In a recent cybersecurity incident, the widely used JavaScript library Polyfill[.]io was compromised, and new findings from cybersecurity firm Censys put the number of affected hosts at more than 380,000. That figure substantially expands the known scope of the attack: as of July 2, 2024, those hosts were still embedding a polyfill script that points at a malicious domain.
Details of the Attack
Censys identified affected hosts by references to “https://cdn.polyfill[.]io” or “https://cdn.polyfill[.]com” in their HTTP responses. Approximately 237,700 of these hosts are located within the Hetzner network (AS24940), primarily in Germany. Hetzner is a popular web hosting service, widely used by website developers, which may explain the high number of affected sites within its network.
Further analysis showed that domains tied to several major companies, including WarnerBros, Hulu, Mercedes-Benz, and Pearson, reference the malicious endpoints. The exposure therefore spans many industries, not just small or neglected sites.
Timeline and Response
The initial signs of the attack emerged in late June 2024, when cybersecurity firm Sansec discovered that code hosted on the Polyfill domain had been altered to redirect users to adult- and gambling-themed websites. The modifications were designed to evade notice: the redirections were activated only at certain times of day and only for visitors who met specific criteria, which made the behavior hard to reproduce on demand. The malicious behavior was traced back to February 2024, following the sale of the Polyfill domain and its associated GitHub repository to a Chinese company named Funnull.
In response, domain registrar Namecheap suspended the Polyfill domain. Cloudflare began automatically rewriting Polyfill links on sites that pass through its proxy so that they point at a safe mirror. Google also intervened by blocking ads for sites embedding the compromised domain.
Attempts to Relaunch
Despite these countermeasures, the attackers attempted to relaunch the service under a new domain, polyfill[.]com. However, this domain was also taken down by Namecheap as of June 28, 2024. Since the beginning of July, two other domains, polyfill[.]site and polyfillcache[.]com, have been registered by the attackers, with the latter still operational.
Censys’s investigation has uncovered a broader network of potentially related domains, including bootcdn[.]net, bootcss[.]com, staticfile[.]net, staticfile[.]org, unionadjs[.]com, xhsbpza[.]com, union.macoms[.]la, and newcrbpc[.]com. This suggests that the Polyfill incident is part of a more extensive malicious campaign. Notably, bootcss[.]com has been observed engaging in malicious activity similar to the Polyfill[.]io attack, with evidence dating back to June 2023. Censys has identified 1.6 million public-facing hosts linking to these suspicious domains, raising concerns about future abuse by the same actors.
Impact on WordPress and Broader Implications
The ramifications of the Polyfill attack are far-reaching, particularly for websites running on the WordPress content management system (CMS). WordPress security company Patchstack has issued a warning about the cascading risks posed by the Polyfill supply chain attack. Many legitimate WordPress plugins link to the rogue domain, so a site can load the malicious script through a plugin even if its own themes and templates never referenced Polyfill.
This incident underscores the critical importance of securing software supply chains and the potential risks associated with third-party code dependencies. The Polyfill attack highlights how a single compromised library can have a ripple effect, impacting thousands of websites and organizations.
Moving Forward
In the wake of the Polyfill[.]io attack, cybersecurity experts are urging organizations to conduct thorough audits of their web assets to identify and remove any links to the compromised domains. Such an audit should cover not only rendered pages and HTTP responses but also the source of installed plugins and themes, since a third-party component can inject the reference. Regular updates and patch management, coupled with a robust incident response plan, are essential measures to protect against similar supply chain attacks.
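The audit and cleanup described above, as an added example that is not part of the original article and not tooling from Censys, Sansec or Patchstack. It scans any text (a rendered page, an HTTP response body, or plugin source such as a WordPress `wp_enqueue_script` call) for URLs whose host falls under one of the domains the article names, then rewrites the ones the operator has chosen a replacement origin for, keeping the original path and query intact. The domain list is taken from the article; the sample HTML and the mirror origin `cdn.example.org` are constructed placeholders, not real endpoints.

```python
"""Audit and remediate references to the domains named in the Polyfill.io
incident. Works on any text: rendered HTML, HTTP response bodies, or plugin
source (e.g. a WordPress plugin's wp_enqueue_script call)."""
import re
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Domains named in the article. A host matches if it equals one of these or
# is a subdomain of one (so cdn.polyfill.io matches polyfill.io).
SUSPICIOUS_DOMAINS = (
    "polyfill.io", "polyfill.com", "polyfill.site", "polyfillcache.com",
    "bootcdn.net", "bootcss.com", "staticfile.net", "staticfile.org",
    "unionadjs.com", "xhsbpza.com", "macoms.la", "newcrbpc.com",
)

# Absolute or protocol-relative URL. The character class stops at quotes,
# whitespace, angle brackets and parentheses so the match ends cleanly
# inside HTML attributes and inside PHP/JS string literals.
URL_RE = re.compile(r"(?:https?:)?//[^\s\"'<>()]+", re.IGNORECASE)


def _split(url: str):
    # Protocol-relative URLs need a scheme before urlsplit will parse the host.
    return urlsplit(url if url.lower().startswith("http") else "https:" + url)


def matching_domain(host: str) -> Optional[str]:
    """Return the suspicious domain that `host` falls under, or None.
    Suffix matching requires a dot boundary, so notpolyfill.io is not flagged."""
    host = host.lower().rstrip(".")
    for d in SUSPICIOUS_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def find_references(text: str) -> list:
    """Every URL in `text` whose host is (a subdomain of) a suspicious domain."""
    return [m.group(0) for m in URL_RE.finditer(text)
            if matching_domain(_split(m.group(0)).hostname or "")]


def rewrite_references(text: str, replacements: dict):
    """Rewrite flagged URLs whose domain has a replacement origin, keeping the
    original path and query (for polyfill.io the query is the requested feature
    list, so it must survive). Returns (new_text, rewritten, unresolved), where
    `unresolved` lists flagged URLs with no replacement; those are left as-is
    and need a manual decision (usually: delete the tag)."""
    rewritten, unresolved = [], []

    def sub(m) -> str:
        url = m.group(0)
        parts = _split(url)
        domain = matching_domain(parts.hostname or "")
        if domain is None:
            return url                      # benign host, untouched
        target = replacements.get(domain)
        if target is None:
            unresolved.append(url)          # flagged, but no policy for it
            return url
        t = urlsplit(target)
        new = urlunsplit((t.scheme, t.netloc,
                          t.path.rstrip("/") + parts.path,
                          parts.query, parts.fragment))
        rewritten.append(new)
        return new

    return URL_RE.sub(sub, text), rewritten, unresolved


# Constructed sample input (not real site content): a rendered page plus a
# WordPress-plugin-style PHP line. "cdn.example.org" is a placeholder for
# whatever trusted mirror the operator selects; it is not a real endpoint.
SAMPLE = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6,fetch"></script>
<script src="//cdn.bootcss.com/jquery/3.6.0/jquery.min.js"></script>
<script src="https://static.example.net/app.js"></script>
</head><body>
<?php wp_enqueue_script('polyfill', 'https://polyfill.io/v3/polyfill.min.js', array(), null); ?>
</body></html>"""

REPLACEMENTS = {"polyfill.io": "https://cdn.example.org/polyfill/"}

if __name__ == "__main__":
    for url in find_references(SAMPLE):
        print("flagged:", url)
    fixed, done, todo = rewrite_references(SAMPLE, REPLACEMENTS)
    print(f"rewrote {len(done)} reference(s); {len(todo)} need manual review: {todo}")
```

Two caveats worth keeping in mind when applying this. Subresource Integrity is not a substitute for the rewrite: polyfill.io served output tailored to the requesting browser's User-Agent, so no single hash can pin it, which is exactly why a compromised origin was able to serve different content to different visitors. And if the site no longer supports browsers that need the polyfills, deleting the tag outright is simpler and safer than pointing it at any mirror.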
Furthermore, the cybersecurity community is calling for enhanced transparency and accountability in the software supply chain. Companies must ensure they are sourcing code from trusted and verified sources, and they should implement stringent monitoring to detect and respond to any suspicious activity promptly.
As the investigation into the Polyfill attack continues, it serves as a stark reminder of the evolving threats in the digital landscape. Organizations must remain vigilant and proactive in safeguarding their digital infrastructure against increasingly sophisticated cyber threats. The Polyfill incident is not just a cautionary tale but a call to action for stronger cybersecurity practices across the board.