
Securing the Software Supply Chain in the Banking Sector

Banks need to be aware of the threats of open source software-based cyberattacks

The banking sector has always faced unique challenges due to the sensitive nature of financial data and the constant threat of cyberattacks. Of late, there have been reports of emerging open-source software supply chain attacks specifically targeting banks, highlighting the need for more comprehensive security measures.

Before getting into the details, let’s look at what these open-source software packages are and how they are used to distribute third-party software and libraries. Such packages are fetched from external repositories through package managers or installer programs. In this age of open source, one of the risks this model presents is the infiltration of malicious packages.

A malicious package can be disguised as legitimate software, containing malware designed to compromise software systems. Once a malicious package infiltrates a system, it can execute a range of malicious commands, such as stealing sensitive data, disabling security software, modifying or deleting files, and gaining unauthorized access to systems or networks.

What’s been happening lately?

The recently reported attacks employed advanced techniques, including targeting specific components in web assets of victim banks and using deceptive tactics to appear credible and evade detection. In one such instance, the hacker posed as an employee of the targeted bank and uploaded malicious packages to a popular software registry for JavaScript packages. 

The packages contained a pre-install script that activated the infection sequence. To further deceive their targets, the hacker created a fake LinkedIn profile to appear more credible. Once launched, the script determined the host operating system and downloaded second-stage malware from a remote server using a subdomain on Azure, a legitimate service. The second-stage payload, known as Havoc, is an open-source command-and-control framework used to evade detection.

Another attack involved the upload of a meticulously designed package to npm, which blended into the victim bank’s website and remained dormant until triggered. This package covertly intercepted login data and exfiltrated the information to an actor-controlled infrastructure.

Popular Vectors for Malicious Packages

Malicious packages can exploit various vectors to infiltrate software systems. It is crucial for organizations to understand these vectors and implement proactive measures to defend against them. Here are a few examples: 

  • Brand-jacking: Brand-jacking occurs when an attacker assumes the online identity of a legitimate package owner. By impersonating a trusted source, attackers can distribute malicious packages that appear legitimate.
  • Typo-squatting: Typo-squatting involves publishing a malicious package with a name similar to a popular package. The attacker relies on users unintentionally fetching the malicious version due to typographical errors or misspellings.
  • Dependency Hijacking and Dependency Confusion: These attacks exploit the substitution of malicious packages for legitimate versions. Attackers take advantage of weaknesses in package management systems (for example, a public package that shadows a private, internally scoped one) to inject malicious code into software dependencies.

Protecting against malicious packages 

Given the critical importance of securing the software supply chain, organizations in the banking sector must adopt proactive measures to mitigate the risks associated with malicious packages. Here are three key strategies to consider:

  • Validate the Libraries You Download: Before installing any software package, it is essential to validate its reputation and trustworthiness. Look for signs of fake accounts or impersonations, and verify the legitimacy of the package’s source. Conduct thorough research and check community activity, security history, and project owner reputation to identify potential red flags.
  • Review Package Ownership and Maintenance: Exercise caution when using packages that have recently changed maintainers, as this could indicate a potential security risk. Be wary of significant changes in functionality between different versions of a package, as these changes may indicate the introduction of malicious code.
  • Use NPM Security Tools: Leverage the security tools provided by npm, such as the npm audit and npm shrinkwrap commands. These tools can help prevent the installation of malicious packages by identifying and alerting developers to potential vulnerabilities or security issues.
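The checks above (install-time scripts like the preinstall hook in the reported attack, typo-squatted names, and internally scoped packages resolved from the public registry) can be automated over the records in a package-lock.json. The following is an added example, not code from the article or any vendor tool; the internal scope, registry URL, allowlist and package records are constructed assumptions.

```javascript
// Added example (not from the article): defender-side checks over npm
// lockfile-style package records for the three problems the text describes.
// All package names, registry URLs and versions below are constructed.
// Lifecycle hooks npm runs automatically on install; the attack described
// above started its infection chain from a preinstall script.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Assumed internal scope and the private registry it must resolve from;
// a scoped package resolved from the public registry is a confusion signal.
const INTERNAL_SCOPE = "@examplebank/";
const INTERNAL_REGISTRY = "https://npm.examplebank.internal/";
// Constructed allowlist of popular names to compare against for typo-squats.
const POPULAR = ["lodash", "express", "axios", "react"];

// Plain Levenshtein distance; one edit is enough to catch most typo-squats.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// pkgs: [{ name, version, resolved, scripts }] as found in package-lock.json.
// Returns one finding per issue so a CI step can fail the build on any hit.
function auditPackages(pkgs) {
  const findings = [];
  for (const p of pkgs) {
    const scripts = p.scripts || {};
    const hooks = INSTALL_HOOKS.filter((h) => scripts[h]);
    if (hooks.length) findings.push({ name: p.name, issue: "install-script", detail: hooks.join(",") });
    if (p.name.startsWith(INTERNAL_SCOPE) && !(p.resolved || "").startsWith(INTERNAL_REGISTRY))
      findings.push({ name: p.name, issue: "dependency-confusion", detail: p.resolved });
    const near = POPULAR.find((n) => n !== p.name && editDistance(n, p.name) === 1);
    if (near) findings.push({ name: p.name, issue: "typosquat", detail: `resembles ${near}` });
  }
  return findings;
}

// Constructed sample records: one clean, one typo-squat with a preinstall hook,
// one internal-scope package that resolved from the public registry.
const SAMPLE_PACKAGES = [
  { name: "express", version: "4.18.2", resolved: "https://registry.npmjs.org/express/-/express-4.18.2.tgz", scripts: {} },
  { name: "lodsh", version: "1.0.0", resolved: "https://registry.npmjs.org/lodsh/-/lodsh-1.0.0.tgz", scripts: { preinstall: "node setup.js" } },
  { name: "@examplebank/auth-widget", version: "2.1.0", resolved: "https://registry.npmjs.org/@examplebank/auth-widget/-/auth-widget-2.1.0.tgz", scripts: {} },
];
console.table(auditPackages(SAMPLE_PACKAGES));
```

Running the sample yields three findings: the typo-squat is flagged twice (install script and name similarity) and the scoped package once; a hit on any of them is a reason to block the install and review the package by hand.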

A broader approach is the need of the hour

While organizations have become more aware of the importance of tracking dependencies and resolving known vulnerabilities, attackers are becoming increasingly creative in their approaches. To enhance software supply chain security, application security teams must consider not only the presence of known vulnerabilities but also the origin and behavior of open-source libraries. Factors such as project owner reputation, community activity, and security history can help identify problematic dependencies.

As the threat landscape evolves, industry-wide efforts to establish component provenance and enhance software supply chain security practices will become more standardized. This comprehensive approach will ensure the integrity and security of software systems, particularly in high-risk sectors like banking.

With the prevalence of open-source software and the increasing sophistication of cyber threats, securing the software supply chain has become an imperative for organizations across industries. By adopting proactive measures, regularly validating libraries, reviewing package ownership and maintenance, and leveraging security tools, organizations can safeguard their systems against the risks posed by malicious packages.


(This article is authored by Phillip Ivancic, APAC head of solution strategy, Synopsys Software Integrity Group, and the views expressed are his own and may not necessarily reflect those of the publication) 
