Cybercriminals Utilize Open-Source Tools to Target Financial Institutions in Africa

Jun 26, 2025
Threat Intelligence / Ransomware

Cybersecurity researchers are tracking a wave of cyberattacks aimed at financial institutions across Africa, dating back to at least July 2023. The attackers rely on a combination of open-source and publicly available tools to establish and sustain access. Palo Alto Networks’ Unit 42 is monitoring the activity under the label CL-CRI-1014, where “CL” stands for “cluster” and “CRI” signifies “criminal motivation.” The primary objective appears to be gaining initial access to systems and then selling that access to other criminal actors on underground forums, effectively making the threat actor an initial access broker (IAB). “The threat actor mimics signatures from legitimate applications to create forged file signatures, camouflaging their toolset and concealing malicious activities,” noted researchers Tom Fakterman and Guy Levi. “Threat actors frequently spoof legitimate products for illicit purposes.” The toolset seen in the attacks includes the open-source PoshC2 command-and-control framework, among others.

The way the tools are disguised is the distinctive part of the tradecraft. Researchers Tom Fakterman and Guy Levi observed that the actor copies the signatures of legitimate applications and applies forged versions to its own binaries, so that a tool looks like a known product when it sits on disk. Because the tools themselves are open source or publicly available, this masquerading is what keeps them out of sight: a defender who trusts the vendor name in a file’s version information, rather than verifying the signature chain, will wave them through. Spoofing legitimate products in this way is a long-standing tactic among criminal actors.
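The check a defender wants against this tactic is to compare what a binary claims about itself (vendor and product in its version information, its compiled-in original file name) with what its code signature actually proves. The script below is an added example written for this page, not code from Unit 42 or from the report; it runs over constructed events whose field names loosely follow Sysmon’s process-creation and image-load events (Company, Product, OriginalFileName, Signed, SignatureStatus). The vendor list, system directories and all event values are assumptions for the example, and the status strings are simplified.

```python
"""Flag executables whose metadata claims a well-known vendor but whose code
signature does not back the claim (masquerading / forged-signature check).
Added example for this page; events and field values are constructed."""

# Constructed sample events (not real telemetry). Field names loosely follow
# Sysmon Event ID 1 / 7; values are invented for the example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "Company": "Microsoft Corporation",
     "Product": "Microsoft Windows Operating System", "OriginalFileName": "svchost.exe",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\Public\update\svchost.exe", "Company": "Microsoft Corporation",
     "Product": "Microsoft Windows Operating System", "OriginalFileName": "svchost.exe",
     "Signed": "true", "SignatureStatus": "Invalid", "Signature": "Microsoft Windows"},
    {"Image": r"C:\ProgramData\sync\adobeupd.exe", "Company": "Adobe Inc.",
     "Product": "Adobe Updater", "OriginalFileName": "posh.exe",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
    {"Image": r"C:\Tools\mytool.exe", "Company": "Example Corp", "Product": "MyTool",
     "OriginalFileName": "mytool.exe", "Signed": "false",
     "SignatureStatus": "Unavailable", "Signature": ""},
]

# Vendors whose name in version info should always be backed by a valid
# signature (assumed list for the example; extend with your own allow-list).
TRUSTED_VENDORS = {"microsoft corporation", "adobe inc.", "google llc"}

# Directories from which Microsoft-signed OS binaries are normally loaded
# (assumption for the example).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def findings_for(event):
    """Return the list of reasons this event looks like metadata/signature
    masquerading; an empty list means nothing suspicious was seen."""
    reasons = []
    company = event.get("Company", "").strip().lower()
    image = event.get("Image", "").lower()
    basename = image.rsplit("\\", 1)[-1]
    status = event.get("SignatureStatus", "Unavailable")
    signed = event.get("Signed", "false").lower() == "true"

    # 1. Claims a trusted vendor in version info but has no valid signature.
    if company in TRUSTED_VENDORS and not (signed and status == "Valid"):
        reasons.append(f"claims {event['Company']} but signature status is {status}")

    # 2. A signature is present but does not verify (forged, tampered, self-signed).
    if signed and status != "Valid":
        reasons.append(f"signature present but {status}")

    # 3. Compiled-in OriginalFileName disagrees with the on-disk name (renamed tool).
    orig = event.get("OriginalFileName", "").lower()
    if orig and orig != basename:
        reasons.append(f"OriginalFileName {orig} != on-disk name {basename}")

    # 4. Microsoft-branded binary executing outside the system directories.
    if company == "microsoft corporation" and not image.startswith(SYSTEM_DIRS):
        reasons.append("Microsoft-branded binary outside System32/SysWOW64")
    return reasons


def scan(events):
    """Map image path -> findings for every event that raised at least one reason."""
    out = {}
    for ev in events:
        reasons = findings_for(ev)
        if reasons:
            out[ev["Image"]] = reasons
    return out


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image)
        for reason in reasons:
            print("   -", reason)
```

Rule 1 is the one that catches the behaviour the researchers describe: a vendor name copied into a file’s metadata is free, a signature that chains to that vendor is not. Rules 3 and 4 are cheap corroborating signals; on real telemetry, feed them from your EDR or Sysmon pipeline and add the vendors you actually see on your estate.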

The attack methodology leans on open-source tooling, with PoshC2, a publicly available command-and-control framework, as the notable example. Such frameworks give the attackers a persistent channel into the targeted network from which they can execute commands, harvest information and stage further intrusion, which is exactly the foothold an initial access broker needs to package and sell.
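Persistent access through a C2 framework leaves a network-side trace that survives the on-disk disguise: the implant checks in to its server on a sleep timer, and frameworks such as PoshC2 expose a sleep interval and jitter to the operator, so the check-ins are regular in a way human browsing is not. The following is an added example for this page, not code from the report, showing the usual beaconing heuristic over constructed proxy records: group requests by client and destination, then flag pairs whose inter-request gaps have a low coefficient of variation. The log format, hosts, addresses and thresholds are assumptions made for the example.

```python
"""Beaconing heuristic over web-proxy records. Added example for this page;
the log lines, hosts and thresholds are constructed, not taken from the report."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines: "<ISO timestamp> <client> <destination host> <status>".
# 10.0.0.5 checks in every ~30 s (implant-like); 10.0.0.7 browses irregularly.
SAMPLE_LOG = """\
2025-06-20T09:00:00 10.0.0.5 updates.example-cdn.net 200
2025-06-20T09:00:31 10.0.0.5 updates.example-cdn.net 200
2025-06-20T09:00:58 10.0.0.5 updates.example-cdn.net 200
2025-06-20T09:01:30 10.0.0.5 updates.example-cdn.net 200
2025-06-20T09:02:01 10.0.0.5 updates.example-cdn.net 200
2025-06-20T09:02:29 10.0.0.5 updates.example-cdn.net 200
2025-06-20T09:03:00 10.0.0.5 updates.example-cdn.net 200
2025-06-20T09:03:31 10.0.0.5 updates.example-cdn.net 200
2025-06-20T09:00:05 10.0.0.7 news.example.org 200
2025-06-20T09:00:07 10.0.0.7 news.example.org 200
2025-06-20T09:04:40 10.0.0.7 mail.example.org 200
2025-06-20T09:04:41 10.0.0.7 news.example.org 304
2025-06-20T09:09:12 10.0.0.7 news.example.org 200
2025-06-20T09:21:03 10.0.0.7 news.example.org 200
2025-06-20T09:21:04 10.0.0.7 news.example.org 200
2025-06-20T09:22:50 10.0.0.7 news.example.org 200
"""


def parse(log_text):
    """Group request timestamps by (client, destination host)."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _status = line.split()
        series[(client, host)].append(datetime.fromisoformat(ts))
    return series


def beacon_score(timestamps):
    """Return (mean_gap_seconds, coefficient_of_variation) for a series, or
    None when there are too few requests to measure regularity."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    if m == 0:
        return None
    return m, pstdev(gaps) / m


def find_beacons(log_text, min_requests=6, max_cv=0.25):
    """Return (client, host) pairs whose spacing is regular enough to look like
    a C2 check-in. The thresholds are example choices; tune them to the
    jitter you expect and the volume of your own proxy logs."""
    hits = {}
    for key, ts in parse(log_text).items():
        if len(ts) < min_requests:
            continue
        score = beacon_score(ts)
        if score and score[1] <= max_cv:
            hits[key] = score
    return hits


if __name__ == "__main__":
    for (client, host), (gap, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: mean gap {gap:.1f}s, CV {cv:.2f}")
```

A low coefficient of variation alone is not a conviction: software updaters and monitoring agents also poll on timers, so the hit list should be joined against the masquerading findings above and an allow-list of known periodic destinations before anyone is paged.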

Targets of these cyber attacks have primarily included financial institutions, which are particularly enticing to cybercriminals due to the sensitive data they process and their financial assets. The implications of these breaches not only affect the direct targets but also pose risks to customers and the broader financial ecosystem within the affected countries. By infiltrating these institutions, attackers aim to extract confidential information and, ultimately, financial gain.

Mapped to the MITRE ATT&CK framework, the behaviours this report describes fall under Defense Evasion, specifically Masquerading (T1036) through forged or invalid code signatures on otherwise public tooling, and Command and Control through the PoshC2 framework. The report does not say how the actor obtains its initial foothold, nor which persistence or privilege escalation techniques it uses, so those tactics should not be assumed from this summary; spear phishing or a particular exploit are possibilities, not findings.

Organizations in the targeted sector should treat the two observed behaviours as hunting leads: verify code-signing chains rather than trusting the vendor name in a file’s metadata, and look for regular outbound check-ins to unfamiliar hosts, which is the network footprint of a C2 framework regardless of how well the implant is disguised on disk. The use of freely available tooling by a financially motivated actor is a reminder that detection has to rest on behaviour rather than on recognising a particular piece of malware.
