OSS supply chain attacks targeting the banking sector
In the first half of 2023, Checkmarx's Supply Chain research team detected several open-source software supply chain attacks that specifically targeted the banking sector.
These attacks showcased advanced techniques, including targeting specific components of the victim bank's web assets by attaching malicious functionality to them.
The attackers employed deceptive tactics such as creating a fake LinkedIn profile to appear credible and customised command and control (C2) centres for each target, exploiting legitimate services for illicit activities.
According to the research, the malicious open-source packages have been reported by the Checkmarx team and removed. However, the researchers predict a persistent trend of attacks against the banking sector's software supply chain.
"Current controls aimed at detecting and managing known vulnerabilities fall short in countering these new attacks. Industry-wide collaboration is essential to strengthen our defences against these attacks," Checkmarx says.
"In the rapidly evolving landscape of cybersecurity, adaptability is not just desired, it's necessary for survival.
"The banking industry has recently become the target of a new type of cyber threat. For the first time ever, the industry was explicitly targeted by two distinct open-source software supply chain attacks."
Dissecting Attack Number One
On the 5th and 7th of April, a threat actor used the NPM platform to upload a couple of packages, each containing a preinstall script that carried out its malicious objective upon installation.
Employee Spoofing
Interestingly, the contributor behind these packages was linked to a LinkedIn profile page of an individual that was posing as an employee of the targeted bank. Our initial assumption was that this may be a penetration testing exercise by the bank. However, the response we received upon contacting the institution for clarification painted a different picture – the bank wasn't aware of this activity.
Multi-Stage Attack
The first stage of the attack involved the script identifying the victim's operating system: Windows, Linux, or Darwin (macOS). Then, based on the result, the script proceeded to decode the relevant encrypted files included in the NPM package.
Once decoded, these files served a single ominous purpose: downloading a second-stage malicious binary onto the victim's system.
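As an added illustration (not code from the Checkmarx report), the following Node.js audit flags the install-time traits described above in a package: a lifecycle hook that runs on install, per-OS branching, decoding of bundled blobs and spawning a process. The manifest and script text are constructed samples, not the real packages.

```javascript
// Lifecycle hooks that npm runs automatically during installation.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristics drawn from the first attack: OS detection, blob decoding,
// running a dropped binary, and reaching out to a remote host.
const INDICATORS = [
  { id: 'os-branching', re: /process\.platform|os\.platform\(\)|\bdarwin\b|\bwin32\b/ },
  { id: 'blob-decoding', re: /Buffer\.from\([^)]*['"](base64|hex)['"]\)|createDecipher/ },
  { id: 'process-spawn', re: /child_process|\bexec(Sync)?\(|\bspawn(Sync)?\(/ },
  { id: 'remote-fetch', re: /https?:\/\/[^\s'"]+/ },
];

// manifest: parsed package.json; scriptSources: { relativePath: fileContents }.
// Returns one finding per install-time hook, listing the indicators its script matched.
function auditPackage(manifest, scriptSources) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (!scripts[hook]) continue;
    const finding = { hook, command: scripts[hook], indicators: [] };
    // Resolve the file the hook invokes ("node setup.js" -> setup.js).
    const file = (scripts[hook].match(/node\s+(\S+)/) || [])[1];
    const src = file && scriptSources[file] ? scriptSources[file] : '';
    for (const ind of INDICATORS) if (ind.re.test(src)) finding.indicators.push(ind.id);
    findings.push(finding);
  }
  return findings;
}

// The three traits together are the multi-stage dropper pattern described above.
function riskLevel(findings) {
  const ids = new Set(findings.flatMap(f => f.indicators));
  if (ids.has('os-branching') && ids.has('blob-decoding') && ids.has('process-spawn')) return 'high';
  return findings.length ? 'review' : 'none';
}

// Constructed fixture resembling the described pattern (hypothetical package name).
const sampleManifest = { name: 'example-pkg', version: '1.0.0', scripts: { preinstall: 'node setup.js' } };
const sampleSources = {
  'setup.js': [
    "const os = require('os'); const cp = require('child_process');",
    "const blob = os.platform() === 'win32' ? WIN : os.platform() === 'darwin' ? MAC : LINUX;",
    "const bin = Buffer.from(blob, 'base64');",
    'cp.execSync(dropPath);',
  ].join('\n'),
};

console.log(riskLevel(auditPackage(sampleManifest, sampleSources))); // high
```

npm's `ignore-scripts` setting disables these hooks entirely at install time, which is a blunt but effective control where packages do not legitimately need them.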
Customised Malware to Remain Undetected
During the investigation, Checkmarx discovered that the Linux-specific encrypted file was not flagged as malicious by VirusTotal, a widely used online service for scanning files for known viruses. This allowed the attacker to maintain a covert presence on Linux systems, minimising the risk of detection, and increasing the probability of success.
Exploiting Legitimate Domains to Bypass Defense Mechanisms
The attacker cleverly utilised Azure's CDN subdomains to effectively deliver the second-stage payload. This tactic is particularly clever because it bypasses traditional deny list methods, due to Azure's status as a legitimate service.
The attacker went a step further, carefully choosing a subdomain on Azure that incorporated the name of the targeted bank. This move not only helped to remain undetected but also added a layer of credibility to the malicious package, thereby increasing the chances of a successful breach.
The Havoc Framework: An Attacker's Power Tool
The Havoc Framework was the attacker's tool of choice for the second stage of this attack. Crafted by @C5pider, this advanced post-exploitation command and control framework serves as a powerful arsenal for managing, coordinating and adapting attacks to changing situations and stringent security measures.
"Havoc's ability to evade standard defences, like Windows Defender, makes it a go-to option for threat actors, replacing legitimate toolkits such as Cobalt Strike, Sliver, and Brute Ratel," Checkmarx says.
Dissecting Attack Number Two: A Second Assault, Different Bank, Different Threat Actor
In February 2023, another bank found itself in the crosshairs of a different group of cybercriminals. Unrelated to the first incident, this attack implemented its own unique strategies and techniques, which were only picked up by Checkmarx's machine learning engines.
Hooking to the login page
The threat actors uploaded a package to NPM containing a masterfully crafted payload. This malicious code was meticulously designed to blend into the website of the victim bank and lay dormant until it was prompted to spring into action.
The payload revealed that the attacker had identified a unique element ID in the HTML of the login page and designed their code to latch onto a specific login form element, stealthily intercepting login data and then transmitting it to a remote location.
This code hooks itself to a specific login form element on the web page (Line 137) and sends the login data to a remote location (Line 140).
"Our rigorous scanning and tracking traced this element to a bank's mobile login page, the prime target of this attack," Checkmarx says.
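The hook described above only pays off if the injected script can send the captured credentials off-page. As an added example (not from the Checkmarx report), this Node.js check parses a login page's Content-Security-Policy header and reports whether it would leave those exfiltration channels open; the directive names are real CSP directives, while the header values and origins are constructed.

```javascript
// Parse "directive sources; directive sources" into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (!tokens.length) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Fetch directives fall back to default-src when absent; form-action does not.
function effectiveSources(policy, directive) {
  if (policy[directive]) return policy[directive];
  if (directive !== 'form-action' && policy['default-src']) return policy['default-src'];
  return null; // no restriction at all
}

// '*', a bare scheme such as https:, or a scheme-wide wildcard lets any host through.
function isWideOpen(sources) {
  return !sources || sources.some(s => s === '*' || /^https?:$/.test(s) || s === 'https://*');
}

// Returns a list of weaknesses relevant to a credential-stealing form hook.
function assessLoginPageCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const script = effectiveSources(policy, 'script-src');
  if (isWideOpen(script)) findings.push('script-src: any origin may run script');
  if (script && script.includes("'unsafe-inline'")) findings.push('script-src: inline script allowed');
  // The two channels an injected hook would use to transmit captured login data.
  if (isWideOpen(effectiveSources(policy, 'connect-src'))) findings.push('connect-src: fetch/XHR to any origin allowed');
  if (isWideOpen(effectiveSources(policy, 'form-action'))) findings.push('form-action: form may be submitted anywhere');
  return findings;
}

// Constructed headers: a permissive one and a hardened one (origins and nonce are placeholders).
const WEAK = "default-src 'self' https:; script-src 'self' 'unsafe-inline' https:";
const HARDENED = "default-src 'self'; script-src 'self' 'nonce-<per-response-value>'; " +
  "connect-src 'self' https://api.example-bank.test; form-action 'self'";

console.log(assessLoginPageCsp(WEAK));     // four findings
console.log(assessLoginPageCsp(HARDENED)); // []
```

Restricting img-src closes the remaining beaconing channel; CSP contains the damage from an injected hook but does not address a trusted dependency itself being malicious, which is the supply chain problem the rest of the article addresses.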
Shifting Gears in the Perception of Supply Chain Security
Supply chain security revolves around protecting the entire process of software creation and distribution, from the beginning stages of development to the delivery to the end user.
Traditionally, organisations primarily focused on vulnerability scanning at the build level, a practice no longer adequate in the face of today's advanced cyber threats. Once a malicious open-source package enters the pipeline, it's essentially an instantaneous breach, rendering any subsequent countermeasures ineffective. In other words, the damage is done.
"This escalating gap underscores the urgency to shift our strategy from merely managing malicious packages to proactively preventing their infiltration into our Software Development Lifecycle (SDLC) in the first place," Checkmarx says.
"In this context, it's paramount for organisations to realise that they cannot treat malicious packages the same way as regular vulnerabilities.
"They need to adopt a proactive, integrated security architecture, incorporating protective measures at every stage of the SDLC."
Checkmarx says it anticipates a steady escalation in targeted attacks, including on banks.
"Our primary intention is to shine a light on the Tactics, Techniques, and Procedures (TTP) we have observed and foster collective understanding and awareness of these emerging threats," the company says.
"The need of the hour is to stay vigilant, continuously evolve our defences, and stay a step ahead of the threat actors."