The TTPs of JavaScript Supply Chain Attacks

28 April 2022

Recent research shows that software supply chain attacks are on the upswing—by almost 300% in 2021 alone. To avoid attacks that arrive through open-source libraries and JavaScript, businesses need to understand the tactics, techniques, and procedures (TTPs) associated with JavaScript supply chain attacks.

Problems with the JavaScript Supply Chain Begin with JavaScript

In our new white paper, Guide to Preventing JavaScript Supply Chain Attacks, we discuss how malicious or vulnerable JavaScript can damage organizations and their users via the software supply chain.

JavaScript was not designed with security in mind, which makes JavaScript exploitation a common threat tactic. The most frequent criminal objective is stealing sensitive information, such as PII, end-user data, credit card numbers, or other healthcare or financial information.

Intentionally malicious JavaScript can end up in web applications when:

  • Threat actors alter existing JavaScript or inject malicious code directly into the current web application.
  • Flawed or intentionally malicious JavaScript finds its way onto a web application via the software supply chain.

It is the second concern—when malicious code hits the supply chain connecting code to front-end web applications—that has the potential to significantly damage numerous connected businesses and their users.

Digging Into the TTPs

Understanding the TTPs used by threat actors when it comes to JavaScript supply chain attacks is imperative to the security analysis process.

The Basics: What Are TTPs?

Tactics, techniques, and procedures—otherwise known as TTPs—help security teams better understand threat actors and detect and mitigate attacks.

Tactics are the way threat actors go about carrying out an attack. For example, on the front end or client side, an attack tactic might be using vulnerable JavaScript to gain access to sensitive data as part of a Magecart attack.

Techniques are the methods that cybercriminals use to achieve their objectives. In a client-side attack, the technique might be cross-site scripting (XSS).

Procedures involve the steps threat actors take to move the attack through the attack lifecycle. For example, in an e-skimming attack, the threat actor may capture the data from a form on a compromised website, send the exfiltrated data to a command and control (C2) server, and then sell the stolen data on the dark web.

Three JavaScript Supply Chain Attack Tactics

Let’s talk tactics first. In our new white paper, Guide to Preventing JavaScript Supply Chain Attacks, we discuss these predominant JavaScript supply chain attack tactics:

E-skimming, Formjacking, & Magecart Attacks

E-skimming, formjacking, and Magecart are all client-side attacks. The attack tactic is fairly straightforward: malicious code on a web application is used to exfiltrate information belonging to end users (e.g., credit card data entered into check-out pages on shopping websites). The stolen data is then sold on the dark web.

JavaScript Injection

In a JavaScript Injection attack, threat actors alter the code through direct injection into existing scripts. Like e-skimming attacks, this enables the attacker to collect sensitive data.

JavaScript Sniffers

JavaScript sniffers operate through techniques like cross-site scripting (XSS). Threat actors may also use phishing attacks focused on the website administrator to access the website’s control panel. In a real-world example, over the course of five years, the UltraRank criminal group led sniffing attacks on more than 700 e-commerce sites and 13 third-party suppliers globally.

The JavaScript Supply Chain Attack Process

JavaScript Supply Chain Attack Techniques

Among the techniques involved in supply chain attacks, the MITRE ATT&CK framework describes supply chain compromise as a sub-technique, with compromise occurring at any point along the supply chain. Among the compromise areas listed by MITRE, several relate specifically to client-side JavaScript concerns:

  • Manipulation of development tools—JavaScript contains no built-in security permissions, making manipulation of the code itself easy.
  • Manipulation of source code in open-source dependencies—Multiple recent studies have found that third-party and open-source libraries harbor vulnerable and sometimes intentionally malicious code.
  • Replacement of legitimate software with modified versions—Modifications to JavaScript code are not always malicious, but they can still introduce vulnerabilities that open a web application up to exploitation.

White Paper Highlights: Guide to Preventing JavaScript Supply Chain Attacks

In our new white paper, we cover the TTPs, along with other issues related to JavaScript supply chain attacks. Highlights from Feroot’s new white paper include:

  • The common themes associated with JavaScript supply chain attacks.
  • Differences between client side and server side and why businesses need to prioritize client-side security.
  • Client-side attacks and the supply chain—which can’t be ignored.
  • Common JavaScript exploits.
  • The impacts of JavaScript supply chain attacks.
  • Preventing JavaScript supply chain attacks.

Learn More

If you maintain a web application, protecting your end users is critical to your business model. It begins with understanding the threats related to the JavaScript supply chain. Download the free white paper, Guide to Preventing JavaScript Supply Chain Attacks, to learn more about JavaScript supply chain attacks and their TTPs.
