file to launch the tool from the Startup folder.
- Scheduling a task under the name “Palo Alto Cortex Services.”
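The three persistence mechanisms above share a tell: each borrows a trusted vendor's name while launching a binary from a location that vendor would never install to. The following is an added hunting example (not Unit 42's code) that applies that check to an inventory of services, Startup-folder shortcuts and scheduled tasks. The inventory records, the vendor install paths and the task names other than "Palo Alto Cortex Services" are constructed for illustration; on a real host the records would come from the service control manager, the Startup folders and schtasks.

```python
"""Hunt for persistence entries that borrow a trusted vendor's name but run a
binary from outside that vendor's install path, or from a user-writable path.

Added example, not code from the Unit 42 report. Inventory is constructed.
"""
import re
from dataclasses import dataclass

# Directories where a legitimately installed vendor product would live.
TRUSTED_DIRS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
)

# User-writable locations; vendor security products do not run from here.
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|public|downloads)\\", re.IGNORECASE)

# Product names the report says the attackers impersonated.
SPOOFED_BRANDS = ("palo alto", "cortex", "microsoft teams", "vmware tools")


@dataclass
class Persistence:
    kind: str    # "service", "startup_lnk" or "scheduled_task"
    name: str    # service display name, LNK file name or task name
    target: str  # executable the entry actually launches


def brand_mismatch(entry: Persistence) -> bool:
    """True when the name borrows a trusted brand but the binary is not
    under a trusted install directory."""
    borrows_brand = any(b in entry.name.lower() for b in SPOOFED_BRANDS)
    in_trusted_dir = entry.target.lower().startswith(TRUSTED_DIRS)
    return borrows_brand and not in_trusted_dir


def runs_from_user_writable(entry: Persistence) -> bool:
    return USER_WRITABLE.search(entry.target) is not None


def hunt(inventory):
    """Return one finding per suspicious entry, with the reasons it matched."""
    findings = []
    for entry in inventory:
        reasons = []
        if brand_mismatch(entry):
            reasons.append("vendor name but binary outside vendor install path")
        if runs_from_user_writable(entry):
            reasons.append("launches from a user-writable directory")
        if reasons:
            findings.append({"kind": entry.kind, "name": entry.name,
                             "target": entry.target, "reasons": reasons})
    return findings


# Constructed inventory: two spoofed entries and two legitimate ones.
SAMPLE_INVENTORY = [
    Persistence("scheduled_task", "Palo Alto Cortex Services",
                "C:\\Users\\Public\\cortex\\CortexUpdater.exe"),
    Persistence("service", "Cortex Agent (constructed)",
                "C:\\Program Files\\Palo Alto Networks\\Cortex\\agent.exe"),
    Persistence("startup_lnk", "VMware Tools.lnk",
                "C:\\Users\\alice\\AppData\\Roaming\\vmtools\\updater.exe"),
    Persistence("service", "Print Spooler",
                "C:\\Windows\\System32\\spoolsv.exe"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_INVENTORY):
        print(f"[{f['kind']}] {f['name']} -> {f['target']}: {', '.join(f['reasons'])}")
```

The path-based rule is deliberately coarse: some legitimate products do install per user under AppData (the classic Microsoft Teams client is the best-known case), so in production pair it with an allowlist of known per-user installs and with a signature check on the target binary, since the report notes these tools carry copied file signatures.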
Credential Theft and Proxy Setup
In several cases, researchers have noted that the attackers used stolen user credentials to authenticate PoshC2 through a proxy, giving their implants a route to the C2 server. "PoshC2 can use a proxy to communicate with a command-and-control (C2) server," the researchers remarked, indicating that the threat actors tailor their setup to specific targets.
Previous Incidents Involving PoshC2
This isn’t the first instance of PoshC2 being leveraged against financial institutions in Africa. In September 2022, Check Point reported on a spear-phishing campaign dubbed DangerousSavanna. This operation targeted financial and insurance companies across several African nations, distributing tools like Metasploit, PoshC2, and AsyncRAT.
The Emergence of New Ransomware Groups
As these cyber threats evolve, Trustwave SpiderLabs recently identified a new ransomware group named Dire Wolf, which has already compromised 16 victims across various countries, including the U.S., Australia, and Singapore. This group primarily targets sectors such as technology, manufacturing, and financial services.
The Nature of Dire Wolf Ransomware
Analysis of the Dire Wolf ransomware shows it is written in Go and can disable system logging, terminate services and applications, and hinder recovery by deleting shadow copies. "While the techniques used by Dire Wolf for initial access and lateral movements are currently unknown, organizations should adhere to good security practices and monitor for the techniques identified in this analysis," the cybersecurity firm advised.
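The three behaviours Trustwave describes (log tampering, mass service termination, shadow-copy deletion) are all visible in process-creation telemetry. The following is an added detection example, not Trustwave's code: the report does not say which commands Dire Wolf issues, so the command-line patterns below are the usual Windows built-ins an analyst watches for these behaviours and are an assumption of this example. The event format and the log lines are constructed.

```python
"""Detect Dire Wolf-style impact behaviours in process-creation events.

Added example, not code from the Trustwave report. The command patterns are
assumptions (typical built-ins used for these actions), the events are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (alert name, case-insensitive pattern over the command line)
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("event_log_cleared",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("service_stop",
     re.compile(r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop)\b", re.I)),
]

SERVICE_STOP_BURST = 3                 # this many service stops ...
BURST_WINDOW = timedelta(seconds=60)   # ... from one parent within this window


def parse_event(line):
    """Parse the constructed 'timestamp|parent_image|image|command_line' format."""
    ts, parent, image, cmd = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "parent": parent, "image": image, "cmd": cmd}


def detect(lines):
    """Return (alert, parent_image, timestamp) tuples in event order.
    Single service stops are normal admin activity, so they only alert when
    one parent process stops several services in quick succession."""
    alerts = []
    stops = defaultdict(list)  # parent image -> recent service-stop timestamps
    for line in lines:
        ev = parse_event(line)
        for name, pattern in RULES:
            if not pattern.search(ev["cmd"]):
                continue
            if name == "service_stop":
                recent = stops[ev["parent"]]
                recent.append(ev["ts"])
                recent[:] = [t for t in recent if ev["ts"] - t <= BURST_WINDOW]
                if len(recent) == SERVICE_STOP_BURST:
                    alerts.append(("mass_service_stop", ev["parent"], ev["ts"]))
            else:
                alerts.append((name, ev["parent"], ev["ts"]))
    return alerts


# Constructed events: one unknown binary stops three services, deletes shadow
# copies and clears the Security log; later an administrator stops one service.
SAMPLE_EVENTS = [
    "2025-06-01T02:14:00|C:\\Users\\Public\\svc.exe|C:\\Windows\\System32\\net.exe|net stop MSSQLSERVER /y",
    "2025-06-01T02:14:02|C:\\Users\\Public\\svc.exe|C:\\Windows\\System32\\net.exe|net stop SQLWriter /y",
    "2025-06-01T02:14:05|C:\\Users\\Public\\svc.exe|C:\\Windows\\System32\\net.exe|net stop VSS /y",
    "2025-06-01T02:14:09|C:\\Users\\Public\\svc.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet",
    "2025-06-01T02:14:11|C:\\Users\\Public\\svc.exe|C:\\Windows\\System32\\wevtutil.exe|wevtutil cl Security",
    "2025-06-01T09:30:00|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\net.exe|net stop Spooler",
]

if __name__ == "__main__":
    for alert, parent, ts in detect(SAMPLE_EVENTS):
        print(f"{ts.isoformat()} {alert} parent={parent}")
```

The burst rule fires once, when the third stop from the same parent lands inside the window, which keeps a single administrative `net stop` quiet while still catching the pre-encryption service sweep; the other two rules alert on any match because there is rarely a benign reason to clear an event log or delete all shadow copies from an unrecognised parent.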
Conclusion
As cyber threats targeted at financial organizations in Africa continue to evolve, staying vigilant and implementing robust cybersecurity measures remains paramount. By understanding the tactics and motivations behind these attacks, institutions can better prepare to defend against them while securing their operations in a turbulent digital landscape.