In a recent report, Checkmarx researchers analyzed what they described as the first open source software supply chain attacks targeting the banking industry.
Two attacks were observed in the first half of the year. In both, the threat actors uploaded packages to NPM: the first package carried a payload designed to latch onto a login form and intercept the credentials entered into it, and the second carried a preinstall script that ran its payload the moment the package was installed. The attackers also used an advanced post-exploitation C2 framework that let them evade standard defensive tooling.
Checkmarx noted that the contributor behind these packages had a LinkedIn profile posing as an employee of the targeted bank. The researchers initially assumed the packages were part of the bank's own penetration testing exercise, but found they were not. The malicious packages were reported and have since been removed.
“Traditionally, organizations primarily focused on vulnerability scanning at the build level — a practice no longer adequate in the face of today’s advanced cyber threats. Once a malicious open-source package enters the pipeline, it’s essentially an instantaneous breach — rendering any subsequent countermeasures ineffective. This escalating gap underscores the urgency to shift our strategy from merely managing malicious packages to proactively preventing their infiltration,” Checkmarx researchers explained.
I have two comments on this. The first is from Ted Miracco, CEO, Approov Mobile Security:
“While open source reduces R&D costs and enables innovation, its decentralized nature makes it prime for exploitation by bad actors. As this recent attack on the banking industry highlights, most organizations today are dependent upon open source components, and an increasingly complex software supply chain. Businesses and especially financial institutions must vigilantly monitor for malicious packages entering their ecosystem by proactive scanning and reviewing all components and dependencies. The alternative is to just cross your fingers and hope vulnerabilities are found fast enough, which leaves the door open to corrupted code.”
And the second is from Dave Ratner, CEO, HYAS:
“Checkmarx is absolutely correct when they point out that this is just one more example to shift a security strategy from reactive to proactive. With advanced social engineering, and the wide use of cloud and open source in all sectors, infiltration via supply-chain attacks is becoming increasingly common and is far too difficult to detect with traditional mechanisms; nevertheless, knowledge of adversary infrastructure and what is and isn’t command-and-control (C2) can help provide the proactiveness that organizations require. A proper Protective DNS solution can detect the beaconing activity to C2 and ensure that these instantaneous breaches are rendered inert before the attack takes hold.”
Open source is often thought to solve every problem. It can solve many, but it is not risk free. Companies that choose to run their business on open source need to know the risks and mitigate them.