Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Africa. Show all posts
Law Enforcement
Africa Cyber Crime Cyber Operation Interpol Law Enforcement

Over 1,000 People Arrested by Interpol in Africa as it Cracks Down on Cybercrime

 

During a two-month operation to combat cybercrime that left tens of thousands of victims, including some who were trafficked, and caused millions of dollars in financial losses, Interpol detained 1,006 suspects across Africa, the international police agency said Tuesday. 

The agency said in a statement that Operation Serengeti, a combined operation with Afripol, the African Union's police agency, targeted criminals responsible for ransomware, business email breach, digital extortion, and online frauds, took place in 19 African countries between September 2 and October 31.

“From multi-level marketing scams to credit card fraud on an industrial scale, the increasing volume and sophistication of cybercrime attacks is of serious concern," stated Valdecy Urquiza, the Secretary General of Interpol. 

Local law enforcement and business sector partners, including internet service providers, were instrumental in the investigation, according to Interpol, which identified 35,000 victims and related cases to international financial losses of nearly $193 million. 

In a case involving online credit card theft that resulted in losses of $8.6 million, Kenyan police made around two dozen arrests. Eight individuals, including five Chinese nationals, were arrested by police in Senegal, a country in West Africa, for involvement in a $6 million online Ponzi scheme.

Chelba stated that Afripol's attention is now on new threats such as AI-driven malware and advanced cyberattack strategies. Other demolished networks included a Cameroonian organisation suspected of using a multi-level marketing fraud for human trafficking, an Angolan international criminal cell operating an illegal virtual casino, and a Nigerian cryptocurrency investment scam, according to the agency. 

Interpol, which has 196 member nations and celebrated its centenary last year, helps national police forces communicate with one another and seek down suspects and offenders in domains such as counterterrorism, financial crime, child pornography, cybercrime, and organised crime. 

The world's largest, if not best-funded, police organisation has faced novel challenges, including an increase in cybercrime and child sex abuse cases, as well as rising tensions among member countries. Interpol had a total budget of about 176 million euros (about $188 million) last year, compared to more than 200 million euros at Europol, the European Union's police agency, and approximately $11 billion at the FBI in the United States.
Read more »
Trend Micro
Africa APT41 Cyber Security Cybersecurity Earth Baku Europe malware Middle East sophisticated attacks Threat actor Trend Micro

China-Backed Earth Baku Broadens Cyber Assaults to Europe, Middle East, and Africa

 

The China-backed threat actor Earth Baku has diversified its targeting footprint beyond the Indo-Pacific region to include Europe, the Middle East, and Africa starting in late 2022. Newly targeted countries include Italy, Germany, the U.A.E., and Qatar, with suspected attacks also detected in Georgia and Romania. Governments, media and communications, telecoms, technology, healthcare, and education sectors are among those singled out as part of the intrusion set.

Trend Micro researchers Ted Lee and Theo Chen, in an analysis published last week, noted that Earth Baku has updated its tools, tactics, and procedures (TTPs) in more recent campaigns. The group utilizes public-facing applications such as IIS servers as entry points for attacks, subsequently deploying sophisticated malware toolsets on the victim's environment. The findings build upon recent reports from Zscaler and Google-owned Mandiant, which also detailed the threat actor's use of malware families like DodgeBox (aka DUSTPAN) and MoonWalk (aka DUSTTRAP). Trend Micro has assigned them the monikers StealthReacher and SneakCross.

Earth Baku, a threat actor associated with APT41, has been known for its use of StealthVector as far back as October 2020. Their attack chains involve the exploitation of public-facing applications to drop the Godzilla web shell, which is then used to deliver follow-on payloads. StealthReacher has been classified as an enhanced version of the StealthVector backdoor loader, responsible for launching SneakCross, a modular implant and a likely successor to ScrambleCross that leverages Google services for its command-and-control (C2) communication.

The attacks are further characterized by the use of other post-exploitation tools such as iox, Rakshasa, and a Virtual Private Network (VPN) service known as Tailscale. Sensitive data exfiltration to the MEGA cloud storage service is accomplished by means of a command-line utility dubbed MEGAcmd. "The group has employed new loaders such as StealthVector and StealthReacher to stealthily launch backdoor components, and added SneakCross as their latest modular backdoor," the researchers stated.

"The persistence of Earth Baku is notable," said the researchers. "Their tactics show a sophisticated understanding of public-facing applications, allowing them to infiltrate various sectors with precision." They further explained that the group's post-exploitation tools are customized to fit specific operational needs, with iox and Rakshasa playing significant roles in maintaining prolonged access and stealth. Tailscale, the VPN service, ensures the attackers can manage their operations without detection, while MEGAcmd allows for efficient data exfiltration.

The continued evolution of Earth Baku's methods, including the introduction of new malware like SneakCross, highlights the growing complexity and threat posed by this actor. The group’s ability to adapt and refine their TTPs makes them a formidable adversary in the cyber landscape.
Read more »
Sharp Dragon
Africa Chinese Threat Actors Cyber Security cyber threat phishing Sharp Dragon

Sharp Dragon Shifts Cyber Attacks to New Frontiers: Africa and the Caribbean


Check Point Research has been monitoring Sharp Dragon, a Chinese cyber threat group, since 2021. This group, previously known as Sharp Panda, has primarily targeted organisations in Southeast Asia with phishing campaigns. Recently, however, they have expanded their activities to include government organisations in Africa and the Caribbean, marking a significant change in their strategy.

Starting in late 2023, Sharp Dragon shifted its focus to government entities in Africa and the Caribbean. They used previously compromised email accounts from Southeast Asia to send phishing emails. These emails contained documents that appeared legitimate but were actually designed to deliver Cobalt Strike Beacon malware, replacing their earlier use of VictoryDLL and the Soul framework.

