Experts warn of OSS supply chain attacks against the banking sector

9 months ago AndyC

Checkmark researchers have uncovered the first known targeted OSS supply chain attacks against the banking sector.
In the first half of 2023, Checkmarx researchers detected multiple open-source software supply chain attacks aimed at the banking sector.

Experts warn of OSS supply chain attacks against the banking sector

Checkmark researchers have uncovered the first known targeted OSS supply chain attacks against the banking sector.

In the first half of 2023, Checkmarx researchers detected multiple open-source software supply chain attacks aimed at the banking sector. These attacks targeted specific components in web assets used by banks, according to the experts the attackers used advanced techniques.

“On the 5th and 7th of April, a threat actor leveraged the NPM platform to upload a couple of packages containing within them a preinstall script that executed its malicious objective upon installation.” reads the report published by Checkmarx.

The attackers created fake LinkedIn profiles to get in touch with the victims’ employees and used for each target a specific C2. The experts noticed that the contributor behind the malicious packages was linked to a LinkedIn profile page of an individual that was posing as an employee of the victim.

The two malicious npm packages employed in the April 2023 attacks included a preinstall script used to activate the multi-stage attack chain. In the first stage, the script determined the host operating system (Windows, Linux, or macOS) and downloaded the second-stage malware from a remote server by using Azure’s CDN subdomain that include the name of the bank in question.

The use of Azure’s CDN subdomains allows attackers to avoid detection and bypass traditional deny list methods.

The second-stage payload is the Havoc Framework, is provided post-exploitation capabilities like other more popular hacking tools, including Cobalt Strike, Sliver, and Brute Ratel.

supply chain attack banking sector

In a second attack observed by the company in February 2023, threat actors targeted a different bank. The attackers uploaded a malicious npm package that contained a masterfully crafted payload designed to blend into the website of the victim bank and lay dormant until it was prompted to spring into action.”

“The payload revealed that the attacker had identified a unique element ID in the HTML of the login page and designed their code to latch onto a specific login form element, stealthily intercepting login data and then transmitting it to a remote location.” continues the report.

supply chain attack banking sector 2

The experts believe that the two attacks are not linked, the npm packages have been reported and subsequently removed. The names of these packages were not revealed.

Checkmarx believes that we will observe a steady escalation in such kinds of targeted attacks, including on banks. 

The report published by Checkmarx includes indicators of compromise (IoCs) for these attacks.

Follow me on Twitter: @securityaffairs Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, supply chain attack)



About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , , , , , , , , , , , , ,

More Stories

Friday Squid Blogging: Searching for the Colossal Squid

9 hours ago AndyC
Experts warn of malware campaign targeting WP-Automatic plugin

Experts warn of malware campaign targeting WP-Automatic plugin

15 hours ago AndyC
Cryptocurrencies and cybercrime: A critical intermingling

Cryptocurrencies and cybercrime: A critical intermingling

21 hours ago AndyC
Kaiser Permanente data breach may have impacted 13.4 million patients

Kaiser Permanente data breach may have impacted 13.4 million patients

21 hours ago AndyC
+1,400 CrushFTP servers vulnerable to CVE-2024-4040

+1,400 CrushFTP servers vulnerable to CVE-2024-4040

21 hours ago AndyC

Long Article on GM Spying on Its Cars’ Drivers

21 hours ago AndyC

You may have missed

Bogus npm Packages Used to Trick Software Developers into Installing Malware

Bogus npm Packages Used to Trick Software Developers into Installing Malware

3 hours ago AndyC

Friday Squid Blogging: Searching for the Colossal Squid

9 hours ago AndyC
Showcasing Artwork by Max for Autism Awareness Month

Showcasing Artwork by Max for Autism Awareness Month

9 hours ago AndyC

How to Remove Personal Information From Data Broker Sites

15 hours ago AndyC
Experts warn of malware campaign targeting WP-Automatic plugin

Experts warn of malware campaign targeting WP-Automatic plugin

15 hours ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.