Ethical Hacking News
Cybercriminals are using open-source tools to compromise financial institutions across Africa. By leveraging publicly available resources, these malicious actors are gaining unauthorized access to sensitive data. Read more about the tactics being employed by CL-CRI-1014 and how you can protect your organization from this growing threat.
Cyber attackers are targeting financial institutions in Africa using open-source tools to gain unauthorized access. A group of skilled threat actors known as CL-CRI-1014 has been actively targeting financial organizations since at least July 2023, using tactics such as file forgery and remote administration tools. The attackers are using tools like PoshC2, Chisel, and Classroom Spy to carry out their attacks, with each tool serving a distinct purpose in the overall scheme. The attackers are deploying payloads disguised as legitimate software to evade detection efforts. Persistence of PoshC2 on compromised systems is a concern, with researchers identifying multiple methods to ensure its longevity. Stealing user credentials and setting up proxies via PoshC2 raises concerns about the ability of security experts to track down and apprehend the malicious actors. The use of open-source tools by threat actors highlights a broader issue in the cybersecurity world, emphasizing the need for robust security measures and user awareness.
Cybersecurity researchers have been sounding the alarm bells over a series of sophisticated cyber attacks targeting financial institutions across Africa, leveraging open-source tools to gain unauthorized access. According to Palo Alto Networks Unit 42, these malicious actors are not only exploiting vulnerabilities but also using publicly available resources to further their nefarious plans.
At the heart of this crisis lies a group of skilled threat actors known as CL-CRI-1014, who have been actively targeting financial organizations in Africa since at least July 2023. This group's modus operandi involves copying signatures from legitimate applications to forge file signatures, thereby disguising their malicious files and hindering attempts by security experts to detect them.
The tools being used by these threat actors are nothing short of alarming. PoshC2, Chisel, and Classroom Spy have all been identified as part of the attack chain, with each tool serving a distinct purpose. PoshC2 is used for command-and-control operations, while Chisel enables malicious network traffic to be tunneled through compromised networks. Classroom Spy, on the other hand, serves as a remote administration tool, allowing attackers to gain full control over compromised machines.
In an effort to sidestep detection efforts, these threat actors are using various tactics, including deploying payloads disguised as legitimate software. The icons of Microsoft Teams, Palo Alto Networks Cortex, and Broadcom VMware Tools have all been used in this manner, further adding to the complexity of the attacks being carried out by these malicious actors.
The persistence of PoshC2 on compromised systems has also caught the attention of researchers, with three different methods being employed to ensure its longevity. These include setting up a service, saving a Windows shortcut (LNK) file in the Startup folder, and utilizing scheduled tasks under the name "Palo Alto Cortex Services".
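The three persistence mechanisms listed above are the kind of thing a defender can hunt for in a host inventory. The following script is an added example written for this page; it is not code from Unit 42 or from the article's authors. It assumes an inventory already exported from a host (scheduled tasks, Startup-folder shortcuts and services as simple dictionaries), and the path heuristics, the marker lists and the sample inventory are constructed for illustration rather than taken from the report.

```python
"""Triage a host inventory for the three PoshC2 persistence mechanisms the
article describes: a service, an LNK in the Startup folder, and a scheduled
task named "Palo Alto Cortex Services". All sample data below is constructed."""
from dataclasses import dataclass

# Locations a legitimately installed service or vendor tool should not run from
# (heuristic chosen for this example, not an indicator from the report).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                         "\\programdata\\", "\\downloads\\")
# Task name the article reports for CL-CRI-1014's scheduled-task persistence.
REPORTED_TASK_NAME = "palo alto cortex services"
# Products whose icons the article says were borrowed; a binary that carries one
# of these names but runs outside Program Files deserves a second look.
IMPERSONATED_VENDORS = ("cortex", "teams", "vmware")


@dataclass
class Finding:
    category: str
    name: str
    path: str
    reason: str


def _norm(path: str) -> str:
    """Lower-case a Windows path, strip quoting, and unify separators."""
    return path.strip('"').lower().replace("/", "\\")


def _user_writable(path: str) -> bool:
    return any(marker in _norm(path) for marker in USER_WRITABLE_MARKERS)


def _outside_program_dirs(path: str) -> bool:
    p = _norm(path)
    return not (p.startswith("c:\\program files") or p.startswith("c:\\windows\\"))


def check_scheduled_tasks(tasks):
    findings = []
    for task in tasks:
        name, action = task["name"], task["action"]
        if name.lower() == REPORTED_TASK_NAME:
            findings.append(Finding("scheduled_task", name, action,
                                    "task name matches the one reported for CL-CRI-1014"))
        elif _user_writable(action):
            findings.append(Finding("scheduled_task", name, action,
                                    "task runs a binary from a user-writable location"))
    return findings


def check_startup_links(links):
    """Startup-folder LNKs whose target lives in a user-writable directory."""
    return [Finding("startup_lnk", link["name"], link["target"],
                    "Startup shortcut targets a user-writable location")
            for link in links if _user_writable(link["target"])]


def check_services(services):
    findings = []
    for svc in services:
        path = svc["binary_path"]
        if _user_writable(path):
            findings.append(Finding("service", svc["name"], path,
                                    "service binary in a user-writable location"))
        elif _outside_program_dirs(path) and any(v in _norm(path) for v in IMPERSONATED_VENDORS):
            findings.append(Finding("service", svc["name"], path,
                                    "vendor-named service binary outside Program Files"))
    return findings


def hunt(inventory):
    """Run all three checks over one host inventory and return the findings."""
    return (check_scheduled_tasks(inventory.get("scheduled_tasks", []))
            + check_startup_links(inventory.get("startup_links", []))
            + check_services(inventory.get("services", [])))


# Constructed sample inventory: two entries per category, one benign, one suspect.
SAMPLE_INVENTORY = {
    "scheduled_tasks": [
        {"name": "Palo Alto Cortex Services",
         "action": r"C:\Users\jdoe\AppData\Roaming\cortex\cortex.exe"},
        {"name": "MicrosoftEdgeUpdateTaskMachineCore",
         "action": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},
    ],
    "startup_links": [
        {"name": "Teams.lnk", "target": r"C:\Users\jdoe\AppData\Local\Temp\teams.exe"},
        {"name": "OneDrive.lnk", "target": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    ],
    "services": [
        {"name": "VMwareToolsSvc", "binary_path": r"C:\ProgramData\VMware\vmtoolsd.exe"},
        {"name": "Spooler", "binary_path": r"C:\Windows\System32\spoolsv.exe"},
    ],
}

if __name__ == "__main__":
    for f in hunt(SAMPLE_INVENTORY):
        print(f"[{f.category}] {f.name} -> {f.path}: {f.reason}")
```

On the sample inventory this reports three findings: the scheduled task carrying the reported name, the Startup shortcut pointing into a Temp directory, and the VMware-named service running from ProgramData. Treat the output as a triage list rather than a verdict: some legitimate per-user installers do place shortcuts and services under AppData, so an environment-specific allow list belongs in front of the path heuristics, and the task-name match should be cross-checked against a genuine Cortex installation before anything is removed.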
Furthermore, the threat actors have even been known to steal user credentials, using them to set up proxies that can communicate with command-and-control servers via PoshC2. This level of sophistication raises serious concerns about the ability of security experts to track down and apprehend these malicious actors.
Despite the numerous challenges posed by this ongoing crisis, researchers are working tirelessly to gather intelligence on the threat actors involved. Tom Fakterman and Guy Levi have been at the forefront of this effort, detailing the tactics employed by CL-CRI-1014 in their report.
According to Fakterman and Levi, the threat actors' use of open-source tools has allowed them to maintain access to compromised financial institutions across Africa since at least July 2023. The researchers also note that these actors are likely attempting to establish themselves as initial access brokers (IABs), selling their access to other malicious actors on underground forums.
The involvement of CL-CRI-1014 in the attacks highlights a broader issue within the cybersecurity world: the increasing reliance on open-source tools by threat actors. This phenomenon has serious implications for organizations across Africa, which may find themselves at risk due to inadequate security measures.
In light of this growing concern, it is imperative that financial institutions prioritize their cybersecurity posture and invest in robust security measures. One approach being taken by some companies is the implementation of advanced threat detection tools and regular software updates.
Furthermore, the need for greater awareness and education among users cannot be overstated. Cybersecurity experts are urging organizations to promote user safety through workshops and awareness campaigns.
The emergence of CL-CRI-1014 also underscores the importance of ongoing research and collaboration between security experts. By sharing intelligence on emerging threats, researchers can help one another develop strategies to counter them.
Ultimately, the efforts of these cybersecurity experts will be crucial in helping financial institutions protect themselves against these types of attacks. Through proactive measures and a concerted effort to stay informed about emerging threats, organizations across Africa can minimize their exposure to these sophisticated cyber attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Cyber-Criminals-Lurk-in-the-Shadows-The-Rise-of-Open-Source-Tools-in-Financial-Institution-Hacks-Across-Africa-ehn.shtml
https://thehackernews.com/2025/06/cyber-criminals-exploit-open-source.html
Published: Thu Jun 26 03:20:49 2025 by llama3.2 3B Q4_K_M