
First-ever Open-Source Software Supply Chain Attacks Targeting Banking Sector

Recent reporting by Checkmarx indicates that threat actors have begun turning open-source software supply chain attacks against the banking sector. Two distinct incidents have been identified, each involving a different threat actor and different tactics.

Many organizations run dependency and vulnerability scanning only during the development phase of the Software Development Life Cycle (SDLC). That is inadequate against the current threat: it says nothing about what a dependency does at install time or at runtime once it has been deployed, which is exactly where these attacks operate.

These are the first known instances of open-source software supply chain attacks explicitly targeting the banking sector.

First Incident in Banking Sector

The first incident, in early April 2023, involved a couple of npm packages developed and uploaded by the threat actor. Each package contained a preinstall script, which npm runs automatically on the developer's or build machine when the package is installed.

The package's contributor was linked to a LinkedIn profile that impersonated an employee of the targeted bank.

Spoofed Linkedin Profile (Source: Checkmarx)

Once the malicious package is installed and its preinstall script runs, the script first identifies the victim's operating system and uses that to decode the encrypted files relevant to that platform.

The decoded files are then used to download the second-stage malicious binary.

Furthermore, at the time of the analysis none of the engines on VirusTotal, the widely used multi-engine malware scanning service, flagged the Linux-specific second-stage binary.

This gave the threat actor a better chance of remaining undetected and completing the intrusion.

VirusTotal not detecting the malware (Source: Checkmarx)

In addition, the threat actor hosted the second stage on an Azure CDN subdomain (azureedge.net, per the indicators below) that incorporated the name of the targeted bank. This gave the attack a useful advantage: traffic to Azure domains is commonly allow-listed by corporate egress filtering, so a download from such a host is less likely to be blocked or questioned.

Finally, the attacker used the Havoc Framework for the second stage of the attack. Havoc, developed by @C5pider, is an open-source post-exploitation command-and-control framework that lets an operator manage, coordinate and adapt an intrusion after initial access.

Summary of the attack (Source: Checkmarx)

Second Incident

The second attack took place in February 2023, when a different bank was targeted by a different threat group unrelated to the April attack.

This attack also involved a carefully crafted npm package, designed to blend into the bank's login page and remain dormant until triggered.

Further investigation revealed that the payload waited for a specific element ID to appear in the HTML of the login page and then attached itself to that login form element. Staying inert until that element was present kept it from drawing attention while positioning it to intercept login data.

The element was later traced to a mobile login page of the bank, which turned out to be the threat actors' prime target.

Payload of the login form (Source: Checkmarx)
Summary of the attack (Source: Checkmarx)

Indicators of Compromise (SHA-256 file hashes and defanged URLs)

  • 4eb44e10dba583d06b060abe9f611499eee8eec8ca5b6d007ed9af40df87836d
  • d2ee7c0febc3e35690fa2840eb707e1c9f8a125fe515cc86a43ba485f5e716a7
  • f4a57a3b28c15376dbb8f6b4d68c8cb28e6ba9703027ac66cbb76ee0eb1cd0c9
  • 4e54c430206cd0cc57702ddbf980102b77da1c2f8d6d345093819d24c875e91a
  • 79c3d584ab186e29f0e20a67187ba132098d01c501515cfdef4265bbbd8cbcbf
  • hxxp[:]//*[:]azureedge[:]net/AnnyPhaedra.bin
  • hxxp[:]//*[:]azureedge[:]net/KellinaCordey.bin
  • hxxp[:]//*[:]azureedge[:]net/MidgeWileen.bin

Organizations should review their security measures and strengthen them against this kind of supply chain attack, paying particular attention to what third-party packages are permitted to do at install time.

Source: https://cybersecuritynews.com/first-ever-open-source-supply-chain-attack/
