Understanding Supply Chain Attacks: The Case of Polyfill CDN

Background: A supply chain attack against a popular JavaScript library served from a dedicated content delivery network (CDN) results in harmful code being injected into every web page that references that CDN. Such an attack has significant implications for the security and integrity of the websites and web applications that rely on third-party libraries and CDNs, and JavaScript is everywhere: in government, business and personal use.

The full story of polyfill: As of February 24, 2024, the trusted domain polyfill.io had come under the control of a company with connections to China. Its subdomain cdn[.]polyfill[.]io hosted the popular "polyfill" service, which supplies modern JavaScript and web APIs to older browsers. At some point the script served from that CDN began injecting URLs into visitors' browsers. Some of these URLs were linked to malware, others to betting, cryptocurrency and similar content. As a result, a victim who opened a page that included cdn[.]polyfill[.]io could be redirected to different destinations depending on the request headers (notably User-Agent), so different visitors saw different behaviour and the injection was hard to reproduce. Among the injected JavaScript were references to typosquatted Google Analytics domains (googie-anaiytics[.]com). Deeper investigation also found that the copy of the library published on GitHub by the new owners (not to be confused with the original project) contained a Cloudflare key; pivoting on that key showed that the same Cloudflare account managed other domains run by the same unknown operators.

Impact: If your source code references the cdn[.]polyfill[.]io URL, every visitor to your web pages is exposed: whoever controls that CDN decides what runs in their browsers.

How to investigate/validate whether you are impacted by the polyfill CDN:

  1. Manually search your source code (templates, bundles, vendored assets) for the noted references.
  2. Create a test environment on your machine with all the packages you use, install them and, if everything resolves correctly, pull their dependencies as well. Then search the installed tree for the noted string, since the reference may be buried in a third-party package rather than in your own code.
  3. If your environment is continually expanding, write a simple script that enumerates all your domains and subdomains, requests each page one by one and checks the returned HTML for the noted CDN string.
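As an added example (not part of the original post), the following Python puts the three methods above into one script: scan_text covers grepping source trees and installed packages for references to the IOC domains, scan_html checks a fetched page's script/link/iframe/img tags and inline scripts, and scan_sites walks an enumerated host list. The sample page, the host name example.test and the injectable fetch hook are constructed for the example; the IOC domains are the ones listed at the end of this page. Matching is by domain suffix, so subdomains of a listed domain are caught as well.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
from urllib.request import urlopen

# IOC domains from the list at the end of this page (defanged form is accepted).
IOC_DOMAINS = [
    "cdn[.]polyfill[.]io",
    "www[.]googie-anaiytics[.]com",
    "cdn[.]bootcss[.]com",
    "union[.]macoms[.]la",
    "bootcdn[.]net",
    "staticfile[.]net",
    "staticfile[.]org",
    "unionadjs[.]com",
    "xhsbpza[.]com",
]

# Absolute (http/https) and protocol-relative (//host/...) URLs inside any text.
URL_RE = re.compile(r"""(?:https?:)?//[A-Za-z0-9.\-]+(?:[:/][^\s'"<>)]*)?""")


def refang(domain):
    """'cdn[.]polyfill[.]io' -> 'cdn.polyfill.io'."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def matching_ioc(host, iocs=IOC_DOMAINS):
    """Return the IOC domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in iocs:
        d = refang(ioc)
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_text(text, iocs=IOC_DOMAINS):
    """Methods 1 and 2: find IOC hosts in arbitrary text (source files, bundles,
    lockfiles, installed packages). Returns [(url, matched_ioc), ...]."""
    hits = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        ioc = matching_ioc(host, iocs) if host else None
        if ioc:
            hits.append((url, ioc))
    return hits


class _RefParser(HTMLParser):
    """Collects external resource URLs and the bodies of inline <script> tags."""
    SRC_ATTRS = {"script": "src", "link": "href", "iframe": "src", "img": "src"}

    def __init__(self):
        super().__init__()
        self.urls, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        attr = self.SRC_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.urls.append(value)
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # dynamically created script tags hide the URL here
            self.inline.append(data)


def scan_html(html, iocs=IOC_DOMAINS):
    """Method 3: check one fetched page for IOC references in resource tags and
    in inline scripts. Returns [(url, matched_ioc), ...]."""
    parser = _RefParser()
    parser.feed(html)
    hits = []
    for url in parser.urls:
        host = urlparse(url).hostname  # handles https://, http:// and //host/
        ioc = matching_ioc(host, iocs) if host else None
        if ioc:
            hits.append((url, ioc))
    hits.extend(scan_text("\n".join(parser.inline), iocs))
    return hits


def scan_sites(hostnames, fetch=None, iocs=IOC_DOMAINS):
    """Method 3 end to end: fetch https://<host>/ for every enumerated host and
    report hits per host. `fetch` is injectable so this can be tested offline."""
    if fetch is None:
        fetch = lambda url: urlopen(url, timeout=10).read().decode("utf-8", "replace")
    report = {}
    for host in hostnames:
        try:
            report[host] = scan_html(fetch(f"https://{host}/"), iocs)
        except Exception as exc:  # keep going; one dead host must not stop the sweep
            report[host] = [("fetch-error", str(exc))]
    return report


# Constructed sample page (not a real site): one static reference to the
# polyfill CDN and one typosquatted analytics domain loaded from inline JS.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
<script>
  var s = document.createElement('script');
  s.src = '//www.googie-anaiytics.com/ga.js';
  document.head.appendChild(s);
</script>
</head><body>hello</body></html>"""
```

Run scan_sites(your_host_list) against your own estate; the inline-script path matters because an injected loader often builds the script tag at runtime, so a plain grep for a `<script src=` string would miss it.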


Incident response steps for a package supply chain attack:

  1. Remove the harmful code (or the reference to the compromised CDN) from the codebase.
  2. Block server access to the payload URL at the network layer.
  3. Redeploy the production environment.
  4. Initiate a takedown or abuse report for the harmful domain or package.
  5. Analyse the threat in depth: payload, targeting logic, infrastructure and related domains.
  6. Scan your assets again whenever newly discovered IOCs are published.
  7. Send email notifications to customers and registered users.
  8. Analyse the impact of the incident on daily users.

How to protect your scope against such attacks:

  • Scan all your packages for embedded URLs and cross-reference them with URL reputation platforms such as VirusTotal to check whether each referenced domain is still hosted. A referenced domain that has lapsed can be bought by anyone, who can then serve harmful code straight into your production environment.
  • Pin package versions (lockfiles, exact version constraints) so that every deployment gets the same reviewed version rather than whatever is newest. This reduces the chance of silently pulling in a compromised release; it does not protect against typosquatted package names, which need a separate review of each dependency name.
  • For scripts loaded from a third-party CDN, add Subresource Integrity (SRI) hashes so the browser rejects a file that no longer matches the reviewed version. Note that polyfill.io tailored its output to each User-Agent, so a single SRI hash could not be used with it; self-hosting a fixed copy was the only way to pin it.
  • Use services such as snyk[.]io to scan your current list of packages for security-related issues.
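Version pinning for a script that a browser fetches from a CDN is done with Subresource Integrity (SRI), the browser-side equivalent of a lockfile hash. As an added example that is not from the original post, the Python below computes the integrity value for a reviewed copy of a script (sri_hash), performs the check a browser makes on the fetched body (sri_matches), and shows why SRI cannot be applied to a service that serves different bytes to different User-Agents, as polyfill.io did (sri_usable). PINNED, TAMPERED, UA_VARIANT_RESPONSES and the URL in script_tag are constructed placeholders, not real files.

```python
import base64
import hashlib
import hmac

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the only algorithms SRI permits


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Produce the integrity attribute value ('sha384-<base64 digest>') for
    the exact bytes the CDN is expected to serve."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI allows only sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """Browser-side check, simplified: accept the body if it matches any of the
    space-separated hashes in the integrity attribute; unknown tokens are ignored."""
    for token in integrity.split():
        algo, _, _digest = token.partition("-")
        if algo in SRI_ALGOS and hmac.compare_digest(sri_hash(content, algo), token):
            return True
    return False


def script_tag(url: str, content: bytes) -> str:
    """Emit the tag to embed: crossorigin is required for SRI on cross-origin scripts."""
    return (f'<script src="{url}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def sri_usable(responses: dict) -> bool:
    """SRI only works when every client receives identical bytes. Given
    {user_agent: body} samples of what a CDN serves, return True if one hash
    would cover them all."""
    return len({sri_hash(body) for body in responses.values()}) == 1


# Constructed stand-ins: a reviewed, vendored library and the same file with
# an injected payload appended (the shape of a CDN-side compromise).
PINNED = b"/* constructed stand-in for a reviewed library */\nfunction ok(){return 1}\n"
TAMPERED = PINNED + b";(function(){/* constructed injected payload */})();\n"

# Constructed responses of a polyfill-style service that tailors output per UA.
UA_VARIANT_RESPONSES = {
    "Mozilla/5.0 (Windows NT 10.0) Chrome/125": b"/* nothing to polyfill */\n",
    "Mozilla/5.0 (Windows NT 6.1; Trident/7.0)": b"/* Promise, fetch, Array.from */\n",
}

if __name__ == "__main__":
    print(script_tag("https://cdn.example/lib.js", PINNED))
    print("tampered copy accepted:", sri_matches(TAMPERED, sri_hash(PINNED)))
    print("SRI usable for UA-tailored service:", sri_usable(UA_VARIANT_RESPONSES))
```

Because sri_usable returns False for the User-Agent-tailored responses, the practical conclusion for a polyfill-style service is to vendor one fixed copy (or drop the dependency) rather than keep loading it from a CDN you cannot hash.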

Mitigation:

  • Replace references to cdn[.]polyfill[.]io with https://polyfill-fastly.io/v3/polyfill.min.js, a safe mirror deployed by Fastly, or remove the polyfill entirely if the browsers you support no longer need it.
  • Check network and proxy logs for connections to any domain or URL in the IOC list.
  • Use the scanning methods described above.
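Checking network logs for IOC connections, as an added example not from the original post: the Python below parses Squid-native-format proxy access log lines (SAMPLE_LOG is constructed with RFC 5737 documentation addresses and is not real traffic), maps each requested host to the IOC list from this page by domain suffix, and reports per IOC how many requests were seen, which internal clients made them and the first and last timestamps. That is the scoping information the incident response steps above depend on.

```python
from datetime import datetime, timezone
from urllib.parse import urlparse

# Defanged IOC domains from the list on this page.
IOC_DOMAINS = ["cdn[.]polyfill[.]io", "www[.]googie-anaiytics[.]com", "kuurza[.]com",
               "newcrbpc[.]com", "cdn[.]bootcss[.]com", "union[.]macoms[.]la",
               "bootcdn[.]net", "staticfile[.]net", "staticfile[.]org",
               "unionadjs[.]com", "xhsbpza[.]com"]
IOCS = [d.replace("[.]", ".").lower() for d in IOC_DOMAINS]

# Constructed Squid native access log (not real traffic). Field order:
# timestamp elapsed client action/code bytes method url user hierarchy type
SAMPLE_LOG = """\
1719302400.101 45 10.0.0.5 TCP_TUNNEL/200 3112 CONNECT cdn.polyfill.io:443 - HIER_DIRECT/203.0.113.10 -
1719302401.220 12 10.0.0.5 TCP_MISS/200 1890 GET http://www.googie-anaiytics.com/ga.js - HIER_DIRECT/203.0.113.11 application/javascript
1719302402.330 30 10.0.0.9 TCP_TUNNEL/200 5120 CONNECT code.jquery.com:443 - HIER_DIRECT/198.51.100.7 -
1719302460.000 50 10.0.0.12 TCP_TUNNEL/200 2048 CONNECT cdn.polyfill.io:443 - HIER_DIRECT/203.0.113.10 -
1719302470.500 10 10.0.0.12 TCP_MISS/302 410 GET http://kuurza.com/redirect?from=bitget - HIER_DIRECT/203.0.113.12 text/html
malformed line that should be skipped
"""


def ioc_for_host(host):
    """Return the IOC that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in IOCS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def host_from_url_field(field):
    """CONNECT lines carry host:port; other methods carry a full URL."""
    if "://" in field:
        return urlparse(field).hostname
    return field.rsplit(":", 1)[0] or None


def parse_line(line):
    """Return (timestamp, client_ip, method, host) or None for unusable lines."""
    parts = line.split()
    if len(parts) < 7:
        return None
    try:
        ts = float(parts[0])
    except ValueError:
        return None
    host = host_from_url_field(parts[6])
    return (ts, parts[2], parts[5], host) if host else None


def hunt(log_text):
    """Aggregate IOC contacts: {ioc: {"hits", "clients", "first", "last"}}."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, _method, host = rec
        ioc = ioc_for_host(host)
        if ioc is None:
            continue
        f = findings.setdefault(ioc, {"hits": 0, "clients": set(), "first": ts, "last": ts})
        f["hits"] += 1
        f["clients"].add(client)
        f["first"] = min(f["first"], ts)
        f["last"] = max(f["last"], ts)
    return findings


def summarize(findings):
    """Human-readable lines, one per IOC, with UTC timestamps."""
    def iso(ts):
        return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return [f"{ioc}: {f['hits']} hits from {len(f['clients'])} clients "
            f"({iso(f['first'])} .. {iso(f['last'])})"
            for ioc, f in sorted(findings.items())]


if __name__ == "__main__":
    for line in summarize(hunt(SAMPLE_LOG)):
        print(line)
```

The client set per IOC tells you which users actually received the injected script, which is the population that steps 7 and 8 of the response plan need to notify and assess; a hit on a redirect domain such as kuurza[.]com means the injection ran to completion in that browser.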

IOC list:

  • cdn[.]polyfill[.]io
  • kuurza[.]com/redirect?from=bitget
  • www[.]googie-anaiytics[.]com/html/checkcachehw.js (typosquat of google-analytics.com)
  • www[.]googie-anaiytics[.]com/ga.js (typosquat of google-analytics.com)
  • cdn[.]bootcss[.]com/highlight.js/9.7.0/highlight.min.js
  • union[.]macoms[.]la/jquery.min-4.0.2.js
  • newcrbpc[.]com/redirect?from=bscbc
  • bootcdn[.]net
  • staticfile[.]net
  • staticfile[.]org
  • unionadjs[.]com
  • xhsbpza[.]com
  • union[.]macoms[.]la

Happy hunting! Regards, Jok3r