Banking Sector Witnesses First-Ever OSS Supply Chain Attack

Unveiling the first incident

• The first attack took place between April 5 and April 7, wherein a threat actor posed as an employee of the target bank and uploaded a couple of malicious packages containing pre-installed scripts onto the NPM registry. To avoid suspicion, the attacker had also created a fake LinkedIn page for the purported bank employee.
• Once executed, the script determined the type of OS (Windows, Linux, or macOS) used on the victim’s system and proceeded to download second-stage malware from a remote server by using a subdomain on Azure that incorporated the name of the target bank. 
• Furthermore, the attacker leveraged an advanced post-exploitation tool, the Havoc framework, to evade defenses, such as Windows Defender, in the second stage of the attack. 

About the second incident

• In the second attack detected in February, the adversary added malicious code to an NPM package meant to blend into the website of the victim bank and lay dormant until it was prompted to spring into action.
• The malicious code was specifically designed to covertly intercept login data and exfiltrate the details to an actor-controlled infrastructure. 

What does this indicate?

• Traditionally, organizations primarily focused on scanning for vulnerabilities when packages reached the building level in the Software Development Lifecycle (SDLC). However, these practices are not enough in the face of today’s advanced cyber threats.
• As threat actors evolve their attack tactics to launch software supply chain attacks, it’s paramount for organizations to realize that they need to shift to proactive strategies to prevent malicious packages from entering the SDLC in the first place. 
• They need to proactively adopt new protective measures and integrate security architecture to prevent infiltration at every stage of the lifecycle. 

Conclusion