The breach involved the compromise of Ledger’s widely used Connect Kit JavaScript library, resulting in the theft of hundreds of thousands of pounds in cryptocurrencies from users’ wallets in the early hours of Thursday.
Ledger attributed the exploit to a phishing attack targeting a former employee, who inadvertently became the entry point for the hacker.
The attacker then published a malicious version of the package through the company’s NPM registry account. Decentralised applications (dApps) that loaded the compromised library had their users’ funds redirected to the attacker’s wallet during transactions.
“The attacker published a malicious version of the Ledger Connect Kit (affecting versions 1.1.5, 1.1.6, and 1.1.7),” Pascal Gauthier, Ledger’s CEO, said.
“The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet.”
Although the compromised package was live for only about five hours, and was actively draining funds for roughly two of them, the attacker still made off with a substantial quantity of crypto tokens.
The impact extended well beyond Ledger, because any DeFi front end that loaded the library was exposed. Impacted DeFi protocols include SushiSwap, Kyber, Revoke.cash and Zapper.
Kyber and Revoke.cash took immediate action, taking their respective front ends offline to prevent further exploitation.
Ledger later said that the malicious code had been deactivated, and that the authentic version, Ledger Connect Kit 1.1.8, was safe to use. It advised developers to update their applications promptly.
As an added precaution, since the genuine version was still propagating, users were advised to wait 24 hours before using the library again.
“We are filing a complaint and working with law enforcement on the investigation to find the attacker,” Ledger said, expressing its commitment to pursuing legal action.
Ledger’s post read:
“FINAL TIMELINE AND UPDATE TO CUSTOMERS:
4:49pm CET: Ledger Connect Kit genuine version 1.1.8 is being propagated now automatically. We recommend waiting 24 hours until using the Ledger Connect Kit again.
The investigation continues, here is the timeline of what we know about…”
— Ledger (@Ledger) December 14, 2023
Revoke.cash reported losses totalling approximately $850,000 as a result of the incident.
Rosco Kalis, a software engineer at Revoke.cash, criticised Ledger’s distribution method for Connect Kit: because the library was served through a content delivery network (CDN) rather than installed as a dependency, integrating developers could not pin it to a specific version, so a newly published release reached every site loading it without any action on their part.
Kalis stressed the importance of “pinning” versions to protect against supply chain attacks.
Crypto security startup Blockaid, which raised the alarm about the breach, estimates that between 500 and 1,000 wallets fell victim to the attack.
“This is affecting anyone with a wallet that is connecting to a dApp that includes this piece of code,” Raz Niv, co-founder and CTO of Blockaid, said.
Despite Ledger’s prompt update to remove the compromised code, Niv urged crypto users to exercise caution when accessing dApps, since not every platform would yet have picked up the fixed version.
This exploit follows Ledger’s troubled history with security issues, including a major customer database leak in 2020 and controversies over the security of its hardware revealed through a software update last year.
As the DeFi landscape grapples with yet another setback, industry stakeholders are reminded of the constant need for vigilance and security enhancements in the rapidly evolving crypto space.
This news is republished from another source.