Reddit NetSec

CVE Database V5

AlienVault OTX General

Reddit InfoSec News

Exploit-DB RSS Feed

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

A series of attacks targeting financial organizations across Africa has been observed since July 2023. The threat actor, tracked as CL-CRI-1014, uses open-source and publicly available tools like PoshC2, Chisel, and Classroom Spy to establish attack frameworks, create tunnels for network communication, and perform remote administration. They forge file signatures to disguise their toolset and mask malicious activities. The attackers are suspected to be acting as initial access brokers, creating footholds in financial institutions to sell access on darknet markets. Their playbook includes lateral movement techniques such as creating remote services, executing through DCOM, and using PsExec. The threat actor also employs evasion methods like using packers and signing tools with stolen signatures.

Since July 2023, a cybercriminal group identified as CL-CRI-1014 has been conducting targeted attacks against financial institutions across Africa. This threat actor leverages open-source and publicly available tools such as PoshC2, Chisel, and Classroom Spy to build flexible attack frameworks. PoshC2 is a well-known post-exploitation framework used for command and control (C2), Chisel is used to create encrypted tunnels for network communication, and Classroom Spy is a remote administration tool. By combining these tools, the attackers establish persistent footholds within victim networks, enabling remote control and data exfiltration. To evade detection, the attackers forge file signatures, making their malicious tools appear legitimate, and use packers and stolen digital signatures to mask their malware binaries. Their operational playbook includes lateral movement techniques such as creating remote services, executing commands via Distributed Component Object Model (DCOM), and leveraging PsExec for remote code execution. These techniques allow the threat actor to move laterally within compromised networks, escalating privileges and expanding access. The group is suspected to act as initial access brokers, compromising financial organizations and then selling access on darknet markets to other malicious actors. The attack chain involves sophisticated evasion and persistence mechanisms, including the use of scheduled tasks (T1053.005), masquerading (T1036.005), and code injection (T1055). Although no known exploits are currently reported in the wild for specific vulnerabilities, the use of legitimate tools and stolen signatures complicates detection and mitigation efforts. The threat is categorized as medium severity, reflecting the moderate but significant risk posed by these targeted intrusions.

Detailed information about Cybercriminals Abuse Open-Source Tools To Target Africa's Financial Sector. Get real-time updates, technical details, and mitigation 

Cybercriminals Abuse Open-Source Tools To Target Africa's Financial Sector - Live Threat Intelligence - Threat Radar | OffSeq.com

Cybercriminals Abuse Open-Source Tools To Target Africa's Financial Sector

Cybercriminals Abuse Open-Source Tools To Target Africa’s Financial Sector

Source: https://unit42.paloaltonetworks.com/cybercriminals-attack-financial-sector-across-africa/

This threat campaign involves cybercriminals leveraging open-source tools to conduct attacks targeting the financial sector across Africa. The campaign was reported by Unit 42, a reputable cybersecurity research group, and shared on the InfoSecNews subreddit. Although specific affected software versions or vulnerabilities are not detailed, the mention of 'rce' (remote code execution) in the newsworthiness assessment indicates that attackers may be exploiting remote code execution vulnerabilities or techniques to compromise systems. The use of open-source tools suggests that attackers are utilizing publicly available software frameworks or utilities, potentially to automate attacks, evade detection, or exploit known weaknesses in financial institutions' infrastructure. The campaign is recent (published June 2025) and has a medium severity rating, indicating a moderate level of threat. No known exploits in the wild have been reported yet, and discussion levels on Reddit are minimal, suggesting that the campaign is either emerging or not widely publicized. The lack of specific technical details such as exploited CVEs or attack vectors limits the granularity of the analysis, but the focus on Africa's financial sector implies targeted attacks on banking systems, payment platforms, or financial service providers, likely aiming at financial gain through fraud, data theft, or disruption.

Detailed information about Cybercriminals Abuse Open-Source Tools To Target Africa’s Financial Sector. Get real-time updates, technical details, and mitigation 

Cybercriminals Abuse Open-Source Tools To Target Africa’s Financial Sector - Live Threat Intelligence - Threat Radar | OffSeq.com

Cybercriminals Abuse Open-Source Tools To Target Africa’s Financial Sector

Reddit Discussion: Cybercriminals Abuse Open-Source Tools To Target Africa’s Financial Sector

Open Source SACCO Management System v1.0 vulnerable to SQL Injection via /sacco_shield/manage_loan.php.

CVE-2022-42218 is a high-severity SQL Injection vulnerability identified in the Open Source SACCO Management System version 1.0, specifically exploitable via the /sacco_shield/manage_loan.php endpoint. SQL Injection (CWE-89) vulnerabilities occur when untrusted input is improperly sanitized and directly incorporated into SQL queries, allowing an attacker to manipulate the database queries executed by the application. In this case, the vulnerability allows an attacker with high privileges (PR:H) and network access (AV:N) to execute arbitrary SQL commands without requiring user interaction (UI:N). The vulnerability impacts confidentiality, integrity, and availability (C:H/I:H/A:H) of the system, enabling potential data exfiltration, unauthorized data modification, or denial of service. The CVSS 3.1 base score of 7.2 reflects a high severity due to ease of exploitation over the network with low attack complexity (AC:L) and no user interaction required. Although no known exploits are currently reported in the wild, the absence of patches or vendor-provided fixes increases the risk for organizations using this software. The SACCO Management System is typically used by Savings and Credit Cooperative Organizations to manage loans and financial transactions, making the data highly sensitive and critical for operational continuity.

