In this article, we discus attacks on cryptocurrency and digital asset infrastructures and focus on software supply chain attacks. We first list high-profile attacks that have been made public and the discuss possible mitigations.
Authors: Martin Monperrus & the CHAINS team
Creation date: Nov 30 2022
Status: keeps being updated over time
Ref URL: https://chains.proj.kth.se/software-supply-chain-attacks-crypto.html
event-stream npm package by Dominic Tarr was compromised because of a maintainer change.
Dominic Tarr stopped maintaining the repository long before the attack. The bad actor reached out
to the developer in 2018 to help him out. However, he added malicious code to steal bitcoins
from application and then released the malicious
event-stream on npm. See
issue for more details. References:
End-user transaction attack through Pypi typosquatting by monitoring the clipboard for crypto addresses.
“A malicious package was slipped into Pypi. “Called “Colourama,” the package looked similar to Colorama, which is one of the top-20 most-downloaded legitimate modules in the Python repository. The doppelgänger Colourama package contained most of the legitimate functions of the legitimate module, with one significant difference: Colourama added code that, when run on Windows servers, installed a Visual Basic script to constantly monitors the server’s clipboard for signs a user is about to make a cryptocurrency payment.” https://arstechnica.com/information-technology/2018/10/two-new-supply-chain-attacks-come-to-light-in-less-than-a-week/
“A single connection controlled by the non-secure processor allows it to reset the display. Hence, malicious code running on the non-secure processor can turn off the display even while it’s running on battery only. This might be leveraged as part of an elaborate social engineering attack where the infected Ledger Nano X shuts off its display while malware on a computer convinces the user to press a series of buttons to approve a malicious transaction (e.g., “Your Ledger Nano X stopped responding, please hold both buttons to restart the device”). Ref: https://blog.kraken.com/post/5590/kraken-security-labs-supply-chain-attacks-against-ledger-nano-x/
“On Friday, September 17 2021, Miso suffered a supply chain exploit, whereupon the fund wallet address was fixed” https://blog.sonatype.com/3-million-cryptocurrency-heist-malicious-github-commit?hsLang=en-us
“The attackers were able to make off with the data before an update patching the Log4j vulnerability was available and demanded $5 million in ransom for the stolen information. […] The attackers waited until 25 December 2021 for payment from ONUS, and when they did not receive the ransom, the attackers put the information of close to 2 million customers up for sale” https://redskyalliance.org/xindustry/vietnamese-crypto-trading-platform-hit-with-log4j
“The Sysdig Threat Research Team (TRT) … surfaced more than 1,600 malicious Docker images containing cryptominers, backdoors, and other nasty malware disguised as legitimate popular software.”
The NPM account of DyDx was compromised: https://www.mend.io/resources/blog/popular-cryptocurrency-exchange-dydx-has-had-its-npm-account-hacked/
“At around 17:49 UTC on 9 February 2023, Phylum’s automated risk detection platform began alerting us to a long series of suspicious publications which appear to be a revived attempt to deliver the same crypto wallet clipboard replacing malware. This time, however, the attacker changed the obfuscation technique and radically increased the volume of attacks.” https://blog.phylum.io/phylum-discovers-revived-crypto-wallet-address-replacement-attack
The hackers compromised a Windows installer and targeted a few, very specific compagnies in the cryptocurrency business. Not clear how they managed to infect the installer file.
“Participants posting in the forum said the malware used in the attack, dubbed Fracturiser, runs on Windows and Linux systems. It’s delivered in stages that are initiated by Stage 0, which begins once someone runs one of the infected mods. Each stage downloads files from a command-and-control server and then calls for the next stage. Stage 3, believed to be the final stage in the sequence, creates folders and scripts, makes changes to the system registry, and goes on to perform the following: Propagate itself to all JAR (Java archive) files on the filesystem, Steal cookies and login information for multiple Web browsers, Replace cryptocurrency addresses in the clipboard with alternate ones, Steal Discord credentials, Steal Microsoft and Minecraft credentials”
Reference: Dozens of popular Minecraft mods found infected with Fracturiser malware (arstechnica.com)