Security Incident Report

2023-12-23 15:46

Date of the report: 2023-12-20

Date of the incident: 2023-12-14

Type of Incident Detected: Unauthorized Access & Malicious Code

Executive Summary

Ledger detected an exploit using Ledger Connect Kit on Thursday the 14th of December 2023. This exploit injected malicious code inside DApps that were using Ledger Connect Kit, tricking EVM DApp users into signing transactions that drain their wallets. The exploit was quickly spotted and a resolution was implemented briefly after. In the meantime, a low volume of users fell into the attack and signed transactions draining their wallet.

Timeline 

Timeline hours are detailed using the time zone Central European Time (CET):

2023-12-14: Morning: A former Ledger Employee fell victim to a sophisticated phishing attack that gained access to their NPMJS account, bypassing 2FA, using the individual’s session token.

2023-12-14 – 09:49AM / 10:44AM / 11:37AM: The attacker published on NPMJS (a package manager for Javascript code shared between apps), a malicious version of the Ledger Connect Kit (affecting versions 1.1.5, 1.1.6, and 1.1.7). The malicious code used a rogue WalletConnect project to reroute assets to hackers’ wallets.

2023-12-14: 1.45PM: Ledger was made aware of the ongoing attack thanks to the prompt reaction of different actors in the ecosystem, including Blockaid who reached out to the Ledger team and shared updates on X.

2023-12-14: 2.18PM: Ledger’s technology and security teams were alerted to the attack and a genuine version of Ledger Connect Kit fix was deployed by Ledger teams within 40 minutes of Ledger becoming aware. Due to the nature of CDN (Content Delivery Network) and caching mechanisms on the Internet, the malicious file remained accessible for a little longer. From the compromission of NPMJS to the complete resolution, approximately 5 hours have passed. This extended availability of the malicious code was a result of the time taken for the CDN to propagate and update its caches globally with the latest, genuine version of the file. Despite the file’s five hour presence, we estimate from our investigation that the window during which user assets were actively drained was confined to less than two hours in total.

Ledger coordinated swiftly with our partner WalletConnect, who disabled the rogue WalletConnect instance used to drain assets from the users.

2023-12-14: 2.55 PM Upon our coordination, Tether froze the USDT of the attacker(s) (cf. TX).

Root Cause Analysis, Findings and Preventing Measures Context

Ledger Connect-Kit is a Java Script open source library allowing developers to connect their DApps to Ledger hardware. It can be integrated using the Connect-Kit-loader component that allows a DApp to load the Connect-Kit at runtime from a CDN. This allows DApp developers to always have the most recent version of the Connect-Kit without the need to manually update package versions and release new builds. The CDN used by Ledger for the distribution is NPMJS. Most DApps have integrated the Connect-Kit using the mentioned Connect-Kit-loader. 

In the Ledger Connect Kit exploit, the attacker did not at any time have access to any Ledger infrastructure, Ledger code repository, or to DApps themselves. The attacker was able to push a malicious code package within the CDN in place of the Connect-Kit itself. This malicious Connect-Kit code was then dynamically loaded by DApps who already integrate the Connect-Kit-loader. 

The Ledger Connect Kit exploit highlights risks Ledger and the industry collectively face to protect users, and it is also a reminder that collectively we need to continue to raise the bar for security around DApps where users will engage in browser-based signing. It was Ledger’s service that was exploited this time, but in the future this could happen to another service or library.

Root cause

In order to be able to push the malicious code package on NPMJS, the attacker phished a former employee to leverage the individual’s access on NPMJS. The access of the former employee to Ledger’s systems (including Github, SSO based services, all internal Ledger tools, and external tools) were properly revoked, but unfortunately the former employees’ access to NPMJS was not properly revoked. 

We can confirm this was an unfortunate isolated incident. Accesses to Ledger infrastructure by Ledger employees are automatically revoked during employee offboarding, however, due to how current technology services and tools currently operate globally, we cannot automatically revoke access to certain external tools (NPMJS included), and these must be handled manually with an employee offboarding checklist for each individual. Ledger has an existing and regularly updated offboarding procedure where we remove departing employees from all external tools. In this individual case, the access was not manually revoked on the NPMJS, which we regret, and are auditing with an external third party partner. 

This was a sophisticated attack conducted by the attacker. Despite having enforced two-factor authentication (2FA) on the NPMJS targeted account, which would normally deter many attempts, the attacker circumvented this security measure by exploiting an API key associated with the former employee’s account. 

This specific attack enabled the attacker to upload a new malicious version of the Ledger Connect Kit which contained what is referred to as the Angel Drainer malware. Angel Drainer is a malware as a service that is specifically designed to craft malicious transactions that are draining wallets when signed. It’s a complete infrastructure specialized on EVM chains that deploys smart contracts on demand and crafts tailored transactions in order to maximize damage.

Unfortunately, NPMJS.com does not allow multi-authorization or signature verification for automatic publishing. We’re working on adding ad hoc mechanisms enforcing further controls at the deployment stage.

