Introduction
In a significant development in the cybersecurity landscape, the banking sector has recently been the target of two distinct open-source software (OSS) supply chain attacks. These attacks, detected by Checkmarx’s Supply Chain research team in the first half of 2023, have showcased advanced techniques and deceptive tactics, including the use of fake LinkedIn profiles and customized command and control (C2) centers for each target. This blog post provides a detailed overview of these attacks, their implications, and the need for industry-wide collaboration to strengthen defenses against such threats.
Attack Number One
On April 5th and 7th, 2023, a threat actor uploaded packages to npm that carried a preinstall script, so the malicious logic ran automatically during `npm install`, before any of the package's code was ever imported by the developer. The npm account behind the packages was linked to a LinkedIn profile of an individual posing as an employee of the targeted bank, giving the packages a plausible internal origin. The attack ran in several stages: the script identified the victim's operating system, decoded encrypted files bundled in the package, and downloaded a second-stage binary onto the victim's system.
The second stage was hosted on Azure CDN subdomains (azureedge.net). Because that domain carries large volumes of legitimate traffic, blocking it wholesale is rarely an option, so a plain domain deny list does not stop the download. The binary was a Havoc Framework agent; Havoc is an open-source post-exploitation command and control framework, giving the attacker an interactive foothold on the infected developer machine.
Attack Number Two
In February 2023, a different bank was targeted by a separate group of cybercriminals. The threat actors uploaded a package to npm whose payload was built to blend into the victim bank's website and lie dormant until triggered. Once active, it attached itself to a specific login form element, silently captured the login data as users entered it, and transmitted it to a remote location.
Shifting Gears in the Perception of Supply Chain Security
These attacks underscore the need to move from reacting to malicious packages once they are discovered to preventing them from entering the Software Development Lifecycle (SDLC) in the first place. Organizations need a proactive, integrated security architecture, with protective measures at every stage of the SDLC rather than a single scan at the end.
Conclusion
We anticipate a steady escalation of targeted attacks of this kind, with banks among the targets. Defenders need to stay vigilant, keep evolving their controls, and stay a step ahead of the threat actors.
Indicators of Compromise (IOCs)
SHA-256 hashes:
- 4eb44e10dba583d06b060abe9f611499eee8eec8ca5b6d007ed9af40df87836d
- d2ee7c0febc3e35690fa2840eb707e1c9f8a125fe515cc86a43ba485f5e716a7
- f4a57a3b28c15376dbb8f6b4d68c8cb28e6ba9703027ac66cbb76ee0eb1cd0c9
- 4e54c430206cd0cc57702ddbf980102b77da1c2f8d6d345093819d24c875e91a
- 79c3d584ab186e29f0e20a67187ba132098d01c501515cfdef4265bbbd8cbcbf
Second-stage payload URLs (defanged):
- hxxp[:]//*.azureedge[.]net/AnnyPhaedra.bin
- hxxp[:]//*.azureedge[.]net/KellinaCordey.bin
- hxxp[:]//*.azureedge[.]net/MidgeWileen.bin
MITRE ATT&CK TTPs
The relevant MITRE ATT&CK techniques for these attacks include:
- T1585.001: Establish Accounts: Social Media Accounts: the attackers created fake LinkedIn profiles posing as employees of the targeted bank to make their packages look legitimate.
- T1608.001: Stage Capabilities: Upload Malware: the malicious packages were published to the public npm registry, where any developer could install them.
- T1195.002: Supply Chain Compromise: Compromise Software Supply Chain: the packages reached victims through ordinary dependency installation rather than through any exploit.
- T1059: Command and Scripting Interpreter: the preinstall hook ran the attackers' script during package installation, and the second attack's payload ran as script inside the bank's web pages.
- T1082: System Information Discovery: the preinstall script identified the victim's operating system before fetching the second stage.
- T1140: Deobfuscate/Decode Files or Information: the encrypted files bundled in the package were decoded on the victim's system.
- T1105: Ingress Tool Transfer: the second-stage binary was downloaded onto the victim's system.
- T1071.001: Application Layer Protocol: Web Protocols: the second stage was fetched over HTTP(S) from Azure CDN subdomains, where it blends in with legitimate traffic.
- T1056.003: Input Capture: Web Portal Capture: in the second attack, the payload hooked a login form element and captured credentials as users entered them, then sent them to a remote location.