Cyber Crime

Experts warn of OSS supply chain attacks against the banking sector

Checkmark researchers have uncovered the first known targeted OSS supply chain attacks against the banking sector.

In the first half of 2023, Checkmarx researchers detected multiple open-source software supply chain attacks aimed at the banking sector. These attacks targeted specific components in web assets used by banks, according to the experts the attackers used advanced techniques.

“On the 5th and 7th of April, a threat actor leveraged the NPM platform to upload a couple of packages containing within them a preinstall script that executed its malicious objective upon installation.” reads the report published by Checkmarx.

The attackers created fake LinkedIn profiles to get in touch with the victims’ employees and used for each target a specific C2. The experts noticed that the contributor behind the malicious packages was linked to a LinkedIn profile page of an individual that was posing as an employee of the victim.

The two malicious npm packages employed in the April 2023 attacks included a preinstall script used to activate the multi-stage attack chain. In the first stage, the script determined the host operating system (Windows, Linux, or macOS) and downloaded the second-stage malware from a remote server by using Azure’s CDN subdomain that include the name of the bank in question.

The use of Azure’s CDN subdomains allows attackers to avoid detection and bypass traditional deny list methods.

The second-stage payload is the Havoc Framework, is provided post-exploitation capabilities like other more popular hacking tools, including Cobalt Strike, Sliver, and Brute Ratel.

In a second attack observed by the company in February 2023, threat actors targeted a different bank. The attackers uploaded a malicious npm package that contained a masterfully crafted payload designed to blend into the website of the victim bank and lay dormant until it was prompted to spring into action.”

“The payload revealed that the attacker had identified a unique element ID in the HTML of the login page and designed their code to latch onto a specific login form element, stealthily intercepting login data and then transmitting it to a remote location.” continues the report.

The experts believe that the two attacks are not linked, the npm packages have been reported and subsequently removed. The names of these packages were not revealed.

Checkmarx believes that we will observe a steady escalation in such kinds of targeted attacks, including on banks. 

The report published by Checkmarx includes indicators of compromise (IoCs) for these attacks.

Follow me on Twitter: @securityaffairs Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, supply chain attack)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

US and allied Governments’ Recommendations: Securing Network Devices Against Russian APT Groups

US and allies warn of Russian APT groups targeting routers and network devices to compromise…

4 hours ago

Chaotic Eclipse Unveils LegacyHive Exploit Affecting Fully Patched Windows Systems

LegacyHive PoC exposes a Windows Privilege Escalation flaw affecting fully patched Windows desktop and server…

6 hours ago

AsyncAPI npm Supply Chain Attack: Malware Injected Into Packages With 2 Million Weekly Downloads

AsyncAPI npm packages with 2M weekly downloads were compromised, spreading malware with info-stealing, crypto-theft and…

11 hours ago

U.S. CISA adds SonicWall and Microsoft flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds SonicWall and Microsoft flaws to its Known…

12 hours ago

SonicWall warns of active exploitation of two SMA 1000 zero-days

SonicWall warns of active attacks exploiting two SMA 1000 zero-days, including a flaw enabling arbitrary…

15 hours ago

Patch Tuesday security updates for July 2026, the largest update ever. 621 CVEs in one month

Patch Tuesday: Microsoft fixes a record 621 CVEs, including 2 exploited zero-days and critical flaws…

1 day ago

This website uses cookies.