Open-source supply chain attacks expand to the banking sector
Two banks have been targeted by open-source software supply chain attacks in recent months in what researchers are calling the first such incidents of their kind.
In separate operations in February and April, the perpetrators uploaded packages carrying malicious scripts to the npm open-source software platform, analysts at Checkmarx said.
In one attack, a hacker posted several infected packages containing scripts that identified the victim’s operating system. Depending on whether it was Windows, Linux, or macOS, the script decoded other encrypted files in the package.
Those files were then used to download malicious code onto the targeted computer. The attacker who uploaded the packages created a fake LinkedIn page on which they posed as an employee of the targeted bank. Because of this, Checkmarx researchers initially thought the bank might be conducting penetration testing, but when they contacted the bank, it was unaware of the packages.
The hackers also set up customized command-and-control infrastructure for each target.
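The traits described above (a script that runs when the package is installed, branches on the operating system, and decodes files bundled inside the package) are visible in the package contents before anything executes, which is where a defender can catch them. The following is an added example, not code from the article, from Checkmarx, or from the packages involved: a small Node.js audit that reads a package's `package.json` and source files and flags install-time lifecycle hooks, OS fingerprinting, runtime decoding, large encoded blobs and subprocess execution. The package names and file contents are constructed for illustration, and the heuristics are intentionally coarse.

```javascript
// Added example: a static pre-install audit of an npm package's contents.
// It flags the traits the article describes (install-time lifecycle hooks,
// OS branching, and encoded blobs decoded at install time) so a reviewer
// can look before `npm install` runs anything. Heuristic only; the package
// layout and sample contents below are constructed for illustration.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// A long run of base64 alphabet is far more likely to be an embedded payload
// than a legitimate short token such as a hash or key id.
const BASE64_BLOB = /[A-Za-z0-9+/]{200,}={0,2}/;

// Scripts that npm runs automatically during install deserve the closest look.
function auditScripts(pkg) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) {
      findings.push(`lifecycle hook "${hook}" runs: ${scripts[hook]}`);
    }
  }
  return findings;
}

// Per-file checks for the behaviours a loader stage typically needs.
function auditSource(name, text) {
  const findings = [];
  if (/process\.platform|os\.platform\(\)|os\.type\(\)/.test(text)) {
    findings.push(`${name}: branches on operating system`);
  }
  if (/Buffer\.from\([^)]*['"]base64['"]\)|atob\(/.test(text)) {
    findings.push(`${name}: decodes base64 at runtime`);
  }
  if (/createDecipheriv\(/.test(text)) {
    findings.push(`${name}: decrypts embedded data at runtime`);
  }
  if (BASE64_BLOB.test(text)) {
    findings.push(`${name}: contains a large encoded blob`);
  }
  if (/child_process|execSync\(|spawn\(/.test(text)) {
    findings.push(`${name}: spawns a subprocess`);
  }
  return findings;
}

// Combine the signals. The article's pattern is: something runs at install
// time AND the code both fingerprints the OS and decodes hidden content.
function auditPackage(pkg, files) {
  const findings = auditScripts(pkg);
  for (const [name, text] of Object.entries(files)) {
    findings.push(...auditSource(name, text));
  }
  const installTime = findings.some((f) => f.startsWith('lifecycle hook'));
  const osBranch = findings.some((f) => f.includes('operating system'));
  const decodes = findings.some((f) => /decodes|decrypts|encoded blob/.test(f));
  return { findings, highRisk: installTime && osBranch && decodes };
}

// --- Constructed sample resembling the described loader (placeholder name) ---
const SUSPICIOUS_PKG = {
  name: 'example-internal-utils',
  version: '1.0.0',
  scripts: { postinstall: 'node setup.js' },
};
const SUSPICIOUS_FILES = {
  'setup.js': [
    "const fs = require('fs');",
    "const stage = process.platform === 'win32' ? 'a.dat' : 'b.dat';",
    "const blob = fs.readFileSync(stage, 'utf8');",
    "const code = Buffer.from(blob, 'base64').toString();",
    "require('child_process').execSync(code);",
  ].join('\n'),
  'a.dat': 'QUJD'.repeat(100), // constructed filler standing in for an encoded payload
};

// --- Constructed benign package for contrast: no hooks, no branching, no decoding ---
const BENIGN_PKG = { name: 'example-pad', version: '1.0.0', scripts: { test: 'node test.js' } };
const BENIGN_FILES = { 'index.js': 'module.exports = (s, n) => s.padStart(n);' };

console.log(JSON.stringify(auditPackage(SUSPICIOUS_PKG, SUSPICIOUS_FILES), null, 2));
console.log(JSON.stringify(auditPackage(BENIGN_PKG, BENIGN_FILES), null, 2));
```

Running a check like this against an unpacked tarball (`npm pack` followed by extraction) before installation is cheap, and `npm install --ignore-scripts` stops lifecycle hooks from running at all while a package is being reviewed. The regexes here will produce false positives on legitimate cross-platform build tooling; the point is to surface the install-time combination for a human decision, not to block automatically.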
In the other incident, hackers targeted the login page of a bank, where they planted malicious code that “lay dormant until it was prompted to spring into action.”
“The payload revealed that the attacker had identified a unique element ID in the HTML of the login page and designed their code to latch onto a specific login form element, stealthily intercepting login data and then transmitting it to a remote location,” the researchers wrote.
The malicious packages were removed after their discovery by researchers, but Checkmarx said it expects “a persistent trend of attacks against the banking sector’s software supply chain to continue.”
Concerns about the safety of open-source software have been at the fore in recent months. Earlier this year, the House Homeland Security Committee approved the Securing Open Source Software Act, which directs the Cybersecurity and Infrastructure Security Agency to ensure that open-source software used by the government and critical infrastructure entities is safe.
The bill was crafted in response to a vulnerability in Log4j, a popular open-source logging tool whose exploitation wreaked havoc worldwide.
James Reddick has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.