Saturday, October 12, 2024

Over 380,000 Hosts Embedding Polyfill JS Script Linking to Malicious Domain


Over 380,000 web hosts have been found embedding a compromised Polyfill.io JavaScript script, linking to a malicious domain.

This supply chain attack has sent shockwaves through the web development community, highlighting the vulnerabilities inherent in widely used open-source libraries.

Polyfill.js, a popular tool designed to provide modern functionalities for older web browsers, was the target of this sophisticated attack.


In February 2024, the domain and GitHub account for Polyfill.io were acquired by Funnull, a Chinese CDN company.

This acquisition raised immediate concerns about the service’s legitimacy.

These concerns were validated when malware injected through cdn.polyfill.io began redirecting users to malicious sites.

High-profile platforms such as JSTOR, Intuit, and the World Economic Forum were among the affected, showcasing the widespread impact of this breach.


The Scale of the Attack

According to Censys, a cybersecurity firm, 384,773 hosts were found to include references to “https://cdn.polyfill[.]io” or “https://cdn.polyfill[.]com” in their HTTP responses.

A significant concentration of these hosts, approximately 237,700, is located within the Hetzner network in Germany.

This is not surprising, given Hetzner’s popularity among web developers.

Further analysis revealed that major companies such as Warner Bros, Hulu, Mercedes-Benz, and Pearson had large numbers of hosts referencing the malicious Polyfill endpoint.

Interestingly, the most common hostname associated with these hosts was ns-static-assets.s3.amazonaws.com, indicating widespread usage among Amazon S3 static website hosting users.

The presence of government domains like “www.feedthefuture.gov” among the affected hosts underscores the attack’s reach across various sectors.

Censys observed 182 affected hosts displaying a “.gov” domain.

Industry Response and Mitigation Efforts

The attack has prompted swift responses from multiple companies.

Cloudflare and Fastly have offered alternative, secure endpoints for users to mitigate the threat while preventing websites from breaking.

Google has blocked ads for e-commerce sites using Polyfill.io, and the website blocker uBlock Origin has added the domain to its filter list.

Andrew Betts, the original creator of Polyfill.io, has urged website owners to immediately remove the library, emphasizing that it is no longer necessary for modern browsers.
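As an added example (not code from the article, Censys, or the Polyfill project), the Python scanner below does the two defender-side steps the article describes: it flags script includes whose host is one of the domains named here (cdn.polyfill.io, cdn.polyfill.com and the related hosts), and it strips those elements, which is the remediation Betts recommends. The domain list is assembled from the article's defanged hosts and the sample HTML is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named in the article (defanged dots restored); subdomains match too.
SUSPECT_DOMAINS = (
    "polyfill.io", "polyfill.com",                 # cdn.polyfill.io / cdn.polyfill.com
    "polyfill.io.bsclink.cn", "5f52353c.u.fn03.vip",
    "bootcdn.net", "bootcss.com", "staticfile.net", "staticfile.org",
)

def is_suspect(url: str) -> bool:
    """True if the URL's host equals, or is a subdomain of, a suspect domain.
    urlparse handles protocol-relative '//cdn.polyfill.io/...' forms and lowercases
    the host; matching on the host avoids false hits on paths like /polyfill.io.js."""
    host = urlparse(url.strip()).hostname or ""
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)

class _ScriptFinder(HTMLParser):
    """Collects (line number, src) for every <script src=...> on a suspect host."""
    def __init__(self):
        super().__init__()
        self.hits = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src and is_suspect(src):
            self.hits.append((self.getpos()[0], src))

def find_polyfill_refs(html: str) -> list:
    finder = _ScriptFinder()
    finder.feed(html)
    return finder.hits

# Matches a whole <script ... src=URL ...></script> element; group 2 is the URL.
_SCRIPT_RE = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*(["']?)([^"'\s>]+)\1[^>]*>\s*</script\s*>""",
    re.I | re.S)

def strip_polyfill_scripts(html: str) -> str:
    """Return html with suspect <script> elements removed; other scripts stay."""
    return _SCRIPT_RE.sub(lambda m: "" if is_suspect(m.group(2)) else m.group(0), html)

# Constructed sample page (not a real site) mixing suspect and benign includes.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src='//cdn.polyfill.com/v3/polyfill.min.js'></script>
<script src="https://example.com/static/app.js"></script>
<script src="https://www.bootcss.com/lib/x.js"></script>
</head><body>constructed</body></html>"""

if __name__ == "__main__":
    for line, src in find_polyfill_refs(SAMPLE_HTML):
        print(f"line {line}: {src}")
    print(strip_polyfill_scripts(SAMPLE_HTML))
```

Run it over saved HTTP responses or crawled pages; the line numbers point at the exact includes to remove.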

Namecheap, the domain registrar for Polyfill.io, took down the malicious domain, mitigating the immediate threat.

However, the incident is a stark reminder of the growing threat of supply chain attacks on open-source projects.

The interconnected dependencies within the open-source ecosystem mean a single compromised package can have far-reaching security implications.

Investigating the Malicious Domain

Further investigation into the malicious Polyfill[.]io domain revealed additional concerning details.

Historical DNS records linked the domain to several other suspicious domains, including 5f52353c.u.fn03.vip, cdn.polyfill.io.bsclink.cn, and wildcard.polyfill.io.bsclink.cn.

These domains were hosted by LEGEND DYNASTY PTE. LTD., a company based in Singapore.

Interestingly, the maintainers of the Polyfill GitHub repository had leaked their Cloudflare API secrets within the repo.

This leak revealed four additional active domains linked to the same account: bootcdn[.]net, bootcss[.]com, staticfile[.]net, and staticfile[.]org.

One of these domains, bootcss[.]com, has been observed engaging in similar malicious activities since June 2023.

Analyzing the malicious Polyfill JavaScript code revealed a function named check_tiaozhuan(), which checks whether the user is on a mobile device.

If so, it sets a value based on various conditions and then calls another function that loads a JavaScript file from a specified URL, potentially redirecting the user’s browser to another page.

This tactic closely mirrors the methods used in the Polyfill.io attack.

The Polyfill.io supply chain attack is a stark reminder of the vulnerabilities inherent in the web development ecosystem.

As developers rely on a diverse technology stack of open-source packages, the security of these dependencies becomes crucial.

The incident underscores the need for vigilance and robust security measures to protect against such sophisticated attacks.

As the web development community grapples with the fallout from this breach, the lessons learned will clearly shape future approaches to securing open-source projects.

The industry must continue collaborating and innovating to safeguard the digital infrastructure that underpins our modern world.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
