Threat Actors Target Banks Through Open Source Software Supply Chain
Introduction
In two recent incidents, threat actors attempted to introduce malware into the software development environments of two different banks via poisoned packages uploaded to the npm registry, the default package registry for Node.js. Checkmarx, whose researchers observed and analysed both attacks, describes them as the first known instances of banks being specifically targeted through the open source software supply chain. The incidents show how far targeted supply chain attacks have progressed and why the financial industry needs dependency controls that go beyond patching known vulnerabilities.
Advanced Techniques and Targeting
Checkmarx described the attacks as technically advanced: rather than dropping generic malware, the packages targeted specific components of the victim banks' web assets and attached malicious functionality to them. In April, a threat actor posing as an employee of a target bank uploaded two malicious packages to the npm registry. Checkmarx researchers found a LinkedIn profile associated with the package contributor, which at first suggested that the packages were part of a penetration test commissioned by the bank. Further analysis, however, pointed to genuinely malicious intent.
The malicious npm packages carried a preinstall script, one of the lifecycle hooks that npm runs automatically during installation, so the code executed as soon as a developer workstation or build machine installed the package, without anything from the package ever being imported by the application. The script first identified the host operating system and then decrypted the matching encrypted file bundled in the package. The decrypted code downloaded a second-stage payload from attacker-controlled command-and-control (C2) infrastructure, delivered through an Azure CDN subdomain. Because Azure CDN is a legitimate and widely used service, routing the download through it helped bypass conventional domain deny lists. To make the traffic look more credible and harder to spot, the threat actor chose a subdomain that incorporated the name of the target bank.
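As an added illustration (not code from the Checkmarx report, and not the code of the packages it describes), the following Node.js script shows what an install-script audit looks like in practice: it reads a package manifest, collects any install-time lifecycle hooks, scans the hook command together with the package files it references, and flags the building blocks an install-time dropper needs (OS fingerprinting, decoding or decrypting an embedded blob, spawning a process, fetching from a remote host). The package names, manifests and file contents are constructed for the example, and the indicator patterns are heuristics, not a signature for the real packages.

```javascript
// Added example, not code from the Checkmarx report or the packages it analysed.
// Audits an npm package for install-time lifecycle scripts and flags the
// behaviours an install-time dropper needs.

// Hooks npm runs when a package is installed from the registry (preinstall,
// install, postinstall) plus `prepare`, which also runs for git dependencies.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic indicators: fingerprinting the host OS, decoding or decrypting an
// embedded blob, spawning a process, and reaching out to a remote host.
const INDICATORS = {
  "os-fingerprint": /process\.platform|os\.platform\(|os\.type\(/,
  "decode-or-decrypt": /createDecipheriv\(|atob\(|Buffer\.from\([^)]*["'](?:base64|hex)["']\)/,
  "spawn-process": /child_process|execSync\(|execFile\(|spawn\(/,
  "remote-fetch": /https?:\/\/|fetch\(|https?\.get\(|\bcurl\s|\bwget\s/,
};

// Return the package files named on a hook command line, e.g. "node scripts/setup.js".
function referencedFiles(command, files) {
  return command.split(/\s+/).filter((tok) => Object.prototype.hasOwnProperty.call(files, tok));
}

// pkg = { manifest: <parsed package.json>, files: { <path>: <source text> } }
function auditPackage(pkg) {
  const scripts = (pkg.manifest && pkg.manifest.scripts) || {};
  const files = pkg.files || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (!Object.prototype.hasOwnProperty.call(scripts, hook)) continue;
    const command = String(scripts[hook]);
    // Scan the command line and every package file it points at.
    const corpus = [command, ...referencedFiles(command, files).map((f) => files[f])].join("\n");
    const indicators = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(corpus));
    findings.push({ hook, command, indicators });
  }
  // Any install hook deserves a human look; two or more indicators together is a block.
  let verdict = "clean";
  if (findings.length > 0) {
    verdict = findings.some((f) => f.indicators.length >= 2) ? "block" : "review";
  }
  return { name: pkg.manifest.name, version: pkg.manifest.version, verdict, findings };
}

function auditAll(pkgs) {
  return pkgs.map(auditPackage);
}

// Constructed sample packages (names, versions and file contents are invented).
const SAMPLE_PACKAGES = [
  { manifest: { name: "plain-utils", version: "1.0.0", scripts: { test: "node test.js" } }, files: {} },
  { manifest: { name: "native-addon", version: "2.1.0", scripts: { install: "node-gyp rebuild" } }, files: {} },
  {
    manifest: { name: "ui-form-helpers", version: "0.0.3", scripts: { preinstall: "node scripts/setup.js" } },
    files: {
      "scripts/setup.js": [
        "const cp = require('child_process');",
        "const crypto = require('crypto');",
        "const blob = process.platform === 'win32' ? WIN_BLOB : NIX_BLOB; // constructed stand-in",
        "const d = crypto.createDecipheriv('aes-256-cbc', KEY, IV);",
        "const stage2 = 'https://stage.example.invalid/payload';",
        "cp.execSync(d.update(blob, 'base64', 'utf8') + d.final('utf8'));",
      ].join("\n"),
    },
  },
];

for (const r of auditAll(SAMPLE_PACKAGES)) {
  const hooks = r.findings.map((f) => `${f.hook}[${f.indicators.join(",") || "none"}]`).join(" ");
  console.log(`${r.name}@${r.version}: ${r.verdict} ${hooks}`);
}
```

The point of the "review" verdict is that legitimate native add-ons also carry install hooks, so the presence of a hook alone is a signal to look, not to block; it is the combination of fingerprinting, decryption, process spawning and a remote fetch inside one preinstall step that matches the pattern described above.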
The second attack, observed earlier in February, involved a different threat actor who uploaded a package whose payload was built specifically for the targeted bank. The code targeted a particular HTML login form on the bank's website and captured and transmitted the credentials users entered into it.
Implications and Analysis
These incidents fit a broader trend: threat actors increasingly use the open source software supply chain as a way into organizations, abusing the trust developers place in public package registries. Attacks on open source repositories have surged 289% since 2018, according to a study by ReversingLabs.
The aim of such attacks is to slip malicious code into enterprise software development environments, where it can steal source code, secrets and credentials, install further malware, and provide a foothold for moving into internal networks. In the April attack, the second-stage payload was the Havoc Framework, an open-source command-and-control and post-exploitation toolkit; had it run on developer or build machines, it would have given the attackers remote access inside the banks' networks, with data theft, financial fraud, and ransomware among the possible consequences.
Editorial Opinion
The recent attacks on banks through the open source software supply chain emphasize the urgent need for stronger dependency governance and security practices in the financial industry. It is worth noting that neither attack exploited a vulnerability in an existing package; both relied on a newly published malicious package being installed, so conventional vulnerability management alone would not have caught them. Banks and other organizations must recognize the critical role that open source software plays in their development process and the risks that come with it. Mitigating those risks requires a multi-layered approach, including rigorous code review, supply chain monitoring, and secure development practices.
Open source software, while highly beneficial and widely used, is not without risk. Organizations need effective controls to detect and prevent the introduction of malicious code into their software development pipeline, with particular attention to the install step, where package lifecycle scripts run with the privileges of the developer or build agent. Financial institutions should also prioritize regular training and awareness programs so that developers understand these risks and the best practices for secure coding and dependency handling.
Advice for Banks and Organizations
To protect against supply chain attacks and mitigate the risk of compromised open source packages, organizations should consider the following measures:
1. Implement secure development practices:
Ensure that code repositories and development environments follow industry best practices for secure development: adhere to secure coding guidelines, conduct regular code reviews, and perform vulnerability assessments and penetration testing. Treat build and CI environments as production-grade infrastructure, since that is where install-time scripts from third-party packages execute.
2. Establish strong supply chain management:
Develop a comprehensive supply chain management strategy: vet new dependencies and new versions before adopting them, monitor upstream packages for maintainer or behaviour changes, pin dependencies with lockfiles and verify their integrity hashes, and build automated security checks into the build and deployment pipeline. Disabling install-time lifecycle scripts by default (npm's ignore-scripts setting) and allow-listing the few packages that genuinely need them removes the exact mechanism the April attack relied on.
3. Educate and train developers:
Provide regular training and awareness programs that cover supply chain risks, secure coding practices, and how to recognize suspicious packages or code: for example, brand-new packages with few downloads, names that closely resemble internal or popular packages, and install hooks that a library has no business needing.
4. Implement strong access controls:
Enforce strict access controls for code repositories and package registries, ensuring that only authorized personnel can make changes or publish packages, and require multi-factor authentication on those accounts. Regularly review and revoke access privileges as needed.
5. Stay up to date with security patches:
Stay vigilant for security updates and patches for both in-house and open source software components, and keep all systems and dependencies current. Note, however, that patching addresses known vulnerabilities in legitimate packages; it does nothing against a freshly published malicious package, which the measures above must catch.
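Measures 2 and 5 above, turned into a concrete gate: the added example below (not from the original article, the Checkmarx report, or npm's own tooling) checks a package-lock.json before npm ci runs in a build pipeline. It requires every dependency to be resolved from an approved registry host over HTTPS, to carry a sha512 integrity hash, and, where the lockfile records that the package has install scripts (npm's hasInstallScript field in lockfile versions 2 and 3), to appear on an explicit allow list. The lockfile contents, package names, hashes, allowed host list and allow list are constructed for the example.

```javascript
// Added example, not code from the Checkmarx report or from npm itself.
// A lockfile policy gate to run before `npm ci`: every dependency must come
// from an approved registry over HTTPS with a sha512 integrity hash, and any
// package the lockfile marks as having install scripts must be allow-listed.

const DEFAULT_POLICY = {
  // Add an internal registry proxy here if one is used (assumption, not a fixed value).
  allowedHosts: ["registry.npmjs.org"],
  // Packages whose install scripts have been reviewed (constructed example entry).
  allowedInstallScripts: new Set(["node_modules/esbuild"]),
};

// lock = parsed package-lock.json (lockfileVersion 2 or 3, which carry a `packages` map)
function checkLockfile(lock, policy = DEFAULT_POLICY) {
  const issues = [];
  if (!lock || !lock.packages || typeof lock.packages !== "object") {
    issues.push({ pkg: "", issue: "lockfile has no `packages` map (needs lockfileVersion 2 or 3)" });
    return { ok: false, issues };
  }
  for (const [path, entry] of Object.entries(lock.packages)) {
    // The root project, workspace symlinks and local workspace packages have no registry tarball.
    if (path === "" || entry.link || !path.includes("node_modules/")) continue;

    if (!entry.resolved) {
      issues.push({ pkg: path, issue: "no resolved URL" });
    } else {
      let host = "";
      try { host = new URL(entry.resolved).host; } catch (_) { /* not a URL at all */ }
      if (!entry.resolved.startsWith("https://") || !policy.allowedHosts.includes(host)) {
        issues.push({ pkg: path, issue: `resolved from unapproved source: ${entry.resolved}` });
      }
    }
    if (!entry.integrity) {
      issues.push({ pkg: path, issue: "no integrity hash" });
    } else if (!entry.integrity.startsWith("sha512-")) {
      issues.push({ pkg: path, issue: `weak integrity algorithm: ${entry.integrity.split("-")[0]}` });
    }
    // npm records `hasInstallScript: true` for packages with preinstall/install/postinstall hooks.
    if (entry.hasInstallScript && !policy.allowedInstallScripts.has(path)) {
      issues.push({ pkg: path, issue: "declares install scripts but is not on the allow list" });
    }
  }
  return { ok: issues.length === 0, issues };
}

// Constructed lockfile (package names, versions and hashes are invented stand-ins).
const SAMPLE_LOCK = {
  name: "online-banking-web",
  lockfileVersion: 3,
  requires: true,
  packages: {
    "": { name: "online-banking-web", version: "1.0.0" },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-CONSTRUCTED0",
    },
    "node_modules/esbuild": {
      version: "0.18.0",
      resolved: "https://registry.npmjs.org/esbuild/-/esbuild-0.18.0.tgz",
      integrity: "sha512-CONSTRUCTED1",
      hasInstallScript: true, // reviewed and allow-listed in DEFAULT_POLICY
    },
    "node_modules/ui-form-helpers": {
      version: "0.0.3",
      resolved: "https://registry.npmjs.org/ui-form-helpers/-/ui-form-helpers-0.0.3.tgz",
      integrity: "sha512-CONSTRUCTED2",
      hasInstallScript: true, // a brand-new package with a preinstall hook, not reviewed
    },
    "node_modules/legacy-widget": {
      version: "4.2.0",
      resolved: "https://cdn.example.invalid/legacy-widget-4.2.0.tgz", // off-registry, no hash
    },
    "node_modules/old-lib": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/old-lib/-/old-lib-1.0.0.tgz",
      integrity: "sha1-CONSTRUCTED3",
    },
    "node_modules/@app/shared": { resolved: "packages/shared", link: true },
  },
};

const result = checkLockfile(SAMPLE_LOCK);
console.log(result.ok ? "lockfile passes policy" : "lockfile rejected:");
for (const i of result.issues) console.log(`  ${i.pkg}: ${i.issue}`);
```

Run the gate in CI ahead of npm ci --ignore-scripts, then rebuild only the allow-listed packages explicitly (npm rebuild esbuild in this constructed case), so install hooks only ever execute for packages someone has reviewed. Setting ignore-scripts=true in the project's .npmrc gives developer workstations the same default, which is the environment the April packages were aimed at.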
Conclusion
The recent attacks on banks through the open source software supply chain underscore the need for heightened security measures and vigilance in the financial industry. As threat actors tailor their tactics to specific organizations, banks must invest in robust controls over their software development environments and dependencies in order to protect sensitive customer data. By adopting a proactive and layered approach to cybersecurity, financial institutions can reduce the risk of supply chain attacks and defend against evolving threats.