Sunday, October 1, 2023

Experts expect a wave of cyber attacks on the banking sector


Banks need to step up security to protect their customers’ data and money.

In recent months, two banks have been the target of attacks on the open source supply chain, the first of their kind.

According to analysts at Checkmarx, in separate campaigns in February and April, attackers uploaded packages containing malicious scripts to the open source software platform npm.

During one of the attacks, a hacker published several infected packages containing scripts that identified the victim's operating system. Depending on whether it was Windows, Linux or macOS, the script decoded the other encrypted files in the package. These files were then used to download malicious code to the target computer.

The attacker who uploaded the packages created a fake LinkedIn* page where he posed as an employee of the target bank. Because of this, Checkmarx researchers thought the bank might be doing penetration testing, but the bank said the uploaded npm packages were not related to the organization. The hacker also created individual command and control (C2) servers for each target.

In another incident, an attacker injected malicious code into an online banking login page. The payload showed that the cybercriminal had determined the unique identifier of an element in the login page's HTML code and written his own code to latch onto a specific login form element, stealthily intercepting and exfiltrating the login data.

The malicious packages were removed after they were discovered by researchers, but Checkmarx experts expect “a steady trend of attacks on the banking sector software supply chain.”

Previously, Checkmarx researchers uncovered a campaign in which cybercriminals found a way to inject their malicious code into npm packages without changing the source code. The hackers used AWS S3 buckets that had been abandoned by their owners and replaced the binaries needed for the packages to work.
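The abandoned-bucket technique works because a binary fetched at install time is not covered by the integrity hash of the package tarball. The following is an added example, not code from the article or from Checkmarx, that flags manifests combining an install hook with an S3 download location; the `binary.host` field (node-pre-gyp convention) and all package and bucket names are assumptions.

```javascript
// Added example, not from the article. Assumption: the package declares its
// prebuilt-binary download location in a node-pre-gyp style "binary.host" field.
const S3_HOST = /(^|\.)s3[.-][a-z0-9.-]*amazonaws\.com$/i;
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Return the bucket name for virtual-hosted or path-style S3 URLs, else null.
function s3Bucket(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return null; }
  const host = url.hostname.toLowerCase();
  if (!S3_HOST.test(host)) return null;
  const virtualHosted = host.match(/^(.+)\.s3[.-]/);
  if (virtualHosted) return virtualHosted[1];
  return url.pathname.split('/').filter(Boolean)[0] || null;
}

// Lockfile integrity hashes cover the npm tarball only. A binary fetched by an
// install hook from a bucket is outside that check, so it needs its own review.
function auditManifest(manifest) {
  const scripts = manifest.scripts || {};
  const installHooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string');
  const host = manifest.binary && manifest.binary.host;
  const bucket = typeof host === 'string' ? s3Bucket(host) : null;
  return { name: manifest.name, installHooks, bucket,
           needsReview: installHooks.length > 0 && bucket !== null };
}

function auditAll(manifests) {
  return manifests.map(auditManifest).filter((r) => r.needsReview);
}

// Constructed sample manifests (hypothetical package and bucket names).
const SAMPLES = [
  { name: 'native-addon-a',
    scripts: { install: 'node-pre-gyp install --fallback-to-build' },
    binary: { host: 'https://example-addon-bucket.s3.us-west-2.amazonaws.com' } },
  { name: 'pure-js-b', scripts: { test: 'node test.js' } },
  { name: 'native-addon-c',
    scripts: { install: 'node-pre-gyp install --fallback-to-build' },
    binary: { host: 'https://s3.amazonaws.com/example-path-bucket/releases' } },
  { name: 'native-addon-d',
    scripts: { postinstall: 'node fetch-binary.js' },
    binary: { host: 'https://downloads.example.org/bin' } },
];

for (const r of auditAll(SAMPLES)) {
  console.log(`${r.name}: hooks=${r.installHooks.join(',')} bucket=${r.bucket}`);
}
```

For each flagged package, confirm that the bucket is still owned by the maintainer and pin the downloaded binary to a known hash.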

Recall that the Russian information security company FACCT recently recorded attacks by the hacker group RedCurl, known for its activities in the field of commercial espionage and theft of corporate information. The detected attacks were directed at one of the main banks in Russia, which was subjected to cyberattacks twice: the first time using specialized phishing emails on behalf of a major Russian marketplace, and the second time through a bank contractor.

Earlier, we reported that in the first quarter of 2023, credit institutions prevented embezzlement of funds in the amount of 712 billion rubles, reflecting 2.7 million transactions without the consent of the client. 252.1 thousand attacks were successful, as a result of which 4.5 billion rubles were stolen. Most of the victims were individuals who lost money in 251.5 thousand cases. Corporate clients of banks were subjected to 655 attacks, while credit organizations themselves were not affected by the actions of hackers.


* The social network is prohibited on the territory of the Russian Federation.



Source link

www.securitylab.ru
