Supply Chain Attack: Lottie: TryHackMe Writeup.
Task 1: Introduction
Supply chain attacks are a rising threat in cyber security, targeting the trusted parts of software development. Instead of attacking a company directly, attackers go after third-party components like libraries, packages, or services that many applications rely on. These attacks are particularly dangerous because they can spread quickly to many applications and often remain unnoticed until significant damage is done. A simple example is downloading an update for your favourite software from an attacker-controlled domain.
A recent supply chain attack on Lottie Player was carried out using a developer’s compromised access token. The attacker’s main objective was to trick web users accessing a compromised player into connecting their crypto wallets so that they could steal funds.
Learning Objectives
- Workings of a supply chain attack
- How to exploit a supply chain attack
- Protection and mitigation measures
No answer needed.
Task 2: Lottie Player Supply Chain Attack
The vulnerability stemmed from a compromised access token of a developer with privileged access to the Lottie Player npm package repository. This allowed attackers to publish malicious versions of the @lottiefiles/lottie-player package. These versions included code that triggered crypto prompts, enabling attackers to gain unauthorised access to users' cryptocurrency wallets (if the victim connected their original wallet).
Affected Versions
The malicious versions of the Lottie Player package were: 2.05, 2.06, 2.07
Impact
If an application integrated any of the compromised versions, users could see unexpected prompts to connect their cryptocurrency wallets. Attackers exploited this access to steal funds from connected wallets. In one reported case, a user lost an estimated $723,000 (10 BTC) due to unauthorised wallet access.
Technical Explanation
A typical deployment scenario involves a developer pushing code to a version control system (e.g., Git), which then updates the NPM registry. The NPM registry subsequently pushes the package to CDNs, which are deployed globally to serve files efficiently to browsers and web applications, as illustrated below.
Questions:
#2.1 Which of the following Lottie Player’s versions were vulnerable? Enter the correct option only.
a) 2.05
b) 2.04
c) 4.0
d) 5.0
Answer: a
#2.2 What is the name of the C2 server used for registration/authentication? Use the Redacted/defanged version.
Answer: castleservices01[.]com
Task 3: How to Exploit
For this task, follow the steps below to get the flag once the changes have been made to the two files, index.js and package.json.
Use the command npm login --registry http://npm.thm:4873 to log in to the registry with Mark's credentials. Enter the username mark and the password mark123 when prompted. If successful, you will receive the following message:
Next, issue the command npm publish --registry http://npm.thm:4873, which will publish version 1.1.0 of form-validator to npm.thm, making the malicious code available to any user who installs or updates the package from this registry:
Pushing the package from npm to the CDN is automated; however, to keep the attacker VM lightweight and less resource-intensive, you can manually initiate this process by visiting http://YOUR_MACHINE_IP:8080/pushtoCDN.php
Next, visit the URL localhost:8080 to check the package's functionality:
Next, visit http://YOUR_MACHINE_IP:8080/flagvalidator to get the flag:
Questions:
#3.1 Per the above code, what updated package version does the attacker push on npm.thm?
Answer: 1.1.0
#3.2 What is the port number on which the attacker will receive data?
Answer: 9090
#3.3 What is the name of the form validator JS file being fetched from the CDN?
Answer: form-validator.bundle.js
#3.4 What is the flag value after uploading the package v1.1.0? Visit the flag validator page to get the flag.
Answer: THM{MALICIOUS_PACKAGE_UPLOADED007}
Task 4: Detection and Mitigation
Mitigation Techniques
To detect signs of supply chain attacks, we can leverage a SIEM solution to monitor logs for suspicious activity, such as unexpected calls to services like cryptocurrency wallet connections in web traffic logs. In this case, block any call to the domain castleservices01[.]com, widely used in crypto-phishing attacks.
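As an added example (not part of the room or the write-up), the script below shows the two checks a defender would script from this room's indicators: scanning web-traffic log lines for requests to the C2 domain (refanged from castleservices01[.]com), and scanning a package-lock.json for the Lottie Player versions the room lists as malicious. The log format and the lockfile are constructed sample input for this example.

```python
import json
import re
from typing import Iterable

# Indicators taken from the write-up: the C2 domain (refanged for matching)
# and the package versions the room lists as malicious.
C2_DOMAINS = {"castleservices01.com"}
PACKAGE = "@lottiefiles/lottie-player"
MALICIOUS_VERSIONS = {"2.05", "2.06", "2.07"}

# Constructed sample web-traffic log lines (not real traffic) in an assumed
# "timestamp client method url" format.
SAMPLE_LOG = """\
2024-10-31T10:00:01Z 10.0.0.5 GET https://cdn.example.com/lottie-player.js
2024-10-31T10:00:02Z 10.0.0.5 POST https://castleservices01.com/register
2024-10-31T10:00:03Z 10.0.0.7 GET https://CASTLESERVICES01.COM/auth?x=1
2024-10-31T10:00:04Z 10.0.0.9 GET https://notcastleservices01.com/
"""

# Constructed lockfile (v2/v3 "packages" layout) pinning a listed version.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/@lottiefiles/lottie-player": {"version": "2.06"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

HOST_RE = re.compile(r"https?://([^/:\s]+)", re.IGNORECASE)

def flag_c2_requests(lines: Iterable[str]) -> list[dict]:
    """Return one hit per request whose host is the C2 domain or a subdomain."""
    hits = []
    for line in lines:
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower()
        # Exact host or subdomain only, so look-alikes such as
        # notcastleservices01.com are not flagged.
        if any(host == d or host.endswith("." + d) for d in C2_DOMAINS):
            ts, client, method, url = line.split(maxsplit=3)
            hits.append({"time": ts, "client": client, "host": host, "url": url})
    return hits

def check_lockfile(lock_json: str) -> list[str]:
    """Return 'path@version' for every listed malicious Lottie Player install."""
    lock = json.loads(lock_json)
    return [f"{path}@{meta['version']}"
            for path, meta in lock.get("packages", {}).items()
            if path.endswith("node_modules/" + PACKAGE)
            and meta.get("version") in MALICIOUS_VERSIONS]
```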
No answer needed.
Task 5: Conclusions
This is it.
The recent supply chain attack on Lottie calls attention to the need to secure code dependencies: it is important not only to keep packages up to date in any web application, but also to ensure that updates do not introduce any kind of malicious code into the system.
No answer needed.
Thank you!