Rewterz Threat Alert – Banking Sector Targeted In Open-Source Software Supply Chain Attacks – Active IOCs

Severity

High

Analysis Summary

Cybersecurity researchers recently made a significant discovery, identifying what appears to be the first open-source software supply chain attacks specifically aimed at the banking sector. The attackers utilized advanced techniques, including focusing on specific components within the web assets of victim banks by attaching malicious functionalities to them. The published report highlighted the nature of these attacks.

The attackers employed deceptive tactics, including creating a fake LinkedIn profile to appear credible and customizing command-and-control (C2) centers for each target. By exploiting legitimate services, they managed to carry out their illicit activities effectively. The malicious npm packages used in these attacks were later reported and taken down, although their names were not disclosed. In the initial attack, the malware author posed as an employee of the target bank and uploaded packages to the npm registry in early April 2023. These packages contained a preinstall script that triggered the infection sequence. To deliver the second-stage payload, the attackers cleverly utilized Azure’s CDN subdomains, incorporating the name of the targeted bank to bypass traditional deny list methods. 

The second-stage payload, identified as Havoc, is an open-source command-and-control (C2) framework, which the attackers used to evade detection typically associated with the use of other tools like Cobalt Strike, Sliver, and Brute Ratel. 

In another unrelated attack detected in February 2023, targeting a different bank, the adversary uploaded a package to npm designed to blend into the bank’s website and intercept login data covertly. This data was then exfiltrated to an actor-controlled infrastructure.

The importance of supply chain security was highlighted, as once a malicious open-source package enters the software development pipeline, it can lead to an instantaneous breach, rendering subsequent countermeasures ineffective.

“Supply chain security revolves around protecting the entire process of software creation and distribution, from the beginning stages of development to the delivery to the end user.”, they added

Notably, the Russian-speaking cybercrime group RedCurl was involved in breaching a major Russian bank and an Australian company in November 2022 and May 2023, respectively. They carried out multiple attacks on companies from various countries, stealing corporate secrets and employee information through a sophisticated phishing campaign.

Financial institutions have also faced attacks using a web-inject toolkit called drIBAN, which alters legitimate banking transfers performed by users, diverting money to illegitimate accounts controlled by the attackers.

“This escalating gap underscores the urgency to shift our strategy from merely managing malicious packages to proactively preventing their infiltration into our Software Development Lifecycle (SDLC) in the first place.”

These incidents emphasize the critical need for enhanced cybersecurity measures, collaboration between developers, researchers, and organizations, and constant vigilance to protect against emerging threats in the ever-evolving cyber landscape.

Impact

• Security Bypass
• Unauthorized Access
• Reputational Damage

Indicators of Compromise

MD5

• 58a4f9eed576b9bc14e1a06afd52f00e
• 031e48ff1c1c14c73e961773ef32823c
• 5a789786e5996cfdceb8866993b02fd2
• 494bd8c8d2fbdbbb53855cc1a533a1ef
• 087cf30324aae7397d95df39895c521a

SHA-256

• 4eb44e10dba583d06b060abe9f611499eee8eec8ca5b6d007ed9af40df87836d
• d2ee7c0febc3e35690fa2840eb707e1c9f8a125fe515cc86a43ba485f5e716a7
• f4a57a3b28c15376dbb8f6b4d68c8cb28e6ba9703027ac66cbb76ee0eb1cd0c9
• 4e54c430206cd0cc57702ddbf980102b77da1c2f8d6d345093819d24c875e91a
• 79c3d584ab186e29f0e20a67187ba132098d01c501515cfdef4265bbbd8cbcbf

SHA-1

• 921c5c8d5dd416ae69d880b1af9eb52d6c3ab1db
• 7700cf0e7761cbefa40fdfb84dde29bfa4061173
• 626e4db197fb18f8d67ceba5014d28deb54afa75
• 0f6a8dd9c9651ff94f45d916a3a20d210dc3747c
• 5306353bb71410ab2fef5e76805b669e2636040d

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Conduct thorough code reviews and dependency analysis to identify and scrutinize all third-party dependencies, including open-source packages. Regularly update and patch these dependencies to mitigate known vulnerabilities.
• Implement a secure Software Development Lifecycle (SDLC) process that incorporates security checks at each stage of software development. This includes secure coding practices, code reviews, and security testing before deployment.
• Enforce the use of two-factor authentication for all employees, especially those with access to critical systems or repositories. This reduces the risk of unauthorized access even if credentials are compromised.
• Ensure the integrity of the software supply chain by verifying the authenticity of packages and repositories. Use digital signatures or checksums to validate software components during installation