Application security provider Checkmarx has detailed its findings on the first known open-source software (OSS) attacks targeting the banking sector.
During the first half of 2023, the firm said its supply chain research team detected several OSS attacks that showcased advanced techniques designed to exploit legitimate services - such as attaching malicious functionalities to specific components of the victim bank’s web assets.
They also deployed deception tactics such as creating fake LinkedIn profiles to feign credibility, as well as using customized command and control (C2) centers for each target.
The malicious open-source packages have since been reported on and removed by Checkmarx – but the company said it does predict a “persistent trend” of attacks against the banking sector’s supply chain to continue.
In the first attack detailed by Checkmarx, which occurred on 5 April and 7 April, a threat actor leveraged the NPM platform to upload packages that contained a preinstall script that executed its objective upon installation.
To appear more credible, the attacker created a spoofed LinkedIn profile page of someone posing as an employee of the victim bank.
Researchers originally thought this may have been linked to legitimate penetration testing services commissioned by the bank, but the bank revealed that to not be the case and that it was unaware of the LinkedIn activity.
The attack itself was modeled on a multi-stage approach which began with running a script to identify the victim’s operating system – Windows, Linux, or macOS.
Don’t just educate: Create cyber-safe behaviour
Read this report to learn about changing employee behavior and improving your organization's security culture.
Once identified, the script then decoded the relevant encrypted files in the NPM package which then downloaded a second-stage payload.
Checkmarx said that the Linux-specific encrypted file was not flagged as malicious by online virus scanner VirusTotal, allowing the attacker to “maintain a covert presence on the Linux systems” and increase its chances of success.
With the second-stage payload, the attacker utilized Azure’s CDN subdomains and bypassed traditional deny list methods before choosing a subdomain on Azure that incorporated the name of the targeted bank to add a layer of credibility.
The attacker used the Havoc Framework for this second stage, an advanced post-exploitation C2 framework that offers attackers tools to modify their strategy on the fly to overcome different challenges in the victim’s environment.
“Havoc’s ability to evade standard defenses, like Windows Defender, makes it a go-to option for threat actors, replacing legitimate toolkits such as Cobalt Strike, Sliver, and Brute Ratel,” Checkmarx said.
The second, unrelated, incident occurred in February 2023 at a separate bank. In this case, the threat actors uploaded a package to the NPM registry containing malicious code designed to blend into the website of the victim bank and lay dormant until triggered.
The attacker was found to have identified a unique element ID in the HTML of the login page and designed their code to latch onto a specific part of the login form, intercept the data, and transmit that to a remote location.
Teaching good cyber security behaviors with Seinfeld
Read this report to learn about overcoming the employee engagement challenge in security awareness training.
“Our rigorous scanning and tracking traced this element to a bank’s mobile login page, the prime target of this attack,” Checkmarx said.
Checkmarx said that due to the nature of modern threats, the traditional approach of relying on vulnerability scanning at the build level is “no longer adequate”.
With attacks predicted to continue, businesses have been advised to shift their strategies towards focusing on proactively securing every stage of the software development lifecycle.
The researchers at the security firm have been actively monitoring OSS attacks for some time. Earlier this year the firm alerted the industry to attacks on the PyPI repository.
In April additional attacks on the NPM registry were also spotted by the team. They saw the JavaScript package manager flooded causing sporadic denial of service.
“We anticipate a steady escalation in targeted attacks, including on banks,” Checkmarx said. “The need of the hour is to stay vigilant, continuously evolve our defenses, and stay a step ahead of the threat actors.
“Checkmarx Supply chain research team is tracking those attacks and will update on any further developments.”
