In a large-scale attack on October 30, popular crypto websites around the world were hit after attackers pushed malicious code into updates of a widely used animation library. Users of decentralized finance apps such as 1inch and TEN Finance were shown pop-ups asking them to connect their crypto wallets. Those pop-ups were an attempted theft by the well-known wallet drainer "Ace Drainer", reported crypto security platform Blockaid.
Serious supply chain attack
According to security researcher Gal Nagli of cybersecurity company Wiz, this was a serious supply chain attack on the Lottie Player library. The animation library, used by prominent companies such as Apple, Spotify and Disney, was abused to inject malicious pop-ups into websites that otherwise appeared unaffected: the site's own code was untouched, and the malicious behaviour arrived through the third-party library it loads. That is what made the attack unusual and harder to recognize.
Jawish Hameed, vice president of engineering at LottieFiles, explained on GitHub that the GitHub account of a senior engineer at LottieFiles had been compromised. This allowed the attackers to publish several malicious updates to the animation library within a short period. Hameed assured users that the infected versions have been removed and urged them to upgrade to the safe version 2.0.8.
Growing need for comprehensive security measures emphasized
Nagli warned that websites still loading the infected versions remain exposed. He advised users to check whether sites are using the safe versions 2.0.4 or 2.0.8 of the library.
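One way to perform that check, as an added example that is not code from the article or from LottieFiles: scan a page's script tags for lottie-player loaded from a CDN and classify each one by the version it pins. Only the two versions the article names (2.0.4 and 2.0.8) are treated as safe; any other exact version is reported as unsafe, and a tag or range such as `@latest` or `^2.0.0` is reported as unpinned, because the CDN or package manager resolves it at load or install time, which is exactly how a site with unchanged code can start serving a malicious update. The sample HTML, the regular expressions and the function names are constructed for this illustration.

```javascript
// Added example, not code from the article or from LottieFiles.
// Audits <script src="..."> tags and package.json for @lottiefiles/lottie-player
// and reports whether the referenced version is one the article names as safe.
// SAFE_VERSIONS, SAMPLE_HTML and the regexes below are assumptions for illustration.

// Versions the article names as safe; every other exact version is treated as suspect.
const SAFE_VERSIONS = new Set(["2.0.4", "2.0.8"]);

// Constructed sample page: one pinned safe, one pinned unsafe, one unpinned tag,
// plus an unrelated script that must be ignored.
const SAMPLE_HTML = `
<html><head>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.7/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://example.invalid/app.js"></script>
</head><body></body></html>`;

// Matches each <script ... src="..."> tag and captures the URL.
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
// Captures whatever follows "lottie-player@" in a CDN URL (a version, tag or range).
const VERSION_RE = /lottie-player@([^/"'\s]+)/i;

// Classify one version spec: "safe" or "unsafe" for an exact x.y.z version,
// "unpinned" for a missing spec, a dist-tag ("latest") or a semver range ("^2.0.0").
function classifyVersion(spec) {
  if (spec === null || spec === undefined) return "unpinned";
  if (!/^\d+\.\d+\.\d+$/.test(spec)) return "unpinned";
  return SAFE_VERSIONS.has(spec) ? "safe" : "unsafe";
}

// Audit every script tag in an HTML string that references lottie-player.
// Returns one finding per tag: { src, spec, status }.
function auditLottieScripts(html) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_SRC_RE)) {
    const src = m[1];
    if (!/lottie-player/i.test(src)) continue; // unrelated script, skip
    const vm = src.match(VERSION_RE);
    const spec = vm ? vm[1] : null; // null: no version in the URL at all
    findings.push({ src, spec, status: classifyVersion(spec) });
  }
  return findings;
}

// Audit a parsed package.json for the npm dependency; only an exact pin can be "safe".
function auditPackageJson(pkg) {
  for (const field of ["dependencies", "devDependencies"]) {
    const spec = pkg[field] && pkg[field]["@lottiefiles/lottie-player"];
    if (spec) return { spec, status: classifyVersion(spec) };
  }
  return { spec: null, status: "absent" };
}

function main() {
  for (const f of auditLottieScripts(SAMPLE_HTML)) {
    console.log(`${f.status.padEnd(8)} ${f.spec || "(no version)"}  ${f.src}`);
  }
  // Constructed package.json with a caret range: resolves at install time, so "unpinned".
  console.log(auditPackageJson({ dependencies: { "@lottiefiles/lottie-player": "^2.0.0" } }));
}

main();
```

The check only reads the version a site declares; it cannot tell what a CDN actually served to a visitor during the window in which the malicious releases were live. An unpinned tag or range is therefore reported as a finding in its own right, since pinning an exact known-good version is what prevents a future malicious release from being picked up automatically.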
This attack highlights the growing need for comprehensive security measures across the software supply chain, as cybercriminals become increasingly inventive in abusing trusted digital assets.
Source: https://newsbit.nl/cyberaanval-op-populaire-crypto-apps-kwaadaardige-code-injectie-in-veelgebruikte-animatiebibliotheek-raakt-gebruikers-wereldwijd/