Surge in Ransomware and DDoS Attacks Targeting Microsoft, WordPress, and Network Appliances in MENA and Africa
- Rescana
- 2 days ago
- 4 min read

Executive Summary
Organizations across the Middle East and Africa are experiencing a significant escalation in cyberattacks targeting government entities, financial institutions, and small retailers. Threat actors, including both advanced persistent threat (APT) groups and hacktivist collectives, are leveraging custom malware, ransomware-as-a-service (RaaS) platforms, and distributed denial-of-service (DDoS) campaigns. These attacks exploit both zero-day and long-patched vulnerabilities in widely deployed products such as Microsoft Windows, WordPress, Palo Alto Networks PAN-OS, Ivanti Connect Secure, ConnectWise ScreenConnect, Fortra GoAnywhere MFT, Atlassian Confluence, and Microsoft Exchange Server. The operational impact includes data breaches, service outages, financial theft, and reputational damage. This advisory provides a technical breakdown of the observed tactics, techniques, and procedures (TTPs), the malware and tools in use, and actionable mitigation strategies to help organizations in the region defend against these evolving threats.
Threat Actor Profile
The current threat landscape in the MENA region is shaped by a diverse set of actors. GhostSec and Stormous are prominent RaaS operators responsible for the deployment of GhostLocker 2.0 ransomware, which has been observed in high-profile attacks across South Africa, Egypt, Israel, and Lebanon. Anonymous Sudan is a hacktivist collective specializing in DDoS attacks, primarily targeting financial and government portals in Kenya, Nigeria, South Africa, and Uganda. Hunters International is a ransomware group that has targeted telecom and government sectors, notably in Namibia. Financially motivated groups such as Waste have orchestrated direct theft from central banks, as seen in the Bank of Uganda breach. Additionally, APT groups like APT-C-23 (Arid Viper) have leveraged spear-phishing and Exchange server exploits to compromise government and critical infrastructure targets. These actors are characterized by their rapid exploitation of public-facing vulnerabilities, use of commodity and custom malware, and a growing reliance on botnets and DDoS-for-hire services.
Technical Analysis of Malware/TTPs
GhostLocker 2.0 is a Golang-based ransomware variant deployed by GhostSec and Stormous. It targets Microsoft Windows endpoints, establishing persistence by copying itself into the user's Startup folder and encrypting files with the .ghost extension. The malware exfiltrates sensitive data, including Microsoft Office documents, before encryption. Initial access is typically achieved through spear-phishing, exploitation of public-facing applications, and brute-forcing of Remote Desktop Protocol (RDP) credentials. The ransomware communicates with command-and-control (C2) infrastructure, notably the IP address 94.103.91.246 reported in the Cisco Talos analysis, and drops a ransom note named Ransomnote.html. Note that a single C2 address is a point-in-time indicator: it can be rotated or reassigned, so the file-based indicators (the .ghost extension, the ransom note, and unexpected executables in the Startup folder) are the more durable signals for detection.
GhostPresser, a tool attributed to GhostSec, exploits admin bypass and cross-site scripting (XSS) vulnerabilities in WordPress installations, enabling lateral movement and privilege escalation within compromised environments.
Anonymous Sudan orchestrates DDoS attacks using botnets and DDoS-for-hire platforms, coordinating operations via Telegram channels. Their campaigns have resulted in significant service disruptions for banks and telecom providers.
Hunters International ransomware employs data exfiltration and encryption techniques, targeting both government and private sector organizations. The group leverages vulnerabilities in VPN and firewall appliances, such as CVE-2024-3400 (command injection in the PAN-OS GlobalProtect feature) in Palo Alto Networks PAN-OS, and CVE-2024-21887 (command injection) and CVE-2024-21893 (server-side request forgery in the SAML component) in Ivanti Connect Secure.
Other notable vulnerabilities exploited in the wild include CVE-2024-1709 (authentication bypass) in ConnectWise ScreenConnect, CVE-2023-0669 (pre-authentication remote code execution) in Fortra GoAnywhere MFT, CVE-2023-22515 (broken access control allowing creation of unauthorized administrator accounts) in Atlassian Confluence Data Center and Server, and CVE-2021-26855 (ProxyLogon, a server-side request forgery) in Microsoft Exchange Server. These vulnerabilities facilitate initial access, lateral movement, and data exfiltration.
The MITRE ATT&CK framework techniques observed include T1059 (Command and Scripting Interpreter), T1566.001 (Spearphishing Attachment), T1486 (Data Encrypted for Impact), T1041 (Exfiltration Over C2 Channel), T1078 (Valid Accounts), T1190 (Exploit Public-Facing Application), T1499 (Endpoint Denial of Service), and T1583.005 (Botnets).
Exploitation in the Wild
Recent incidents demonstrate the operational impact of these campaigns. The Eneo attack in Cameroon disrupted national energy services, while GhostLocker 2.0 caused data encryption and ransom demands in South Africa and Egypt. Anonymous Sudan's DDoS campaigns have led to widespread outages in banking and government services across Kenya, Nigeria, and South Africa. The Bank of Uganda breach resulted in the theft of $16.8 million, and the Flutterwave incident in Nigeria saw unauthorized fund transfers totaling approximately $7 million. Telecom Namibia suffered a ransomware attack by Hunters International, leading to the leak of sensitive customer and government data. The Kenya MSEA and South Africa NHLS breaches further underscore the vulnerability of public sector organizations. These attacks often exploit unpatched systems, weak authentication, and misconfigured public-facing applications.
Victimology and Targeting
The primary targets of these campaigns are government agencies, central and commercial banks, small and medium-sized retailers, energy providers, and digital financial platforms. Attackers are opportunistic, focusing on organizations with exposed or outdated infrastructure, limited security resources, and high-value data. The financial sector is particularly at risk due to the prevalence of mobile money and digital banking platforms in Africa, which present a rapidly expanding attack surface. Small retailers are increasingly targeted via supply chain attacks and compromised point-of-sale systems. The use of ransomware and DDoS attacks is designed to maximize operational disruption and extort payments, while data exfiltration campaigns seek to monetize stolen information on dark web marketplaces.
Mitigation and Countermeasures
Organizations are strongly advised to implement a multi-layered defense strategy. Immediate actions should include patching all affected products to the latest versions, with particular attention to Microsoft Windows, WordPress, Palo Alto Networks PAN-OS, Ivanti Connect Secure, ConnectWise ScreenConnect, Fortra GoAnywhere MFT, Atlassian Confluence, and Microsoft Exchange Server. Because several of these vulnerabilities were exploited before patches were widely applied, patching alone does not evict an attacker who is already present: internet-facing appliances should also be checked for signs of prior compromise (unexpected accounts, web shells, or modified configuration) before they are returned to service.
Security teams should monitor for indicators of compromise such as the .ghost file extension, the presence of Ransomnote.html, unexpected executables in user Startup folders, and connections to the C2 IP 94.103.91.246. WordPress installations should be audited for unauthorized admin users and unexpected plugin or theme changes. VPN and firewall logs must be reviewed for exploitation attempts related to CVE-2024-3400, CVE-2024-21887, and CVE-2024-21893. Enhanced monitoring for exfiltration of Microsoft Office documents and suspicious RDP activity is essential; RDP should not be exposed directly to the internet and should require multi-factor authentication.
Network defenses should leverage the Cisco Talos Snort SIDs 62983-62989 and 300818-300820, as well as the ClamAV signature Win.Ransomware.GhostSec-10020906-0. User awareness training on phishing and social engineering, robust DDoS protection for critical portals, and strengthened controls for mobile banking platforms are also critical. Proactive threat intelligence and continuous monitoring are vital to detect and respond to emerging threats.
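The file and network indicators listed in the Technical Analysis and Mitigation sections can be swept for with a small script. The following is an added example written for this advisory, not code from Rescana or Cisco Talos. The file paths and firewall log lines it contains are constructed sample data, and the key=value log layout is an illustration rather than any vendor's real format; the indicator values themselves (the .ghost extension, Ransomnote.html, the Startup folder, and 94.103.91.246) are those stated in the advisory.

```python
"""IOC sweep for the GhostLocker 2.0 indicators described in this advisory.

Added example (not Rescana's or Talos's code). Sample paths and log lines
are constructed; the key=value log layout is hypothetical.
"""
import os
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Indicators taken from the advisory.
GHOST_EXTENSION = ".ghost"
RANSOM_NOTE = "ransomnote.html"
C2_IPS = {"94.103.91.246"}
# Path fragment of the per-user Windows Startup folder used for persistence.
STARTUP_FRAGMENT = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# Executable types that should not normally appear in a user's Startup folder
# (.lnk shortcuts are deliberately excluded because legitimate apps create them).
SUSPICIOUS_STARTUP_EXT = (".exe", ".bat", ".cmd", ".vbs", ".ps1", ".js")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def classify_path(path: str) -> Optional[str]:
    """Return an indicator label for one file path, or None if nothing matches."""
    p = PureWindowsPath(path)          # also parses '/'-separated paths
    name = p.name.lower()
    if name.endswith(GHOST_EXTENSION):
        return "encrypted_file"
    if name == RANSOM_NOTE:
        return "ransom_note"
    if STARTUP_FRAGMENT in str(p).lower() and name.endswith(SUSPICIOUS_STARTUP_EXT):
        return "startup_persistence"
    return None


def sweep_paths(paths: List[str]) -> Dict[str, List[str]]:
    """Group every matching path under its indicator label."""
    hits: Dict[str, List[str]] = {}
    for path in paths:
        label = classify_path(path)
        if label:
            hits.setdefault(label, []).append(path)
    return hits


def sweep_directory(root: str) -> Dict[str, List[str]]:
    """Walk a live filesystem tree and classify every file under it."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        paths.extend(os.path.join(dirpath, f) for f in files)
    return sweep_paths(paths)


def sweep_logs(lines: List[str]) -> List[Tuple[int, List[str], str]]:
    """Flag any log line that mentions a known C2 address.

    Every IPv4 literal in the line is checked, so the function does not
    depend on a particular field name or log format.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        found = set(IPV4_RE.findall(line)) & C2_IPS
        if found:
            hits.append((n, sorted(found), line.strip()))
    return hits


# Constructed sample data: one clean document, its encrypted copy, the ransom
# note, a dropped executable in Startup, a benign shortcut, and a system file.
SAMPLE_PATHS = [
    r"C:\Users\amina\Documents\Q3_budget.xlsx",
    r"C:\Users\amina\Documents\Q3_budget.xlsx.ghost",
    r"C:\Users\amina\Desktop\Ransomnote.html",
    r"C:\Users\amina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe",
    r"C:\Users\amina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk",
    r"C:\Windows\System32\notepad.exe",
]
# Constructed firewall log lines in a hypothetical key=value format.
SAMPLE_LOGS = [
    "2024-05-02T10:14:03Z action=allow src=10.20.1.55 dst=142.250.74.46 dport=443",
    "2024-05-02T10:14:09Z action=allow src=10.20.1.55 dst=94.103.91.246 dport=443",
    "2024-05-02T10:15:40Z action=allow src=10.20.1.55 dst=94.103.91.246 dport=443",
    "2024-05-02T10:16:02Z action=deny src=10.20.1.78 dst=8.8.8.8 dport=53",
]

if __name__ == "__main__":
    for label, paths in sweep_paths(SAMPLE_PATHS).items():
        print(f"[{label}]")
        for p in paths:
            print("   ", p)
    for n, ips, line in sweep_logs(SAMPLE_LOGS):
        print(f"[c2_contact] line {n} {ips}: {line}")
```

On a live Windows host, `sweep_directory(r"C:\Users")` runs the same classification over real files. A hit on the C2 address should be treated as evidence that the source host was in contact with the infrastructure at the logged time, and then confirmed against the file-based indicators, since the address may be rotated or reassigned after the Talos report.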
References
Cisco Talos GhostLocker 2.0 Analysis: https://blog.talosintelligence.com/ghostsec-ghostlocker2-ransomware/
BusinessDay: Top 10 Cyberattacks in Africa 2024: https://businessday.ng/news/article/top-10-cyberattacks-that-targeted-african-organisations-in-2024/
SOCRadar: Top 10 Exploited Vulnerabilities 2024: https://socradar.io/top-10-exploited-vulnerabilities-of-2024/
NVD: CVE-2024-3400: https://nvd.nist.gov/vuln/detail/CVE-2024-3400
NVD: CVE-2024-21887: https://nvd.nist.gov/vuln/detail/CVE-2024-21887
NVD: CVE-2024-1709: https://nvd.nist.gov/vuln/detail/CVE-2024-1709
NVD: CVE-2023-0669: https://nvd.nist.gov/vuln/detail/CVE-2023-0669
NVD: CVE-2023-22515: https://nvd.nist.gov/vuln/detail/CVE-2023-22515
NVD: CVE-2021-26855: https://nvd.nist.gov/vuln/detail/CVE-2021-26855
Business Insider Africa: Major 2024 Attacks: https://africa.businessinsider.com/local/lifestyle/10-major-cyberattacks-that-targeted-african-organizations-in-2024/qsqgmlq
About Rescana
Rescana empowers organizations to proactively manage third-party cyber risk with a comprehensive TPRM platform that delivers actionable intelligence, continuous monitoring, and automated risk assessment. Our solutions enable security teams to identify, prioritize, and mitigate threats across complex supply chains and digital ecosystems. For more information or to discuss how Rescana can help strengthen your cyber resilience, we are happy to answer questions at ops@rescana.com.


