Welcome back, hacker novitiates!
Supply chain attacks have become one of the most powerful weapons in a threat actor’s arsenal. Rather than striking a target directly, attackers compromise a third-party supplier—such as software vendors, managed service providers (MSPs), or open-source projects—to gain broad, downstream access.
In this tutorial, we will take a look at the LottieFiles hack to understand how dangerous such an attack can be.
How Supply Chain Attacks Work
The anatomy of a supply chain attack generally unfolds through these key steps:
- Compromising the Vendor: Attackers breach a vendor, either via software vulnerabilities, credential theft, phishing, or abused trust relationships (such as access tokens or neglected update systems).
- Malicious Code Injection: Malicious code or configuration is implanted in the vendor’s product—this could be in software updates, libraries, or hardware firmware.
- Distribution to Customers: The tainted product is propagated to customers through trusted mechanisms: software updates, package repositories, or physical shipments.
- Downstream Exploitation: When clients install or use the compromised component, attackers gain a foothold in otherwise well-defended environments, enabling data theft, espionage, ransomware, or further lateral movement.
Key Attack Techniques
- Update Hijacking: Altering legitimate software updates to include malicious payloads (SolarWinds, 3CX).
- Dependency/Library Poisoning: Compromising or typosquatting popular open-source packages (npm, PyPI, XZ Utils).
- Build Environment Compromise: Infiltrating Continuous Integration/Continuous Deployment (CI/CD) pipelines or signing infrastructure to propagate signed malware.
- Credential Abuse & Privileged Access: Stealing or exploiting credentials provided to third-party vendors, often for remote access or cloud services.
Notable Supply Chain Attacks
| Attack | Year | Attack Vector | Technical Details & Impact |
|---|---|---|---|
| SolarWinds | 2020 | Software update | Attackers backdoored Orion platform build process. Tainted updates were signed and distributed to 18,000+ orgs. Provided lateral movement, data exfiltration, and long-term espionage within US gov. and large corps. |
| 3CX Desktop App | 2023 | Compromised library | Build environment compromise let attackers insert malicious DLLs, download further payloads, and connect to command-and-control (C2) infrastructure. Signed with valid vendor certs—evaded detection. |
| MOVEit Transfer | 2023 | Zero-day in MFT software | CL0P ransomware used a critical SQL injection vulnerability to access and exfiltrate data from hundreds of companies via trusted file transfer service. |
| NotPetya/MeDoc | 2017 | Update hijack | Malicious update through Ukrainian accounting software (MeDoc), used EternalBlue exploit for worm-like spread, causing destructive impact globally. |
| XZ Utils Backdoor | 2024 | Open-source repo | An upstream maintainer (Jia Tan) added a sophisticated backdoor to XZ Utils library critical for SSH and compression; had it not been detected, would have enabled remote ssh compromise in major Linux distros. |
| NPM & PyPI Package Attacks | 2024 | Package repository | Attackers hijacked or typosquatted popular packages, sometimes via phishing or by adopting abandoned libraries, embedding info-stealers, credential harvesters, or remote shells. Hundreds of developers and downstream products affected. |
| Codecov Bash Uploader | 2021 | CI/CD compromise | Bash uploader script used in CI pipelines was modified. Sent environment variables, API tokens, and credentials to attacker servers—a vector for cloud and secrets theft. |
| JetBrains TeamCity | 2024 | RCE vulnerability | Exploited a zero-day in enterprise build server software, leading to remote code execution, credential theft, and lateral movement in thousands of dev environments. |
Lottie Player Supply Chain Attack
The attack stemmed from a compromised access token belonging to a developer with privileged publish access to the Lottie Player npm package. This allowed attackers to publish malicious versions of the @lottiefiles/lottie-player package. These versions included code that displayed cryptocurrency wallet prompts, enabling attackers to gain unauthorised access to users’ cryptocurrency wallets (if the victim connected their real wallet).
The malicious versions of the Lottie Player package were: 2.05, 2.06, 2.07.
Step 1: Malicious Pop-up
Lottie Player, a widely used web component for playing animations on websites and apps, caused popular decentralized finance (DeFi) apps to display pop-ups urging users to connect their wallets. However, in this case, the script loaded a crypto drainer.

Source: BleepingComputer
Step 2: WebSocket Connection
If a visitor clicks one of the buttons to connect a wallet, the script opens a WebSocket connection to castleservices01[.]com, a site with a history of use in cryptocurrency phishing attacks. The request to the C2 server carries an auth key, the user’s browser details and local IP address in its parameters, for authentication and registration of the victim.

The exact number of victims and the total amount of cryptocurrency lost to this scheme remain unknown. However, the blockchain threat monitoring platform Scam Sniffer reports that at least one victim allegedly lost $723,000 worth of Bitcoin at the time of the attack.
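As an added detection example (not code from the post or from LottieFiles), the following Python audits an npm lockfile for the poisoned @lottiefiles/lottie-player releases and scans served scripts for the C2 domain named above. The version strings use npm's dotted form (2.0.5 to 2.0.7, the registry's spelling of the releases the post lists as 2.05 to 2.07); the lockfile and script samples are constructed.

```python
import re
from typing import Iterable, List, Tuple

# Package and releases named in the post. The post writes the versions as
# 2.05-2.07; lockfiles carry npm's dotted form, 2.0.5-2.0.7.
PACKAGE = "@lottiefiles/lottie-player"
MALICIOUS_VERSIONS = {"2.0.5", "2.0.6", "2.0.7"}
# Domain the injected script opened a WebSocket to (defanged in the post).
C2_DOMAIN = "castleservices01.com"
# Match the plain or the defanged "[.]" spelling of the domain.
C2_RE = re.compile(re.escape(C2_DOMAIN).replace(r"\.", r"(?:\.|\[\.\])"))

def lockfile_findings(lock: dict) -> List[Tuple[str, str]]:
    """Return (node_modules path, version) for each copy of PACKAGE pinned to a
    malicious version. Reads lockfileVersion 2/3 "packages" (flat, keyed by
    path) and lockfileVersion 1/2 "dependencies" (nested); de-duplicates."""
    hits = set()
    for path, meta in lock.get("packages", {}).items():
        if path.endswith("node_modules/" + PACKAGE) and meta.get("version") in MALICIOUS_VERSIONS:
            hits.add((path, meta["version"]))

    def walk(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == PACKAGE and meta.get("version") in MALICIOUS_VERSIONS:
                hits.add((path, meta["version"]))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return sorted(hits)

def script_findings(sources: Iterable[Tuple[str, str]]) -> List[str]:
    """Return names of (name, text) pairs whose text references the C2 domain,
    so a bundled asset that embeds a poisoned release is caught as well."""
    return [name for name, text in sources if C2_RE.search(text)]

# Constructed sample inputs (not real project files).
SAMPLE_LOCK_V3 = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/@lottiefiles/lottie-player": {"version": "2.0.6"},
    "node_modules/left-pad": {"version": "1.3.0"}}}
SAMPLE_LOCK_V1 = {"lockfileVersion": 1, "dependencies": {"ui-kit": {
    "version": "4.1.0",
    "dependencies": {"@lottiefiles/lottie-player": {"version": "2.0.7"}}}}}
SAMPLE_JS = [("dist/app.js", 'new WebSocket("wss://castleservices01.com/")'),
             ("dist/vendor.js", "console.log('clean')")]

if __name__ == "__main__":
    print(lockfile_findings(SAMPLE_LOCK_V3), lockfile_findings(SAMPLE_LOCK_V1), script_findings(SAMPLE_JS))
```

Run it against a real project by loading package-lock.json with json.load and feeding the contents of the files under dist/ or node_modules/ as (name, text) pairs.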

Summary
As I mentioned at the beginning, supply chain attacks can have a devastating impact—especially because you might not even suspect that an NPM or PyPI package used in an app you’re using has been compromised.
If you believe you’ve been hacked or your cryptocurrency has been stolen, a Digital Forensics Investigator can help you.
The post Supply Chain Attack: Getting Started with LottieFiles Case first appeared on Hackers Arise.
Source: HackersArise
Source Link: https://hackers-arise.com/supply-chain-attack-getting-started-with-lottiefiles-case/