Kathy Gibson reports – Cyberthreats hit South Africa with a bang in January, and have been tailing off for the balance of the first quarter.
Carlo Bolzonello, threat intelligence specialist and country lead South Africa at Trellix, points out that government is the most targeted vertical in the quarter, followed by education and then finance.
Most of the active threat actors are familiar names, but there are some new threats emerging, Bolzonello says.
The ransomware conversation is always top of mind for organisations, he adds, and the new Fin7 threat actor has begun targeting victims in the government space.
The Common Raven group has also been active in the finance vertical, hitting institutions in South Africa, South America, the US, Europe, the Gulf and parts of Asia.
“In the African context they have focused for the last year on the French side of the continent, and have managed to breach a couple of banks,” Bolzonello says.
While actual losses to these banks are thought to have been about $11-million, the cost of bringing systems back accounted for much more, he adds.
“Common Raven has now shifted gears and is more active in the South African market now.”
Initial access is probably gained through spear-phishing emails, usually job-themed, carrying an attachment that launches the malware.
“What is interesting is that this group is good at staying quiet within the customer’s network, and using their own tools against them,” Bolzonello explains. “This makes it difficult to identify these threat actors in the environment.”
Common Raven is also able to exfiltrate data in a way that evades security measures like firewalls.
“It has a record of success globally, and it is visiting our shores at the moment.”
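The initial-access pattern described above (job-themed spear-phishing with a launchable attachment) lends itself to a simple mail-gateway triage heuristic. The following is an added example, not code from the article or from Trellix; the record format, keyword list, extension list and scoring thresholds are all constructed assumptions for illustration.

```python
# Added example (not from the article or Trellix): heuristic triage of inbound
# mail metadata for job-themed spear-phishing with launchable attachments.
# Record layout, keyword list, extension list and weights are assumptions.
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Attachment types that run code or can carry macros/scripts when opened (assumed list).
LAUNCHABLE_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm", ".zip")

# Job-related lure vocabulary (assumed list; extend for local language and sector).
JOB_TERMS = re.compile(
    r"\b(cv|resume|r[eé]sum[eé]|vacancy|job|position|application|interview|offer)\b", re.I
)

# A decoy document extension immediately followed by a second extension, e.g. "CV.pdf.exe".
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png)\.[a-z0-9]{2,4}$", re.I)


@dataclass
class MailRecord:
    sender_domain: str
    subject: str
    attachments: List[str] = field(default_factory=list)
    known_sender: bool = False  # domain seen in prior legitimate correspondence


def score_mail(m: MailRecord) -> Tuple[int, List[str]]:
    """Return an additive suspicion score and the reasons that contributed to it."""
    score, reasons = 0, []
    if JOB_TERMS.search(m.subject):
        score += 2
        reasons.append("job-themed subject")
    launchable = [a for a in m.attachments if a.lower().endswith(LAUNCHABLE_EXT)]
    if launchable:
        score += 3
        reasons.append("launchable attachment: " + ", ".join(launchable))
    if any(DOUBLE_EXT.search(a) for a in m.attachments):
        score += 2
        reasons.append("decoy double extension")
    if not m.known_sender:
        score += 1
        reasons.append("unknown sender domain")
    return score, reasons


def triage(records: List[MailRecord], threshold: int = 5) -> List[Tuple[MailRecord, int, List[str]]]:
    """Return records at or above the threshold, highest score first."""
    flagged = []
    for r in records:
        s, why = score_mail(r)
        if s >= threshold:
            flagged.append((r, s, why))
    return sorted(flagged, key=lambda t: t[1], reverse=True)


# Constructed sample records (not real messages).
SAMPLE = [
    MailRecord("careers-portal.example", "Application for Senior Analyst position - CV attached",
               ["CV_John.pdf.exe"], known_sender=False),
    MailRecord("hr.example.co.za", "Interview schedule", ["schedule.pdf"], known_sender=True),
    MailRecord("vendor.example", "Invoice 4471", ["invoice_4471.docm"], known_sender=False),
]

if __name__ == "__main__":
    for rec, s, why in triage(SAMPLE):
        print(f"{s:2d}  {rec.sender_domain:24s} {rec.subject!r}  <- {'; '.join(why)}")
```

The weights are deliberately additive so that a single weak signal (a job-themed subject from a known HR domain, or a macro document from an unknown vendor) stays below the threshold while the combination the article describes, a job lure plus an attachment that executes, is surfaced for analyst review.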
UNC4191 is a new threat actor targeting government.
This Chinese-linked group gets into organisations such as universities and government departments by weaponising USB devices. “You would think USBs are not so prevalent, but they have been able to breach many systems including air-gapped networks,” Bolzonello says.
“They have also looked to infect mobile phones and USB cables. So this group is smart in what it is doing.”
The group aims to collect information rather than cause damage. “To the best of our knowledge it is to ensure that commercial and economic interests of China are being looked after,” Bolzonello says.
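A defender's counterpart to the USB-based entry described above is to correlate removable-media connect events with process launches from that media on the same host. The block below is an added example, not code from the article or from Trellix; the log format, field names, sample lines and the ten-minute correlation window are constructed assumptions.

```python
# Added example (not from the article or Trellix): flag process launches whose image
# lives on a removable drive connected shortly before on the same host.
# Log format, field names, sample lines and the correlation window are assumptions.
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed endpoint telemetry, one key=value event per line (not real logs).
SAMPLE_LOG = """\
2024-01-15T08:02:11 host=ws-17 event=device_connect class=USBSTOR drive=E:
2024-01-15T08:02:40 host=ws-17 event=process_start image=E:\\docs\\update.exe parent=explorer.exe
2024-01-15T09:10:05 host=ws-03 event=process_start image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe
2024-01-15T09:15:00 host=ws-03 event=device_connect class=USBSTOR drive=F:
2024-01-15T11:30:00 host=ws-03 event=process_start image=F:\\tools\\setup.exe parent=explorer.exe
"""


def parse_event(line: str) -> Dict[str, object]:
    """Split 'TIMESTAMP k=v k=v ...' into a dict; the timestamp is parsed to datetime."""
    ts, rest = line.split(" ", 1)
    fields: Dict[str, object] = dict(kv.split("=", 1) for kv in rest.split(" "))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def find_removable_executions(log_text: str,
                              window: timedelta = timedelta(minutes=10)
                              ) -> List[Tuple[str, str, str]]:
    """Return (host, drive, image) for every process_start whose image path starts with a
    drive letter that received a USBSTOR device_connect on the same host within `window`
    before the launch. Events are assumed to arrive in time order."""
    last_connect: Dict[Tuple[str, str], datetime] = {}
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        host = str(ev["host"])
        if ev["event"] == "device_connect" and ev.get("class") == "USBSTOR":
            last_connect[(host, str(ev["drive"]).upper())] = ev["ts"]  # type: ignore[assignment]
        elif ev["event"] == "process_start":
            image = str(ev["image"])
            drive = image[:2].upper()
            connected_at = last_connect.get((host, drive))
            if connected_at is not None and timedelta(0) <= ev["ts"] - connected_at <= window:  # type: ignore[operator]
                hits.append((host, drive, image))
    return hits


if __name__ == "__main__":
    for host, drive, image in find_removable_executions(SAMPLE_LOG):
        print(f"{host}: execution from removable drive {drive}: {image}")
```

With the default ten-minute window only the ws-17 launch is flagged; the ws-03 launch from F: happens more than two hours after the connect and is left for a wider-window or pure path-based rule. Tuning that window against normal removable-media use in the estate is what decides how noisy the rule is in practice.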
Trellix Advanced Threat Research team and Cyber Threat Management Engineers give an update on the Cyber Threat Landscape for the South African Market.