Cybersecurity researchers recently made a significant discovery, identifying what appears to be the first open-source software supply chain attacks specifically aimed at the banking sector. The attackers utilized advanced techniques, including focusing on specific components within the web assets of victim banks by attaching malicious functionalities to them. The published report highlighted the nature of these attacks.
The attackers employed deceptive tactics, including creating a fake LinkedIn profile to appear credible and customizing command-and-control (C2) centers for each target. By exploiting legitimate services, they managed to carry out their illicit activities effectively. The malicious npm packages used in these attacks were later reported and taken down, although their names were not disclosed. In the initial attack, the malware author posed as an employee of the target bank and uploaded packages to the npm registry in early April 2023. These packages contained a preinstall script that triggered the infection sequence. To deliver the second-stage payload, the attackers cleverly utilized Azure’s CDN subdomains, incorporating the name of the targeted bank to bypass traditional deny list methods.
The second-stage payload, identified as Havoc, is an open-source command-and-control (C2) framework, which the attackers used to evade detection typically associated with the use of other tools like Cobalt Strike, Sliver, and Brute Ratel.
In another unrelated attack detected in February 2023, targeting a different bank, the adversary uploaded a package to npm designed to blend into the bank’s website and intercept login data covertly. This data was then exfiltrated to an actor-controlled infrastructure.
The importance of supply chain security was highlighted, as once a malicious open-source package enters the software development pipeline, it can lead to an instantaneous breach, rendering subsequent countermeasures ineffective.
“Supply chain security revolves around protecting the entire process of software creation and distribution, from the beginning stages of development to the delivery to the end user.”, they added
Notably, the Russian-speaking cybercrime group RedCurl was involved in breaching a major Russian bank and an Australian company in November 2022 and May 2023, respectively. They carried out multiple attacks on companies from various countries, stealing corporate secrets and employee information through a sophisticated phishing campaign.
Financial institutions have also faced attacks using a web-inject toolkit called drIBAN, which alters legitimate banking transfers performed by users, diverting money to illegitimate accounts controlled by the attackers.
“This escalating gap underscores the urgency to shift our strategy from merely managing malicious packages to proactively preventing their infiltration into our Software Development Lifecycle (SDLC) in the first place.”
These incidents emphasize the critical need for enhanced cybersecurity measures, collaboration between developers, researchers, and organizations, and constant vigilance to protect against emerging threats in the ever-evolving cyber landscape.