Aftermath: How The Industry Reacted
Some users expressed anger at Ledger for failing to prevent the compromise, while others cautioned against the dangers of relying on third-party libraries.
The cybersecurity industry has a niche around cryptocurrency. Wallet-draining campaigns are well known; they mainly rely on phishing sites to deceive end users. The usual SaaS model, here Scam-as-a-Service, has specialized actors for wallet draining, such as the scam vendor Inferno Drainer, which announced it was ceasing operations in Nov 2023. That looks like a false flag anyway, judging by recent activity tracked on the Scam Sniffer (@scamsniffer) Dune dashboard. The scheme they follow was explained in this Group-IB post:
And Now, Lessons Learned!
It is amazing how a hardware wallet, the epitome of crypto security, was breached simply by gaining access to the NPM credentials of a Ledger “former employee” (probably a username/password without 2FA protection, or an access token). This incident is a striking reminder that when you are a target, your software infrastructure needs to be protected with the same care as your software or hardware products.
Most software supply chain attacks begin by compromising an internal account (often that of a developer or DevOps engineer). The attackers then either move laterally to breach internal systems in the software infrastructure, like the CI/CD system or the deployment tools, or manage to add malicious logic to source code repositories, which can be caught when changes are properly controlled with branch protection and code reviews. But attackers do not need to go that deep when the target is a popular library published in a public registry, especially if they can obtain publish (write) credentials. That is exactly what happened in this attack: no repository or build system had to be touched, because the malicious version was published straight to the registry.
Two-factor authentication (2FA), specifically with robust factors like security keys, limits the risk for interactive operations. For CI/CD pipelines, scoped access tokens stored as CI/CD secrets are the usual way to go (and those tokens must not leak, since a token bypasses 2FA by design). Unfortunately, it seems that the employee did not have robust 2FA set up. NPM allows organizations to enforce 2FA for their members and to require 2FA for publishing a package (both are optional, not the default), which is probably what Ledger should have done. And do not forget to add proper credential revocation procedures for former employees, especially those with access to resources as critical as the NPM scope owned by the organization: an account that is no longer used is rarely monitored, which makes it a convenient entry point.
Version pinning for dependencies, with reviewed version bumps, is a practice that limits the spread of malicious dependency releases. In the context of the Ledger incident, the versions of the library that connect-kit-loader fetched from the CDN should have been pinned, and the rule is “do not trust whatever the CDN serves”. Checksum verification, e.g. via Subresource Integrity (SRI), or even a digital signature scheme that also authenticates the publisher, should be used whenever code is pulled from a CDN for dynamic loading. Note that a digest only helps for an immutable artifact: a hash of a “latest” URL changes with every release, so integrity checking presupposes pinning.
The rest is history.
For the more conventional phishing campaigns directed at wallet users, the question is: what makes users fall into traps set by criminals and confirm transactions they never intended to perform? The phishing sites in this domain are well designed and convincing, imitating popular crypto brands, and they lure with free tokens, NFT mints and other rewards. Keeping users from falling into such traps is a problem still looking for a solution.
Not to forget the related cryptojacking attacks, a more general threat, where adversaries take over cloud infrastructure to run cryptocurrency miners, often for privacy coins like Monero (XMR) and Zcash, whose transaction histories are hidden. Cryptojacking is relevant because it can affect ANY organization, and though the profit for the attacker may be low, the cost for the victim can be large (Sysdig estimated in this report that the victim organization pays about $53 in cloud costs for every $1 the attacker mines).
References
- Issue “[URGENT] This repository utilizing a malicious version of npm package @ledgerhq/connect-kit, 1.1.7” in the GitHub repository.
- Letter from the Ledger CEO on the incident, 14 Dec 2023.
- Security Incident Report, by Ledger, 20 Dec 2023.
- Ledger Exploit Endangers DeFi; Sushi Says ‘Do Not Interact With ANY dApps’, post in CoinDesk by Oliver Knight, 14 Dec 2023.
- Supply Chain Attack on Ledger Connect Kit: Analyzing the Impact and Preventive Measures, post by SlowMist on the attack, Dec 2023.
- Web3 Security Concepts: Wallet Drainers, by Jammel Weaver, in Rektify AI, Jul 2023.