Application security provider Checkmarx has identified what it described as the first open source software supply chain attacks targeting the banking sector.
In a recent report, Checkmarx researchers analyzed two distinct, sophisticated supply chain attacks relying on open source toolsets. Both attacks’ targets were banks.
The first attack started in February 2023, when a threat actor uploaded a package to NPM, the world’s largest software registry.
This package contained a payload designed to latch onto a specific login form element on the targeted bank’s web page, stealthily intercepting login data and then transmitting it to a remote location.
The premise of the second attack, observed from early April 2023, is similar, with a threat actor uploading packages to NPM.
These packages contained a preinstall script that executed its malicious objective upon installation.
First, the script identified the victim’s operating system (Windows, Linux, or Darwin/MacOS). Then, based on the result, the script decoded the relevant encrypted files in the NPM package.
Next, the attacker used these files to download a malicious binary onto the victim’s system.
To avoid detection and bypass traditional deny list methods, the attacker created a subdomain on Microsoft Azure CDN that incorporated the name of the targeted bank.
They also leveraged the Havoc Framework, an advanced post-exploitation command and control framework crafted by the self-proclaimed “malware writer” going by the Twitter handle @C5pider.
“Havoc’s ability to evade standard defenses, like Windows Defender, makes it a go-to option for threat actors, replacing legitimate toolkits such as Cobalt Strike, Sliver, and Brute Ratel,” reads the report.
Checkmarx also noted that the contributor behind these packages was linked to a LinkedIn profile page of an individual posing as an employee of the targeted bank.
The security researchers commented: “Our initial assumption was that this may be a penetration testing exercise by the bank. However, the response we received upon contacting the institution for clarification painted a different picture — the bank wasn’t aware of this activity.”
While the malicious open source packages have been reported by Checkmarx and removed, the firm predicts “a persistent trend of attacks against the banking sector’s software supply chain to continue.”
The researchers argued that vulnerability scanning at the build level alone is “no longer adequate in the face of today’s advanced cyber threats. Once a malicious open-source package enters the pipeline, it’s essentially an instantaneous breach — rendering any subsequent countermeasures ineffective. […] This escalating gap underscores the urgency to shift our strategy from merely managing malicious packages to proactively preventing their infiltration into our Software Development Lifecycle (SDLC) in the first place.”
On July 12, 2023, SOCRadar found that the financial industry was facing a soaring ransomware threat and ranked as the seventh most targeted sector by ransomware actors in the first half of 2023.