Cybercriminals Exploit Open-Source Tools PoshC2, Chisel, and Classroom Spy to Infiltrate African Financial Institutions

A sophisticated cybercriminal operation, identified as CL-CRI-1014, has been targeting Africa’s financial sector by repurposing legitimate open-source penetration testing tools to gain and maintain unauthorized access to banking networks. This campaign underscores a growing trend where threat actors exploit dual-use security tools, originally designed for ethical hacking and system administration, to conduct malicious activities.

The Tools in Play

The attackers have strategically employed several open-source tools to facilitate their operations:

– PoshC2: An open-source post-exploitation framework designed for red team operations, PoshC2 has been adapted by the attackers to serve as both a command and control (C2) framework and a proxy mechanism. By customizing PoshC2’s network communication modules, the threat actors have implemented environment-specific proxy configurations that leverage compromised credentials from targeted networks.

– Chisel: A fast TCP/UDP tunnel over HTTP, Chisel is typically used for secure network tunneling. In this campaign, it has been utilized to create covert communication channels, allowing the attackers to bypass network security controls and maintain persistent access to compromised systems.

– Classroom Spy: Originally intended for monitoring and managing classroom computers, Classroom Spy has been repurposed as a remote administration tool. The attackers have replaced previous tools like MeshAgent with Classroom Spy to enhance their remote control capabilities over infected machines.

Tactics and Techniques

The operational sophistication of CL-CRI-1014 is evident in their methodical approach to infiltrating and navigating through targeted networks:

– Initial Access and Lateral Movement: The attackers employ various techniques to gain initial access, including exploiting vulnerabilities in internet-facing devices and using social engineering tactics. Once inside, they move laterally with tools like PsExec, creating remote services and executing commands through Distributed Component Object Model (DCOM) to spread across the network.

– Evasion and Persistence: To evade detection, the threat actors sign their malicious code with stolen certificates and disguise executables with icons and metadata from trusted software vendors. They also implement multiple persistence mechanisms, such as configuring proxies and modifying system settings, to ensure continued access even if some entry points are discovered and closed.

– Credential Harvesting and Network Reconnaissance: Extensive reconnaissance is conducted to map out the network architecture and identify valuable assets. The attackers harvest credentials to escalate privileges and access sensitive information, customizing payload configurations with hard-coded internal IP addresses and stolen credentials tailored to each target environment.

Implications for the Financial Sector

The use of legitimate open-source tools in this campaign presents significant challenges for detection and mitigation. Security teams may overlook activities associated with these tools, mistaking them for normal administrative tasks. This blending of malicious actions with legitimate operations complicates the identification of unauthorized access and the implementation of effective countermeasures.

Recommendations for Defense

To defend against such sophisticated attacks, organizations should consider the following measures:

1. Enhanced Monitoring: Implement advanced monitoring solutions capable of detecting anomalies associated with the misuse of legitimate tools. Behavioral analysis can help identify unusual patterns indicative of malicious activity.

2. Regular Audits: Conduct frequent audits of network configurations and access controls to identify and remediate potential vulnerabilities that could be exploited by attackers.

3. Employee Training: Educate staff on the risks of social engineering and the importance of maintaining strong, unique passwords to prevent credential harvesting.

4. Incident Response Planning: Develop and regularly update incident response plans to ensure swift action can be taken in the event of a security breach, minimizing potential damage.
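The "Tactics and Techniques" section above describes two behaviours that blend into ordinary administration (PsExec-style remote service creation, and executables whose file metadata claims a trusted vendor while the Authenticode signature belongs to someone else), and the "Enhanced Monitoring" recommendation asks for behavioural detection of exactly that kind of misuse. The script below is an added illustration, not code from the article or from Unit 42; it runs two such checks over constructed sample data. The event fields mirror the documented Windows Security 4624 (logon) and System 7045 (service installed) records, and the file inventory entries (`CompanyName` from the PE version resource, `signer_subject` from the certificate) are hypothetical values of the kind an EDR or a script such as `Get-AuthenticodeSignature` would produce.

```python
"""Two defender-side checks for the behaviours described in the CL-CRI-1014
write-up. Added example; all event records and file entries are constructed."""
import re
from datetime import datetime, timedelta

# Constructed sample events in time order. 4624 = logon (LogonType 3 is a
# network logon), 7045 = a new service was installed on the host.
EVENTS = [
    {"time": "2024-05-02T09:00:05", "id": 4624, "host": "FS01", "LogonType": 3,
     "IpAddress": "10.20.30.40", "TargetUserName": "svc_backup"},
    {"time": "2024-05-02T09:00:09", "id": 7045, "host": "FS01",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2024-05-02T10:15:00", "id": 4624, "host": "WS07", "LogonType": 2,
     "IpAddress": "-", "TargetUserName": "alice"},
    {"time": "2024-05-02T11:00:00", "id": 7045, "host": "WS07",
     "ServiceName": "WinDefend",
     "ImagePath": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
]

# Constructed file inventory: version-info CompanyName versus signer subject.
FILES = [
    {"path": "C:\\ProgramData\\updater.exe", "CompanyName": "Microsoft Corporation",
     "signer_subject": "Acme Widgets Ltd", "signature_valid": True},
    {"path": "C:\\Windows\\System32\\notepad.exe", "CompanyName": "Microsoft Corporation",
     "signer_subject": "Microsoft Windows", "signature_valid": True},
]

WINDOW = timedelta(minutes=5)                 # look-back from 7045 to a prior logon
PSEXEC_PATTERN = re.compile(r"psexesvc", re.I)  # PsExec's default helper service name


def _ts(value):
    return datetime.fromisoformat(value)


def remote_service_installs(events, window=WINDOW):
    """Return 7045 events preceded within `window` by a network logon (4624,
    LogonType 3) on the same host, plus any service named like PsExec's
    helper, annotated with the logon's source IP and account."""
    logons = [e for e in events if e["id"] == 4624 and e["LogonType"] == 3]
    findings = []
    for svc in (e for e in events if e["id"] == 7045):
        t = _ts(svc["time"])
        prior = [l for l in logons if l["host"] == svc["host"]
                 and 0 <= (t - _ts(l["time"])).total_seconds() <= window.total_seconds()]
        psexec_like = bool(PSEXEC_PATTERN.search(svc["ServiceName"] + svc["ImagePath"]))
        if prior or psexec_like:
            src = prior[-1] if prior else None   # most recent qualifying logon
            findings.append({
                "host": svc["host"], "service": svc["ServiceName"],
                "image": svc["ImagePath"], "psexec_like": psexec_like,
                "source_ip": src["IpAddress"] if src else None,
                "account": src["TargetUserName"] if src else None,
            })
    return findings


def vendor_signer_mismatches(files):
    """Flag executables whose CompanyName names one vendor while the signer
    subject names another. A binary signed with a stolen certificate
    validates cleanly, so `signature_valid` alone says nothing; the claimed
    vendor has to be compared with who actually signed. The first word of
    CompanyName is used as a heuristic vendor token ("Microsoft")."""
    findings = []
    for f in files:
        vendor = f["CompanyName"].split()[0].lower()
        if f["signature_valid"] and vendor not in f["signer_subject"].lower():
            findings.append(f["path"])
    return findings


if __name__ == "__main__":
    for hit in remote_service_installs(EVENTS):
        print("remote service install:", hit)
    for path in vendor_signer_mismatches(FILES):
        print("vendor/signer mismatch:", path)
```

Run against the sample data, the service check flags only the FS01 install (network logon from 10.20.30.40 as svc_backup four seconds before a PSEXESVC service appeared), while the locally installed WS07 service passes; the signer check flags `updater.exe`, which claims Microsoft in its metadata but carries a valid signature from an unrelated organisation. Unsigned files are deliberately left to a separate policy here; the point of the second check is that a valid signature is not evidence of the vendor the file claims.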

By understanding the tactics employed by threat actors like CL-CRI-1014 and implementing robust security measures, financial institutions can better protect themselves against the evolving landscape of cyber threats.