Security researchers tracking the CL-CRI-1014 campaign have observed a series of cyberattacks against African financial organizations since mid-2023. The threat actors rely on open-source and publicly available tools, including PoshC2 for command-and-control operations, Chisel for tunneling malicious network traffic, and Classroom Spy for remote administration.
Attackers disguise their malicious payloads by forging file signatures and using the icons of legitimate software such as Microsoft Teams, Palo Alto Networks Cortex, and Broadcom VMware Tools, making detection more difficult.
How Do Attackers Establish and Maintain Persistent Access?
Once initial access is gained, the attackers deploy MeshCentral Agent and later Classroom Spy to take control of compromised machines. Chisel is used to bypass firewalls and spread PoshC2 to other Windows hosts within the network. To ensure persistence, attackers set up services, place shortcut files in the Startup folder, and create scheduled tasks under deceptive names.
In some cases, stolen credentials are used to establish proxies, enabling further malicious activity and communication with command-and-control servers.
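The persistence and masquerading techniques described above (vendor icons and metadata on the payload; services, Startup-folder shortcuts and scheduled tasks under deceptive names) can be triaged with a few host-side rules. The following Python is an added example, not code from the article or from the researchers who tracked the campaign. It flags a persistence entry when the binary it launches claims a well-known vendor in its version metadata but carries no valid Authenticode signature from that vendor, or when it runs from outside the standard install roots. The artifact records, the vendor-to-signer mapping and the trusted-path rule are assumptions constructed for the example; in a real deployment the fields would be filled from scheduled-task, service and signature-verification output collected on the host.

```python
"""Triage rules for masqueraded persistence entries.

All sample data below is constructed for illustration; nothing here is taken
from the campaign's real artifacts.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: the vendors named in the article, mapped to the substrings we
# expect in a genuine signer subject. Real deployments should pin exact subjects.
CLAIMED_VENDOR_SIGNERS = {
    "Microsoft": ("Microsoft Corporation",),
    "Palo Alto Networks": ("Palo Alto Networks",),
    "Broadcom": ("Broadcom", "VMware"),
}

# Assumption: legitimate vendor software persists from these roots, so an entry
# launching from AppData, ProgramData, Public, Temp, etc. deserves a look.
TRUSTED_ROOT = re.compile(r"^[A-Za-z]:\\(Program Files( \(x86\))?|Windows)\\", re.IGNORECASE)


@dataclass
class Artifact:
    kind: str             # "service", "startup_lnk" or "scheduled_task"
    name: str             # service/task name or shortcut name
    target: str           # executable the entry launches
    version_company: str  # CompanyName from the PE version resource (what the file claims)
    signer: str           # subject of the Authenticode signer, "" if unsigned
    sig_valid: bool       # whether the signature chain verified on the host


def findings(a: Artifact) -> list[str]:
    """Return the list of rule hits for one persistence artifact."""
    out: list[str] = []
    # Rule 1: the file claims a known vendor, but is not validly signed by that vendor.
    for vendor, signers in CLAIMED_VENDOR_SIGNERS.items():
        if vendor.lower() in a.version_company.lower():
            signed_by_vendor = any(s.lower() in a.signer.lower() for s in signers)
            if not a.sig_valid or not signed_by_vendor:
                out.append(f"claims {vendor} but signature does not match")
    # Rule 2: the persistence entry launches from outside the standard install roots.
    if not TRUSTED_ROOT.match(a.target):
        out.append("target outside standard install roots")
    return out


def triage(artifacts: list[Artifact]) -> dict[str, list[str]]:
    """Map each suspicious artifact name to its rule hits; clean entries are omitted."""
    return {a.name: hits for a in artifacts if (hits := findings(a))}


# Constructed sample inventory: one fake Teams updater in the Startup folder,
# one task that is validly signed but installed in an odd place, one genuine
# service, and one task whose Microsoft signature fails to verify.
SAMPLE = [
    Artifact("startup_lnk", "Microsoft Teams",
             r"C:\Users\bob\AppData\Roaming\Teams\update.exe",
             "Microsoft", "", False),
    Artifact("scheduled_task", "VMwareToolsUpdate",
             r"C:\ProgramData\VMware\vmtoolsd.exe",
             "Broadcom", "Broadcom Inc.", True),
    Artifact("service", "CortexAgent",
             r"C:\Program Files\Palo Alto Networks\Traps\cyserver.exe",
             "Palo Alto Networks", "Palo Alto Networks", True),
    Artifact("scheduled_task", "OneDrive Standalone Update",
             r"C:\Users\Public\svc.exe",
             "Microsoft Corporation", "Microsoft Corporation", False),
]

if __name__ == "__main__":
    for name, hits in triage(SAMPLE).items():
        print(f"{name}: {'; '.join(hits)}")
```

The rules are deliberately conservative: a valid signature from the claimed vendor plus a standard install path clears an entry, while either a metadata/signature mismatch or an unusual launch path is enough to queue it for analyst review rather than to block it outright.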
Did you know?
Cybercriminals often use open-source tools not only for their effectiveness but also because they are widely available and frequently updated, making it easier for attackers to stay ahead of traditional security defenses.
Why Are These Attacks Especially Threatening to Financial Institutions?
The primary objective of the CL-CRI-1014 threat actor is to act as an initial access broker, selling network footholds to other criminal groups on underground forums. By using open-source tools and impersonating legitimate software, attackers evade traditional security measures and maintain a low profile.
This approach poses a significant risk to the financial sector, potentially leading to data breaches, financial fraud, and reputational damage for affected institutions.
What Are the Broader Implications for Cybersecurity in Africa and Beyond?
The CL-CRI-1014 campaign is part of a broader trend of cyberattacks targeting financial and insurance organizations across Africa, including previous campaigns like DangerousSavanna. The emergence of new ransomware groups, such as Dire Wolf, further highlights the growing threat landscape, with technology, manufacturing, and financial services as top targets globally.
These developments underscore the need for robust cybersecurity measures and international cooperation to combat increasingly sophisticated criminal networks.
The Road Ahead for Financial Sector Defense and Resilience
To mitigate these threats, financial institutions must adopt advanced threat detection and response strategies. This includes monitoring for unusual network activity, regularly updating and patching systems, and educating staff about the risks of social engineering and credential theft.
Collaboration with cybersecurity researchers and law enforcement is also critical to disrupt criminal networks and protect critical infrastructure.