The first attack targeting Africa occurred in November 2023, involving a phishing email about industrial relations between Southeast Asia and Africa. By January 2024, further attacks within Africa suggested that some initial attempts had been successful. Similarly, in December 2023, Sharp Dragon targeted a Caribbean government with a document related to a Commonwealth meeting. This was followed by a broader phishing campaign in January 2024, using a fake survey about opioid threats in the Eastern Caribbean.

Sharp Dragon has been refining its tactics. Their new approach includes more thorough checks on target systems before deploying malware. They now use Cobalt Strike Beacon, which allows them to control infected systems without exposing their custom tools immediately. This change helps them avoid detection and gather more information on their targets.

They have also shifted from using DLL-based loaders to executable files disguised as documents. These files write and execute malicious software and create scheduled tasks for persistence on the infected system.

Another major change is Sharp Dragon's use of compromised servers for their command and control operations. Instead of using dedicated servers, they exploit legitimate servers, making their activities harder to detect. For example, in May 2023, they used a vulnerability in the GoAnywhere platform to take over legitimate servers.

Sharp Dragon's new focus on Africa and the Caribbean shows a broader effort by Chinese cyber groups to increase their influence in these regions. After years of targeting Southeast Asia, Sharp Dragon is using its established tactics to gain foothold in new territories. Their refined methods and careful target selection highlight the need for enhanced cybersecurity measures in these regions, which have yet to be as heavily scrutinized by the global cybersecurity community.


Read more »
Togo
Africa Cyber Security NSO Spyware Threat Landscape Togo

Pegasus Spyware Targets Two Journalists in Togo: RSF

 

Reporters Without Borders (RSF) disclosed that two journalists in Togo had spyware on their phones that looked similar to the potent Pegasus surveillance tool used by the NSO group. RSF reports that the journalists are accused of defaming a government minister and are currently on trial for it. Since 1963 the nation of West Africa has been ruled by the same repressive royal family. 

RSF was unclear about the detected spyware, stating only that the "traces are typical of Pegasus." According to RSF, the Togo government employed Pegasus until at least 2021, and one of the two targeted journalists was exposed to a "major cyber-espionage operation throughout the first half of 2021.” 

RSF reported that Loïc Lawson, publisher of Flambeau des Démocrates, had 23 spyware attacks on his phone from February to July 2021. A second journalist, freelancer Anani Sossou, was targeted many months later, in October 2021. 

RSF stated that its forensic service for journalists, Digital Security Lab, conducted months of investigation, and Amnesty International's Security Lab corroborated its findings in an independent analysis. 

The organisation began probing the alleged phone tampering in December, roughly three weeks after the journalists were detained. Their arrest followed a complaint from Togo's minister of urban planning, housing, and land reform, who objected to their reporting disclosing the theft of approximately 600,000 Euros (nearly $650,000) in cash from his home.

According to RSF, the journalists were accused of undermining the minister's image and "inciting revolt" at a trial that began last month. While investigating the arrests, RSF stated in a press statement that it "discovered that [the journalists] had in fact been in the crosshairs of the Togolese authorities for a long time." 

The findings mark the first verified incident of spyware being used against journalists in Togo. Pegasus spyware has frequently targeted journalists, human rights campaigners, and opposition party leaders around the world in recent years. Researchers say the attack took place in February, shortly after the Russian government banned Timchenko's journal, Meduza, for being critical of Russia's invasion of Ukraine.
Read more »
Ministry of foreign affairs
Africa attacks Cyber Crime Cyberespionage Middle East Ministry of foreign affairs

New Cyber Espionage Group Targeting Ministries of Foreign Affairs

 

Researchers unveiled a new cyber espionage group on Thursday, which is behind the series of targeted operations attacking diplomatic entities and telecommunication corporations in Africa and the Middle East since at least 2017. 

The campaign, dubbed "BackdoorDiplomacy," involves exploiting flaws in internet-exposed devices like web servers to carry out various cyber-hacking operations, including moving laterally across the network to execute a custom implant called Turian which is capable of exfiltrating sensitive data stored on removable media. 

Jean-Ian Boutin, head of threat research at Slovak cybersecurity firm ESET said, "BackdoorDiplomacy shares tactics, techniques, and procedures with other Asia-based groups. Turian likely represents a next stage evolution of Quarian, the backdoor last observed in use in 2013 against diplomatic targets in Syria and the U.S." 

The cross-platform group, which targets both Windows and Linux operating systems, singles out management interfaces for networking equipment and servers with internet-exposed ports, most likely abusing unsecured flaws to implement the China Chopper web shell for initial access, which is then used to conduct reconnaissance and install the backdoor. 

F5 BIG-IP devices (CVE-2020-5902), Microsoft Exchange servers, and Plesk web hosting control panels are among the systems affected. Victims have been identified in many African countries' foreign ministries and those in Europe, the Middle East, and Asia. Furthermore, in Africa and at least one Middle Eastern country, telecom carriers have also been hit. 

The researchers stated, "In each case, operators employed similar tactics, techniques, and procedures (TTPs), but modified the tools used, even within close geographic regions, likely to make tracking the group more difficult."

BackdoorDiplomacy is also believed to overlap with previously reported campaigns operated by a Chinese-speaking group Kaspersky tracks as "CloudComputating.

According to ESET researchers, apart from its features to gather system information, take screenshots, and carry out file operations, Turian's network encryption protocol is nearly identical to that used by WhiteBird, a C++ backdoor operated by an Asia-based threat actor named Calypso that was installed within diplomatic organizations in Kazakhstan and Kyrgyzstan at the same timeframe as BackdoorDiplomacy.
Read more »
Subscribe to: Posts (Atom)