Attack on Ledger Wallets: Analysis and Post-mortem

Today is a day for cybersecurity introspection. Ledger, a company renowned for its secure hardware wallets, has recently faced an attack that combined three classes of weakness: a supply chain compromise, poor data custody, and poor secrets management. While the secret keys stored in Ledger devices remain uncompromised, the software component primarily used for signing Web3 transactions has been affected. As a security company, we advise caution in using Ledger’s back-end software, since attacks like this could involve other software components from the company. Blockaid was the first to disclose this vulnerability. Based on the latest post-mortem report, Blockaid was very fast to discover it. Ledger end-users can follow threads like this to check whether they are affected and how to move forward. Chainalysis published the attack exploiter address: 0x658729879fca881d9526480b82ae00efc54b5c2d.


You should follow official channels (more than one!) from Ledger for updates, especially their Twitter/X account @Ledger. A post-mortem report is available here.

Based on their current post-mortem report we see the following high-level issues:

  1. Handling the custody of secrets by the company. The attackers first compromised a former Ledger employee who still held official Ledger account secrets. This is where secrets were mismanaged: actual company secrets should never remain in the hands of former employees.
  2. The same attack could have landed on a current employee, so the company should deploy protections against this kind of phishing.
  3. Companies should implement robust security measures when using Content Delivery Networks (CDNs). This is one of the most common attack vectors nowadays. We will focus on this since there is little material and awareness available. Most companies have no cybersecurity experts and have a chain of trust that is broken or unclear. For example, using services such as CloudFlare, Google Cloud, AWS, Azure, etc. does not mean you can trust 100% of your system’s components to them. This is not only because those services could have vulnerabilities, but because you are not aware of how security issues that are ultimately yours propagate through them.
  4. Blind signing should be abolished. Only advanced users should enable it, with all the warnings in place. I have personally mentioned this at the security panel in the last LABITCONF. This is included in the post-mortem tweet mentioned above.

Regarding CDNs, there are many ways to address this problem. One is to sign the packages and retrieve the signature through one or more additional, independent channels, for example IPFS, DNS, etc.

Some recent supply chain attacks and information include:


It is important to highlight that these problems are not limited to NPM: they could equally affect other package distribution systems such as PyPI, and CI/CD platforms such as GitHub. It just happens that NPM is very popular and therefore more profitable for attackers.

Other interesting discussion threads are happening around the incident; we recommend searching for them, and one in particular: Ledger’s NPM account has been hacked (@Hacker News).

Fortunately, Ledger has been improving its communications; see, for example, Ledger Recovery. In conclusion, it is vital for wallet providers like MetaMask and WalletConnect to include these security issues on their status pages, enhancing transparency and user awareness:
