The impact is widespread, and the Ledger Connect Kit has been hacked
By Lisa, Mountain, SlowMist Security Team
According to intelligence from the SlowMist security team, on the evening of December 14, 2023 (Beijing time), the Ledger Connect Kit suffered a supply chain attack in which the attackers made a profit of at least $600,000.
The SlowMist security team began its analysis immediately and issued an early warning:
The incident has now been officially resolved, and the SlowMist security team shares its emergency response information as follows:
Timeline
At 7:43 PM, Twitter user @g4sarah reported that the front end of the DeFi asset management protocol Zapper was suspected to have been hijacked.
At 8:30 PM, Sushi's CTO, Matthew Lilley, tweeted: "Please do not interact with any dApp until further notice. A commonly used Web3 connector (a Java library that is part of the web3-react project) is suspected to have been compromised, allowing the injection of malicious code affecting numerous dApps." He then stated that Ledger might have suspicious code. The SlowMist security team immediately stated that it was following up on and analyzing the incident.
At 8:56 PM, Revoke.cash tweeted: "Several popular crypto applications integrated with the Ledger Connect Kit library, including Revoke.cash, have been compromised. We have temporarily closed the site. We recommend not using any crypto websites during this exploit." Subsequently, the cross-chain DEX project Kyber Network also said that it had disabled its front-end UI out of an abundance of caution until the situation became clear.
At 9:31 PM, Ledger also issued a reminder: "We have identified and removed a malicious version of the Ledger Connect Kit. Genuine versions are being pushed to replace malicious files, don't interact with any dApps just yet. We'll let you know if there's something new. Your Ledger device and Ledger Live have not been compromised."
At 9:32 PM, MetaMask also issued a reminder: "Users should make sure that the Blockaid feature has been enabled in the MetaMask extension before executing any transactions on the MetaMask Portfolio."
Attack impact
The SlowMist security team immediately analyzed the relevant code and found that the attacker had implanted malicious JS code in versions 1.1.5, 1.1.6 and 1.1.7 of @ledgerhq/connect-kit. The malicious code replaces the normal window logic with a Drainer class, which not only pops up a fake DrainerPopup window but also handles the transfer logic for various assets. Because the library is distributed via CDN, the phishing payload reached cryptocurrency users directly through every dApp that loaded it.
Affected versions:
@ledgerhq/connect-kit 1.1.5 (the attacker mentions Inferno in the code, presumably as a nod to Inferno Drainer, a phishing gang specializing in multi-chain scams)
@ledgerhq/connect-kit 1.1.6 (the attacker leaves a message in the code and implants malicious JS code)
@ledgerhq/connect-kit 1.1.7 (the attacker leaves a message in the code and implants malicious JS code)
Ledger says that the Ledger wallet itself is not affected; the affected parties are the apps that integrate the Ledger Connect Kit library.
However, many applications (such as SushiSwap, Zapper, MetalSwap, Harvest Finance, Revoke.cash, etc.) use the Ledger Connect Kit, so the impact is inevitably large.
With this kind of attack, an attacker can execute arbitrary code with the same level of privilege as the application itself. For example, an attacker can drain all of a user's funds instantly without any interaction, post large numbers of phishing links to lure users in, or even exploit the user's panic: a user who tries to move assets to a new address may download a fake wallet and lose the assets.
Analysis of technical tactics
Having analyzed the impact of the attack above, and based on past emergency response experience, we speculated that this may have been a premeditated social engineering phishing attack.
According to @0xSentry's tweet, the attackers left a digital trail involving the Gmail account of @JunichiSugiura (Jun, a former Ledger employee), which may have been compromised; Ledger had apparently forgotten to revoke the former employee's access.
At 11:09 PM, the speculation was officially confirmed: a former Ledger employee had fallen victim to a phishing attack:
The attacker gained access to the employee's NPMJS account;
the attacker published malicious versions of the Ledger Connect Kit (1.1.5, 1.1.6, and 1.1.7);
the attacker used a malicious WalletConnect integration in the injected code to transfer funds to the attacker's wallet address.
Ledger has now released the verified, genuine Ledger Connect Kit version 1.1.8, so please update promptly.
Although the poisoned versions have been removed from npmjs, the poisoned JS files are still present on jsDelivr:
Note that CDN caching may introduce latency; Ledger officially recommends waiting 24 hours before using the Ledger Connect Kit again.
Project teams that load a library from a third-party CDN mirror should pin the exact version, so that a malicious release followed by an automatic update cannot cause harm. (Suggestion from @galenyuan)
Ledger has accepted this suggestion, and its release strategy is expected to change accordingly:
Ledger’s official final timeline:
MistTrack Analytics
Drainer customer: 0x658729879fca881d9526480b82ae00efc54b5c2d
Drainer fee address: 0x412f10AAd96fD78da6736387e2C84931Ac20313f
According to MistTrack's analysis, the attacker (0x658) made at least $600,000 and is associated with the phishing gang Angel Drainer.
The Angel Drainer gang's main attack method is social engineering against domain name service providers and their staff; for details, see our earlier report, "The Dark 'Angel': Angel Drainer Phishing Gang Revealed".
Angel Drainer (0x412) currently holds nearly $363,000 in assets.
According to the SlowMist Threat Intelligence Network, the following indicators were found:
IP addresses: 168.*.*.46, 185.*.*.167
At 11:09 PM, Tether froze the Ledger exploiter's address. In addition, MistTrack has blocked the relevant addresses and will continue to monitor the movement of funds.
Summary
This incident once again proves that DeFi security is not only about contract security; the rest of the stack matters just as much.
On the one hand, this incident illustrates the serious consequences a supply chain security breach can have. Malware and malicious code can be planted at different points in the software supply chain, including development tools, third-party libraries, cloud services, and update processes. Once such malicious elements are successfully injected, attackers can use them to steal cryptocurrency assets and sensitive user information, disrupt system functionality, extort businesses, or spread malware at scale.
On the other hand, attackers can obtain sensitive information such as users' personally identifiable information, account credentials, and passwords through social engineering, and can use spoofed emails, text messages, or phone calls to lure users into clicking malicious links or downloading malicious files. Users are advised to use strong passwords (a combination of letters, numbers, and symbols) and to change them regularly, to minimize the chance that attackers guess them or obtain them through social engineering. At the same time, multi-factor authentication should be enabled, so that an additional factor (such as an SMS verification code or fingerprint recognition) protects the account against this type of attack.