Findings

This was a well prepared attack executed by experienced attacker(s). The phishing technique implemented did not focus on credentials, which is what we see in most Front-End attacks affecting the ecosystem, but instead the attacker worked directly on the session token. 

The malware used was Angel Drainer, and the Ledger security team has seen in the past three months an increase of criminal activities using this malware (please refer to this published Blockaid report). We can also see on-chain that the funds stolen are being split: 85% to the exploiter and 15% to Angel Drainer, which could be seen as a malware as a service.

This Angel Drainer tricks users into signing different types of transactions depending on the type of asset it is currently targeting. For ERC20 and NFT tokens, it requests users to sign approval and permit messages. For native tokens, the drainer asks the user to sign either a fake “claim” transaction where the claim method simply sweeps the funds, or simple token transfers that can be later sweeped by deploying a smart contract at the corresponding address.

This is why we continue to encourage Clear Signing as an industry, so users can verify what they see on a trusted display on their Ledger hardware device. 

Remedial actions

The Ledger security and technology teams, including the Ledger executive team, are currently reviewing and auditing all our access controls on Ledger internal and external tools and systems that we use. 

Ledger will reinforce its policies when it comes to code review, deployment, distribution, and access controls, including adding all external tools to our maintenance and off-boarding checks. We’ll continue to generalize code signing when relevant. Additionally we are conducting recurrent internal audits to make sure this is properly implemented. 

Ledger already organizes security training sessions, including phishing training. The internal security training program will also be reinforced at the start of 2024 for all employees in their respective departments. Ledger already organizes regular third party security assessments and will continue to prioritize these assessments.  

In early 2024, a specific third party audit will be conducted focused on access control, code promotion and distribution. 

In addition, we’ll reinforce our infrastructure monitoring and alerting systems to be able to detect and react even faster to future incidents..

Finally, we’ll double down on preventing Blind Signing, removing it as an option for Ledger users to ensure utmost security practices, and educate users on the potential impact of signing transactions without either a secure display or understanding what they are signing by not using Clear Signing.

We thank again our partners in the ecosystem for swiftly working with the Ledger teams on identifying and resolving the exploit.

Similar to Notcoin - Blum - Airdrops In 2024

origin »

Quantum Resistant Ledger (QRL) на Currencies.ru

$ 0 (+0.00%)
Объем 24H $0
Изменеия 24h: 0.00 %, 7d: 0.00 %
Cегодня L: $0 - H: $0.307
Капитализация $0 Rank 99999
Цена в час новости $ 0.1091 (-100%)

incident report detected ledger date connect using

incident report → Результатов: 34


A Long Con: CoinsPaid Says Systems Were Under Attack For Six Months

In a new report, Estonia’s preeminent crypto payment and personal wallet provider, CoinsPaid, has revealed the intricate workings of a hacking incident that led to a colossal loss of $37 million. This audacious breach was reportedly the culmination of a six-month saga marked by calculated maneuvers and sophisticated tactics, orchestrated by none other than the notorious Lazarus Group.

2023-8-9 18:00


Фото:

На Binance продублировался депозит на $5 млн в токенах проекта Filecoin

Разработчики проекта Filestar и блокчейн-обозревателя Filfox обнаружили, что токены FIL стоимостью около $5 млн по неизвестной причине поступили на биржу Binance дважды. New incident report on today’s exchange bookkeeping issue that resulted from using the Lotus API incorrectly.

2021-3-20 13:12


Coinbase users could experience ‘intermittent delays or errors while transacting’ thanks to AWS outage

In its recently published incident report, Coinbase stated that it was investigating some connectivity issues on Coinbase and Coinbase Pro. Moreover, roughly 21 hours ago on 25 November, the exchange The post Coinbase users could experience ‘intermittent delays or errors while transacting’ thanks to AWS outage appeared first on AMBCrypto.

2020-11-26 19:00


Отчет: суммы выкупа биткоин-вымогателям выросли на 300% с 2018 года

За два последних года хакеры-вымогатели криптовалюты увеличили среднюю сумму выкупа на 200%. Об этом говорится в отчете компании Crypsis Group. Crypsis_2020 Incident Response and Data Breach Report_FINAL by ForkLog on Scribd В 2019 году средний размер выкупа составил $115 123.

2020-6-9 20:20


Фото:

Lazarus Hacker Group Continues to Target Crypto Using Faked Trading Software

This article was originally published by 8btc and written by Lylian Tang. The Chinese security service provider 360 Security has issued a warning that a large number of crypto exchanges have been targeted by the North Korean hacker group Lazarus and that the number is still rising after the recent hacks of crypto exchanges DragonEx, Etbox and BiKi.

2019-4-2 21:54


Биржа Bithumb возместит нанесенный хакерской атакой ущерб

Критовалютная биржа Bithumb официально подтвердила, что стала жертвой хакерской атаки и пообещала вернуть пользователям украденные средства. [Jun 20th Incident Report] We would like to share with you the events that took place on June 20, 2018 and the steps we’re taking to ensure that your asset is safe and secure with Bithumb. ▶ https://t.co/JjSnTtSsDj — […]

2018-6-21 16:53