- Ledger, a hardware wallet provider, discovered an exploit on December 14, 2023, targeting DApps using the Ledger Connect Kit.
- Malicious code was injected into the affected DApps, leading users to unknowingly sign transactions that drained their wallets.
- Ledger responded promptly, deploying a fix and collaborating with WalletConnect to disable the malicious instance, while also outlining preventive measures and user recommendations for enhanced security.
On the 14th of December 2023, Ledger, a prominent hardware wallet provider, detected an exploit that targeted DApps utilizing the Ledger Connect Kit. This exploit involved the injection of malicious code into the affected DApps, deceiving users into signing transactions that resulted in the draining of their wallets. Immediate action was taken to address the issue, but a small number of users fell victim to the attack during the intervening period.
Timeline of Events
The timeline below outlines the sequence of events related to the exploit, all of which occurred in Central European Time (CET):
Morning of December 14, 2023
A former Ledger employee became a victim of a sophisticated phishing attack, which enabled the attacker to gain access to their NPMJS account. By bypassing the two-factor authentication (2FA) mechanism, the attacker obtained the individual’s session token.
Between 9:49 AM and 11:37 AM
The attacker published malicious versions of the Ledger Connect Kit on NPMJS, namely versions 1.1.5, 1.1.6, and 1.1.7. This malicious code used a rogue WalletConnect project to reroute assets to the hackers’ wallets.
1:45 PM
Thanks to the vigilance of various actors within the ecosystem, including Blockaid, who promptly alerted the Ledger team and provided updates, Ledger became aware of the ongoing attack.
2:18 PM
Ledger’s technology and security teams were notified of the attack. They swiftly deployed a fix, a genuine version of the Ledger Connect Kit, within 40 minutes of becoming aware. However, because of the way Content Delivery Networks (CDNs) and caching mechanisms on the internet work, the malicious file remained accessible for a short period. It took approximately five hours from the compromise of NPMJS for the complete resolution of the issue. During this time, the window in which user assets were actively drained was estimated to be less than two hours.
2:55 PM
In collaboration with WalletConnect, Ledger coordinated efforts to disable the rogue WalletConnect instance responsible for draining assets from users’ wallets. Additionally, Tether took action and froze the USDT of the attacker(s).
Root Cause Analysis and Findings
Context
The Ledger Connect Kit is an open-source JavaScript library that allows developers to connect their DApps to Ledger hardware. It can be integrated using the Connect-Kit-loader component, which enables DApps to load the Connect-Kit at runtime from a CDN. This approach ensures DApp developers always have the latest version of the Connect-Kit without requiring manual updates or new builds. The CDN utilized by Ledger for distribution is NPMJS, a widely used package manager for JavaScript code.
Root Cause
The attacker did not gain access to any Ledger infrastructure, Ledger code repository, or the DApps themselves. Instead, they exploited a former employee’s access on NPMJS to push a malicious code package onto the CDN in place of the legitimate Connect-Kit. DApps that integrated the Connect-Kit-loader unknowingly loaded this malicious code.
Findings
The attack was well prepared and executed by experienced individuals. Unlike most front-end attacks, which focus on stealing credentials, this attack targeted the session token directly, bypassing traditional security measures. The malware employed in this exploit, known as Angel Drainer, has been observed by the Ledger security team in previous criminal activities. The stolen funds were being split, with 85% going to the exploiter and 15% to Angel Drainer, indicating a potential “malware-as-a-service” model.
Angel Drainer manipulates users into signing various types of transactions based on the targeted asset. For ERC20 and NFT tokens, it requests users to sign approval and permit messages. For native tokens, the drainer prompts users to sign either a fake “claim” transaction or simple token transfers, which can later be swept by deploying a smart contract at the corresponding address.
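The approval requests described above have a recognisable shape on the wire. As an added example, not Ledger's or any wallet's code, the check below decodes ERC20 `approve(spender, amount)` calldata before it is signed and flags the combination a drainer depends on: an unlimited allowance granted to a spender the user has never dealt with. The allow-list and addresses are constructed for the example.

```javascript
// Added example (not Ledger's code): a pre-signing check a wallet or DApp
// front-end can apply to ERC20 approve() calldata to warn the user before an
// unlimited allowance is granted to an unfamiliar spender.
const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;

// Decode approve(spender, amount) calldata; returns null if it is not approve().
function decodeApprove(calldata) {
  const hex = calldata.replace(/^0x/, "").toLowerCase();
  if (hex.length !== 8 + 64 + 64 || hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spender = "0x" + hex.slice(8 + 24, 8 + 64); // address is the low 20 bytes of word 1
  const amount = BigInt("0x" + hex.slice(8 + 64));  // uint256 in word 2
  return { spender, amount };
}

// Classify an approval against spenders the user has previously interacted
// with (the allow-list is constructed by the caller for this example).
function assessApproval(calldata, knownSpenders) {
  const decoded = decodeApprove(calldata);
  if (!decoded) return { risk: "n/a", reasons: ["not an approve() call"] };
  const reasons = [];
  if (decoded.amount === MAX_UINT256) reasons.push("unlimited allowance");
  if (!knownSpenders.has(decoded.spender)) reasons.push("spender not previously seen");
  const risk = reasons.length === 2 ? "high" : reasons.length === 1 ? "medium" : "low";
  return { risk, reasons, ...decoded };
}

// Build approve() calldata for a test case; values are padded to 32-byte words.
function encodeApprove(spender, amount) {
  const word = (h) => h.padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + word(spender.replace(/^0x/, "").toLowerCase()) + word(amount.toString(16));
}
```

A "high" result is the point at which a wallet would show an explicit warning rather than a generic signing prompt; permit signatures carry the same spender and value fields and can be screened the same way.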
Preventive Measures
To enhance security measures and mitigate the risk of similar incidents in the future, Ledger is implementing the following remedial actions:
- Reviewing and auditing all access controls across internal and external tools and systems used by Ledger.
- Strengthening policies related to code review, deployment, distribution, and access controls, including incorporating external tools into maintenance and offboarding checks.
- Generalizing code signing practices when relevant and conducting regular internal audits to ensure proper implementation.
- Intensifying security training programs, including phishing training, for all employees.
- Prioritizing third-party security assessments to identify vulnerabilities and areas for improvement.
- Conducting a specific third-party audit focused on access control, code promotion, and distribution in early 2024.
- Enhancing communication and collaboration with security researchers and community members to encourage responsible disclosure and prompt detection of potential vulnerabilities.
User Recommendations
In light of this incident, users are advised to take the following precautions:
- Update Ledger Live and all associated applications to the latest versions provided by Ledger.
- Exercise caution when interacting with DApps and verify the legitimacy of the applications and libraries you use.
- Enable 2FA on all relevant accounts and ensure you are using strong, unique passwords.
- Regularly monitor your wallet activity and review transaction history for any suspicious activity.
- Be wary of phishing attempts and carefully scrutinize the URLs of websites and applications you interact with.
- Stay informed about security best practices and be vigilant in protecting your digital assets.
Conclusion
The recent exploit targeting the Ledger Connect Kit serves as a reminder of the evolving threats in the blockchain ecosystem. While Ledger took prompt action to address the issue and minimize the impact on users, it is crucial for users to remain proactive in safeguarding their digital assets. By implementing the recommended security measures and exercising caution, users can reduce the risk of falling victim to similar attacks. Ledger, meanwhile, is committed to continuously enhancing security measures and collaborating with the community to ensure the integrity and safety of its products.
Disclaimer
The information provided in this article is for informational purposes only and should not be considered financial advice. The article does not offer sufficient information to make investment decisions, nor does it constitute an offer, recommendation, or solicitation to buy or sell any financial instrument. The content is the opinion of the author and does not reflect any view, suggestion, or advice of any kind from CryptoNewsBytes.com. The author declares that he does not hold any of the above-mentioned tokens and has not received any incentive from any company.