Cybersecurity researchers have unveiled the first-ever open-source software supply chain attacks targeting the banking sector, as detailed in a report from Checkmarx. The attackers demonstrated advanced methods, including targeting specific web components of victim banks by adding malicious functionality. They used deceptive measures such as creating fake LinkedIn profiles to appear legitimate and establishing bespoke command-and-control (C2) infrastructure for each victim, abusing genuine services for malicious purposes. In one attack, the assailant posed as a bank employee and uploaded malicious npm packages that would trigger a malware download from an Azure subdomain, bypassing standard denial lists because Azure domains are treated as legitimate. The malware used was Havoc, an open-source C2 framework that has attracted growing interest from malicious actors.
In a separate February 2023 attack on a different bank, a malicious npm package was uploaded that was designed to blend seamlessly into the bank’s website and remain undetected until it was activated to steal login data. Checkmarx emphasized the importance of supply chain security, noting that the damage is difficult to undo once a harmful open-source package enters the system. Meanwhile, the Russian-speaking cybercrime group RedCurl breached several entities, including a major Russian bank, siphoning off corporate secrets and employee data. Over the past several years, RedCurl has attacked numerous companies globally, predominantly in Russia. There is also an increasing trend of attacks on financial institutions using web-inject toolkits such as drIBAN to execute unauthorized transactions, sidestepping banks’ identity verification and anti-fraud systems.