Checkmarx has uncovered a new and sophisticated cyber threat targeting the banking sector.
The research team uncovered two distinct open-source software supply chain attacks targeting financial institutions. These attacks, which involved advanced techniques and deceptive tactics, have raised alarm bells among cybersecurity experts.
The first attack occurred during April, 2023 when a threat actor exploited the NPM platform, uploading packages with a preinstall script designed to execute malicious activities upon installation. The contributor behind these packages was linked to a fake LinkedIn profile posing as an employee of the targeted bank. The bank, unaware of the activity, quickly became a victim.
The multi-stage attack involved identifying the victim’s operating system and decoding encrypted files within the NPM package to download a second-stage malicious binary onto the victim’s system. The Linux-specific encrypted file escaped detection by widely-used antivirus services, allowing the attacker to maintain a covert presence on Linux systems.
The Havoc Framework, a powerful post-exploitation command and control tool, played a key role in evading detection. The attacker cleverly used Azure’s CDN subdomains to deliver the second-stage payload—exploiting legitimate domains to bypass traditional defense mechanisms.
The second attack In February 2023, a different group of cybercriminals targeted another bank with a distinct approach. This attack involved uploading a package to NPM containing a carefully crafted payload that blended into the victim bank’s website. The malicious code lay dormant, intercepting login data and transmitting it to a remote location when activated.
These attacks have underscored the inadequacy of traditional vulnerability scanning at the build level. Once a malicious open-source package enters the software development pipeline, it becomes an instant breach, rendering subsequent countermeasures ineffective.
To bolster defenses against these evolving threats, industry-wide collaboration, and proactive security measures throughout the SDLC are essential. Organisations must differentiate between regular vulnerabilities and malicious packages and adopt integrated security architectures to prevent infiltrations proactively.