In two recent incidents, hackers attempted to introduce malware into the software development environment at two separate banks by using poisoned packages on the Node Package Manager (npm) registry.
Checkmarx researchers, who observed the attacks, believe that these are the first documented cases of threat actors targeting banks through the open source software supply chain. In a recent report, Checkmarx described these attacks as part of a larger trend where banks have become specific targets for cyberattacks.
According to Checkmarx, these attacks used advanced techniques, including attaching malicious functionality to specific components of the targeted bank's web assets.
One attack, which occurred in April, involved a threat actor posing as an employee of the target bank and uploading two malicious packages to the npm registry. Checkmarx researchers discovered a LinkedIn profile that suggested the package contributor worked at the target bank, leading them to initially assume that the packages were part of a penetration test conducted by the bank.
The malicious npm packages contained a preinstall script that ran automatically as soon as the package was installed on a developer's system. The script first identified the host operating system and then decrypted the encrypted file appropriate to that OS, with separate variants for Windows, Linux, and macOS. The decrypted file then downloaded a second-stage payload from an attacker-controlled command-and-control server.
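As an added illustration of the install-time hook described above (not code from the article or from Checkmarx), the Node script below audits package manifests for preinstall, install and postinstall scripts and flags those whose commands, or the local .js files they invoke, show OS branching, shell execution, blob decoding or remote fetches. The package names, file contents and signal patterns are constructed for the example.

```javascript
// Added example (not from the article or Checkmarx): flag npm packages whose
// install-time lifecycle scripts warrant manual review before installation.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Behaviours that deserve a human look inside an install hook: OS branching,
// shell execution, decoding/decrypting embedded blobs, and remote fetches.
const SIGNALS = {
  osDetection: /process\.platform|os\.platform\(|\buname\b/i,
  shellExec: /child_process|execSync|spawnSync|powershell|\bsh -c\b/i,
  decode: /base64|createDecipher|decrypt/i,
  network: /https?:\/\/|\bcurl\b|\bwget\b|fetch\(|https\.get/i,
};

// Text an install hook actually runs: the command itself plus any local .js
// file it invokes via "node <file>". `files` maps filename -> file content.
function hookBody(command, files) {
  const parts = [command];
  for (const m of command.matchAll(/\bnode\s+([\w.\/-]+\.js)/g)) {
    if (files[m[1]] !== undefined) parts.push(files[m[1]]);
  }
  return parts.join("\n");
}

// Audit one package.json: returns each install hook and the signals it matched.
function auditPackage(manifestJson, files = {}) {
  const pkg = JSON.parse(manifestJson);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] !== "string") continue;
    const body = hookBody(scripts[hook], files);
    const signals = Object.keys(SIGNALS).filter((k) => SIGNALS[k].test(body));
    findings.push({ hook, command: scripts[hook], signals });
  }
  const score = findings.reduce((n, f) => n + f.signals.length, 0);
  return { name: pkg.name, findings, score, review: score >= 2 };
}

// Constructed sample input (hypothetical names; not the real packages).
const BENIGN = JSON.stringify({ name: "tidy-utils", scripts: { test: "node test.js" } });
const HOOKED = JSON.stringify({ name: "bank-ui-helper", scripts: { preinstall: "node preinstall.js" } });
const HOOKED_FILES = {
  "preinstall.js": [
    "const os = require('os'); const { execSync } = require('child_process');",
    "const blob = os.platform() === 'win32' ? '<blob-win>' : '<blob-nix>';",
    "const stage2 = 'https://cdn.example-placeholder.invalid/stage2';",
    "const payload = Buffer.from(blob, 'base64');",
  ].join("\n"),
};
console.log(auditPackage(BENIGN).review, auditPackage(HOOKED, HOOKED_FILES));
```

Running `npm install --ignore-scripts` suppresses these hooks entirely, at the cost of breaking packages that legitimately need them, so an audit like this helps decide which packages to allow.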
To make the attack more credible and less likely to be detected, the threat actor cleverly used subdomains associated with Azure’s Content Delivery Network (CDN) to deliver the second-stage payload. This tactic bypassed traditional deny list methods due to Azure’s status as a legitimate service. Additionally, the threat actor used a subdomain that incorporated the name of the target bank, further enhancing the attack’s credibility.
Checkmarx’s research revealed the second-stage payload to be Havoc Framework, a popular open source penetration testing framework. Havoc has gained popularity among threat actors due to its ability to evade Windows Defender and other standard endpoint security controls.
Deploying the Havoc framework would have given the attacker access to the infected machine inside the bank’s network. The consequences of such access would be dependent on the bank’s defenses and the attacker’s abilities, potentially including data theft, money theft, or ransomware attacks.
In another attack reported by Checkmarx, which occurred in February, a separate threat actor uploaded a package containing a malicious payload to npm. Unlike the April attack, this package was engineered specifically for the targeted bank. It aimed to hook onto a specific login form element on the bank’s website, capturing and transmitting user-entered login information.
Both npm packages exhibited characteristics that made them specific not only to the banking industry but also to the targeted banks themselves. The attackers used falsified personas, crafted domains that included the bank's name, and other tactics to gain credibility and entice bank developers to download the packages. However, if a user unrelated to the bank had downloaded a malicious package, they would also have been infected.
Attacks involving poisoned packages on popular open source repositories and package managers, such as npm and PyPI, have been on the rise in recent years. A study conducted by ReversingLabs found a significant increase in attacks on open source repositories since 2018. These attacks aim to sneak malicious code into enterprise software development environments, with the goal of stealing sensitive data and credentials or installing malware.
The attacks reported by Checkmarx this week highlight the first known instances of banks being targeted specifically in these types of attacks. As cybercriminals continue to exploit vulnerabilities in open source software supply chains, it is crucial for organizations, especially those in the banking sector, to implement robust security measures to protect their software development environments.
