As reported by Checkmarx, the attackers used malicious packages uploaded to NPM (no shock there). The campaign included some very specific items that allowed the group to focus their efforts on particular banks. These tactics included social engineering steps like creating fake LinkedIn profiles and posing as employees of the targeted bank. This made the malicious packages in NPM more likely to be downloaded and used by the target. Inside the package was a preinstall script that began the infection process.
Once the script ran, it identified the OS on the host and then downloaded the second-stage payload for that platform. To get around any potential URL checking, the threat group used Azure subdomains that included the name of the targeted bank. The payload used here is not the usual Cobalt Strike but a new payload dubbed Havoc. Havoc has seen increased interest from threat groups because it is not one of the more commonly hunted payloads and might slip past rules and detection sets written specifically for payloads like Cobalt Strike. Once Havoc is installed, the C2 framework is in place.
Banks, mortgage companies, and other financial institutions are coming under increasing attack. The vectors differ for each vertical inside the financial industry, but the effects are the same. Threat groups are increasing their focus on the supply chain and on edge devices while keeping up the pressure on the endpoint and user vectors, and the combined pressure is more than these organizations can keep up with. This comes at a time when cybersecurity spending and staffing are being cut due to economic factors. Companies need to remain focused on cybersecurity, especially in a down economy. As Checkmarx put it: “In the rapidly evolving landscape of cybersecurity, adaptability is not just desired - it’s necessary for survival. The banking industry has recently become the target of a new type of cyber threat. For the first time ever, the industry was explicitly targeted by two distinct open-source software supply chain attacks.”
Most people following the ripples in the threat landscape know that there must be a shift in how cybersecurity is handled. It cannot be business as usual with pen tests, general vulnerability scans, and EDR. The change must be more complete and cover the entire software and machine lifecycle. If an organization develops or maintains its own software, it needs extra steps to proactively prevent supply chain attacks from entering its own development cycle. If you are buying software or paying someone else to do these tasks, you need to ensure those companies provide you with evidence that they follow these practices as well (SBOM documentation, for example).
The key to protecting against this attack-on-all-sides strategy that threat groups are using is adaptability and proper resourcing. Being inflexible and under-resourced is a great way to remain open to attack and to keep contributing to the already target-rich environment that attackers enjoy.
Stay safe out there.