Rewterz Threat Update – A Crypto Hardware Wallet LEDGER Supply Chain Attack Caused a $600K Theft

Severity

High

Analysis Summary

Ledger, a crypto hardware wallet manufacturer, fell victim to a cyber attack when threat actors performed a phishing attack on a former employee, gaining unauthorized access to Ledger’s NPMJS account. The attackers manipulated the popular npm module “@ledgerhq/connect-kit,” inserting a malicious version that resulted in the theft of over $600,000 in virtual assets. This module, used to connect Ledger devices to decentralized applications, contained crypto drainer malware.

Upon discovering the attack, Ledger swiftly responded by releasing a new version (1.1.8) of the npm module and removing the malicious code from the repository. Ledger’s Chairman and CEO highlighted the collaborative effort with its partner WalletConnect to address the exploit within 40 minutes of detection, emphasizing the industry’s rapid response to security challenges.

The compromised npm module versions (1.1.5, 1.1.6, and 1.1.7) affected any application dependent on them, leading to a supply chain attack. The attackers used a rogue WalletConnect project to redirect funds to a wallet under their control. Ledger’s security teams promptly rectified the issue after being alerted, deactivating the malicious code.

Despite being live for around 5 hours, Ledger and WalletConnect disabled the rogue project and identified the attackers’ wallet address (0x658729879fca881d9526480b82ae00efc54b5c2d). Tether, a cryptocurrency partner, froze the stolen funds.

The incident underscores the importance of robust security measures, as initial observations suggest the compromised account lacked multi-factor authentication (MFA). Ledger’s ability to swiftly address the attack demonstrates the industry’s collaborative response to mitigate security risks and protect users’ assets.

Impact

• Financial Loss
• Unauthorized Access

Remediation

• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
• Never trust or open links and attachments received from unknown sources/senders.