THREAT-INFORMED DEFENSE IN OPERATIONAL TECHNOLOGY (OT) SYSTEMS


1. Threat-Informed OT Security: A Strategic Imperative

1.1. The Modern Landscape

Cybercriminal networks now operate with the structure and agility of modern enterprises.
Emerging business models such as Crime-as-a-Service (CaaS) and Reconnaissance-as-a-Service (RaaS) significantly accelerate the speed and complexity of cyberattacks.
Artificial Intelligence (AI) is further amplifying these threats by automating and optimizing attacks on Operational Technology (OT) environments.

1.2. Challenges in OT Systems

OT systems control physical processes, requiring continuous operation and high precision.
These systems often run outdated and unpatched software, exposing critical vulnerabilities.
The convergence of IT and OT increases exposure to supply chain threats and physical sabotage.

1.3. AI’s Role in OT Attack Campaigns

  • AI facilitates automated reconnaissance and attack planning by analyzing ICS/SCADA systems.
  • AI-powered fuzzing accelerates the discovery of new vulnerabilities.
  • Post-compromise, AI supports lateral movement automation, enabling stealthy network propagation.

1.4. Proposed Defense Strategy

  • Adopt Threat-Informed Defense: Leverage real-world threat intelligence to continually update defensive Tactics, Techniques, and Procedures (TTPs).
  • Enhance Security Automation: Deploy SOAR (Security Orchestration, Automation, and Response) to automate threat detection and incident response.
  • Bridge IT-OT Security: Implement an integrated cybersecurity framework that ensures unified governance and operational safety.

2. Malicious NPM Packages Targeting PayPal Developers

2.1. Campaign Overview

Researchers at Fortinet uncovered malicious NPM packages disguised as legitimate OAuth2 PayPal libraries.
Objective: steal developers' login credentials and compromise their PayPal accounts.

2.2. Attack Mechanism

  • Preinstall Hook: Malware is executed during the installation process via npm scripts.
  • Data Exfiltration: Sensitive data is harvested and transmitted over encrypted HTTPS channels.
  • Persistence: Some variants install cron jobs to maintain long-term access.

2.3. Identified Malicious NPM Packages

  • oauth2-paypal
  • paypal-oauth
  • paypal-node-sdk
  • paypalsdk-node
  • nodejs-paypal-auth

2.4. Malware Technical Analysis

  • Obfuscation: Source code is heavily obfuscated using multi-layered Base64 encoding.
  • Payload: Malicious bash scripts scan for sensitive files (e.g., .env) and system configurations.
  • Command & Control (C2): Uses masked domains via cloud hosting services like Heroku and Netlify.

Figure 5: The author published numerous malicious packages in a short time.

2.5. Defense Recommendations

  • Audit dependencies regularly: Use tools like npm audit and FortiDevSec.
  • Source packages from verified developers only: Always verify open-source code or use trusted mirrors.
  • Monitor install behavior: Apply sandbox environments to auto-analyze new npm packages.

Indicators of Compromise (IOCs)


Currently, Tech Horizon is the official distributor of FORTINET in the Vietnamese market.
We are pleased to offer your organization comprehensive consultation and installation services, featuring competitive investment costs, a diverse range of solutions, and dedicated technical support.
Please feel free to contact us for further assistance.

————————————————————————-

TECH HORIZON CORP

Head Office: No. 22, Street No. 9, Trung Son Residential Area, Binh Hung, Binh Chanh District, Ho Chi Minh City
Hanoi Office: 4th Floor, Sport Hotel, Hacinco Student Village, Thanh Xuan District, Hanoi
Website: https://techhorizonvn.com
Email: info@techhorizonvn.com
Phone: 028 5431 6046 or 024 6286 2118
Fanpage: Tech Horizon Vietnam
