Read time: 3 minutes

Sub-Saharan Africa faces new APT, cyber mercenary risks

By , ITWeb
Africa, 02 Oct 2020
Maher Yamout, Senior Security Researcher, Global Research & Analysis Team at Kaspersky.

Cyber mercenaries have become the latest risk amid the main threat actors targeting organisations around the world. This is according to Maher Yamout, senior security researcher, Global Research & Analysis Team at Kaspersky, who was speaking during a Kaspersky webinar presented in partnership with ITWeb this week.

Yamout said Kaspersky researchers have detected an increase in cyber mercenary activity this year. He explained that where cyber criminals usually want to steal data to immediately monetise it, cyber mercenaries typically take data on behalf of someone else, who then uses it to better understand the marketplace to gain a competitive advantage.

Outlining recent threat trends in sub-Saharan Africa, Yamout said there had been a decrease in certain types of attack, but an increase in others – indicating that cyber criminals were adapting to the changing conditions brought about by the COVID-19 pandemic. In South Africa, for example, the incidence of WannaCry decreased by 87%, but PornoBlocker increased by 72% and STOP increased by 94%. In Nigeria, PornoBlocker dropped 72.8%, GandCrypt dropped 28.3%, but STOP increased 84%. STOP propagates using cracked software adware bundles, and its spread may be the result of remote workers using cracked software, he said.

In recent months, the top targeted sectors in SA, Nigeria and Kenya have been government, diplomatic, education, healthcare and the military – often with APT groups targeting one sector and pivoting to use the compromised sector to target another entity. “So sometimes you are the victim, and sometimes you are the target,” Yamout said.

Among the threat actors targeting these industries in sub-Saharan Africa are TransparentTribe, Oilrig, MuddyWater and Unknown. Yamout said: “TransparentTribe is an interesting APT group, presumed to be Asian, which steals targets’ information and data possibly to be used for national security purposes.” He said this group’s tools, techniques and procedures include macro-based malicious documents and open source tools (Peppy RAT/CrimsonRAT), and that it also has the capability to steal data from air-gapped networks using USB drives.

Also a threat in these sectors are Oilrig, which steals sensitive information by exploiting a server-based backdoor using stolen credentials, and by delivering malicious documents with macro droppers; MuddyWater, which uses custom, in-house built toolsets, native Microsoft tools for stealth, and open source tools such as ‘secure socket funnelling’; and Unknown, which uses a shortcut-based dropper with a COVID-19 theme, delivered over Telegram Messenger and through compromised legitimate Web sites.

Artem Karasev, senior product marketing manager at Kaspersky, noted that endpoints are the most common entry points into an organisation’s infrastructure, with 68% of organisations having fallen victim to endpoint attacks.

“We have observed an overall decrease in the number of attacks, but they are becoming more sophisticated and devastating. At the same time, we see a growing gap in IT security expertise in the market,” he said. Kaspersky said as a result, organisations needed a comprehensive and adaptive cyber security strategy.

In the year ahead, Kaspersky expects to see an increase in cyber mercenaries and APT attacks. “We may see more use of cyber mercenaries to make attribution harder; as well as cyber criminals increasing targeted ransomware deployment through channels such as cracked software, or by exploiting the supply chain, IT or managed services,” Yamout said. “Data breaches could become more common because everyone is rushing to expose their databases and servers to the Internet. In addition, remote services will remain a major weakness because everyone is exposing their services to the Internet and not everyone is able to cope with security and availability at the same time; while threat actors keep evolving with complex toolsets.”