Detailed information about CVE-2022-42218: n/a in n/a affecting n/a n/a. Get real-time updates, technical details, and mitigation strategies.

CVE-2022-42218: n/a in n/a - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2022-42218: n/a in n/a

Open Source SACCO Management System v1.0 is vulnerable to SQL Injection via /sacco_shield/manage_payment.php.

CVE-2022-42143 is a high-severity SQL Injection vulnerability identified in the Open Source SACCO Management System version 1.0, specifically exploitable via the /sacco_shield/manage_payment.php endpoint. SQL Injection (CWE-89) vulnerabilities occur when untrusted input is improperly sanitized and directly included in SQL queries, allowing attackers to manipulate the database queries executed by the application. In this case, the vulnerability enables an attacker with high privileges (PR:H) to remotely execute arbitrary SQL commands over the network (AV:N) without requiring user interaction (UI:N). The vulnerability affects confidentiality, integrity, and availability (C:H/I:H/A:H) of the system, meaning an attacker could potentially extract sensitive data, modify or delete records, or disrupt service availability. The CVSS 3.1 base score of 7.2 reflects a high severity due to the ease of exploitation (low attack complexity) and the broad impact on the system. Although the exact affected versions and vendor details are not specified, the vulnerability is tied to an open-source SACCO (Savings and Credit Cooperative Organization) management system, which is typically used by financial cooperatives to manage member accounts and payments. No patches or known exploits in the wild have been reported yet, but the presence of this vulnerability poses a significant risk to organizations relying on this software for financial transaction management.

Detailed information about CVE-2022-42143: n/a in n/a affecting n/a n/a. Get real-time updates, technical details, and mitigation strategies.

CVE-2022-42143: n/a in n/a - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2022-42143: n/a in n/a

Open Source SACCO Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /sacco_shield/ajax.php?action=delete_borrower.

CVE-2022-41530 is a high-severity SQL injection vulnerability identified in the Open Source SACCO Management System version 1.0. The vulnerability exists in the 'id' parameter of the endpoint /sacco_shield/ajax.php?action=delete_borrower. SQL injection (CWE-89) occurs when untrusted input is improperly sanitized and directly incorporated into SQL queries, allowing an attacker to manipulate the database query executed by the application. In this case, the 'id' parameter is vulnerable, enabling an attacker with high privileges (PR:H) to execute arbitrary SQL commands remotely (AV:N) without requiring user interaction (UI:N). The vulnerability affects confidentiality, integrity, and availability (C:H/I:H/A:H) of the system, as an attacker could extract sensitive data, modify or delete records, or disrupt service. The CVSS 3.1 base score of 7.2 reflects the ease of exploitation due to low attack complexity (AC:L) and the significant impact on the system. Although no known exploits are currently reported in the wild, the vulnerability poses a serious risk to organizations using this SACCO Management System, which is typically used by Savings and Credit Cooperative Organizations to manage member loans and financial transactions. The lack of vendor or product-specific information limits detailed attribution, but the vulnerability's presence in an open-source financial management tool suggests potential exposure in environments relying on this software for critical financial operations.

Detailed information about CVE-2022-41530: n/a in n/a affecting n/a n/a. Get real-time updates, technical details, and mitigation strategies.

CVE-2022-41530: n/a in n/a - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2022-41530: n/a in n/a

Open Source SACCO Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /sacco_shield/ajax.php?action=delete_plan.

CVE-2022-41532 is a high-severity SQL injection vulnerability identified in the Open Source SACCO Management System version 1.0. The vulnerability exists in the 'id' parameter of the endpoint /sacco_shield/ajax.php?action=delete_plan. This parameter is susceptible to SQL injection attacks, allowing an attacker with high privileges (PR:H) to execute arbitrary SQL commands on the backend database without requiring user interaction (UI:N). The vulnerability has a CVSS 3.1 base score of 7.2, indicating a high impact on confidentiality, integrity, and availability. Exploiting this flaw could allow an attacker to manipulate or delete sensitive data, escalate privileges, or disrupt the availability of the SACCO Management System. The vulnerability is remotely exploitable over the network (AV:N) with low attack complexity (AC:L), but requires authenticated access, which limits exploitation to users with some level of system access. The vulnerability is categorized under CWE-89, which corresponds to SQL injection, a common and critical web application security issue. No patches or fixes have been linked or published yet, and there are no known exploits in the wild at this time. The SACCO Management System is typically used by Savings and Credit Cooperative Organizations (SACCOs) to manage member accounts, loans, and financial transactions, making the confidentiality and integrity of data critical for operational and regulatory compliance.

Detailed information about CVE-2022-41532: n/a in n/a affecting n/a n/a. Get real-time updates, technical details, and mitigation strategies.

Title	Severity	Type	Source	Date

Threats Affecting South Africa

Filter Threats

Threats Affecting South Africa

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility