DangerousSavanna: Two-year long campaign targets financial institutions in French-speaking Africa
AI Analysis
Technical Summary
The DangerousSavanna campaign is a prolonged cyber espionage and financial crime operation targeting financial institutions primarily in French-speaking African countries, including Cameroon, Ivory Coast, Morocco, Senegal, and Togo. The campaign had been active for at least two years as of its publication date in September 2022. The attackers rely on spearphishing with malicious attachments (MITRE ATT&CK T1193 and T1566.001) to gain initial access to targeted organizations: carefully crafted emails carry malicious documents or files that, when opened, execute malware or exploit vulnerabilities to compromise the victim's system. The threat actor, tracked as DangerousSavanna, concentrates on financial institutions and likely aims to steal sensitive financial data or credentials, or to conduct fraudulent transactions. Although no exploits are reported in the wild for this campaign, its persistence and targeted approach indicate a capable adversary, and the threat level is rated medium. The geographic focus on French-speaking African countries suggests a regional targeting strategy, possibly motivated by financial gain or geopolitical interests. Because no affected software versions or disclosed vulnerabilities are associated with the campaign, the attack vector depends heavily on social engineering and user interaction rather than on exploiting software flaws. The medium severity rating reflects the moderate but significant risk of successful spearphishing, which can lead to data breaches, financial loss, and reputational damage.
Potential Impact
For European organizations, the direct impact of DangerousSavanna may be limited given the campaign's focus on French-speaking African financial institutions. However, European financial entities with business ties, subsidiaries, or partnerships in these countries could face indirect risks: compromise of an African financial institution could lead to fraudulent transactions affecting European banks, exposure of sensitive financial data, or disruption of cross-border financial operations. European organizations with employees or clients in the targeted regions may also be exposed to spearphishing attempts using similar tactics. The campaign illustrates the ongoing threat of targeted social engineering that bypasses traditional technical defenses, underlining the need for vigilance in email security and user awareness. Given the interconnectedness of global financial systems, successful attacks in one region can have cascading effects, including regulatory scrutiny and financial instability that reach European markets.
Mitigation Recommendations
To mitigate the risks posed by the DangerousSavanna campaign, European organizations, especially those with African ties, should implement targeted defenses beyond generic advice. First, strengthen email security by deploying anti-phishing solutions that analyze attachments for malicious content and detonate them in a sandbox to catch previously unseen threats. Enforce strict attachment handling policies, such as blocking or quarantining high-risk file types and requiring digital signatures for trusted documents. Conduct regular, region-specific security awareness training on spearphishing tactics, stressing the risk of opening unsolicited attachments even when they appear to come from legitimate sources. Require multi-factor authentication (MFA) to limit the impact of credentials stolen through phishing. Segment the network and monitor for unusual outbound traffic to detect lateral movement or data exfiltration. Maintain incident response plans that cover spearphishing and financial fraud scenarios. Organizations operating in the affected African countries should work closely with local cybersecurity authorities and share threat intelligence to keep up with evolving tactics. Finally, review and update email filtering rules and detection signatures regularly to adapt to emerging spearphishing campaigns.
Affected Countries
Cameroon, Ivory Coast, Morocco, Senegal, Togo
Technical Details
- Threat Level: 2
- Analysis: 0
- Original Timestamp: 1662644030
Threat ID: 682acdbebbaf20d303f0c203
Added to database: 5/19/2025, 6:20:46 AM
Last enriched: 7/2/2025, 8:10:25 AM
Last updated: 8/12/2025, 4:59:00 PM