InfoSecBulletin Cybersecurity for mankind
Over 100,000 websites were compromised in a recent supply chain attack. The attack injected malware into the popular Polyfill JS project. It was discovered by the Sansec Forensics Team and shows the increased risks of using open-source software.
The Polyfill JS library, which helps older web browsers, has been targeted in a supply chain attack. A Chinese company took control of the Polyfill domain and GitHub account in February 2024. After the acquisition, the domain, cdn.polyfill.io, was used to distribute malware to websites using the library. Notable users of Polyfill are JSTOR, Intuit, and the World Economic Forum.
WhatsApp banned on all US House of Representatives devices
Kaspersky found “SparkKitty” Malware on Google Play, Apple App Store
OWASP AI Testing Guide Launched to Uncover Vulns in AI Systems
Axentec Launches Bangladesh’s First Locally Hosted Tier-4 Cloud Platform
Hackers Bypass Gmail MFA With App-Specific Password Reuse
Russia detects first SuperCard malware attacks via NFC
Income Property Investments exposes 170,000+ Individuals record
ALERT (CVE: 2023-28771)
Zyxel Firewalls Under Attack via CVE-2023-28771 by 244 IPs
CISA Flags Active Exploits in Apple iOS and TP-Link Routers
10K Records Allegedly from Mac Cloud Provider’s Customers Leaked Online
Sansec found that the harmful code is specifically aimed at mobile users. It creates different versions of itself based on the HTTP headers. One version redirects users to a fake Google Analytics website, which then sends them to a sports betting site. The malware has advanced features to avoid being detected, like activating only on certain types of mobile devices at specific times, and deactivating when administrative users or web analytics services are present.
Polyfill JS malware:
Sansec’s forensics team decoded a sample of malware and found out how it works and who it targets. The malware has features that protect it from being analyzed and it also delays its execution to avoid being detected by web analytics services. This makes it difficult to track down where the infection originated from.
Impact and recommendations:
The original author of Polyfill has suggested not using it anymore since modern browsers no longer need it. However, for those still needing its functionality, there are trusted alternatives from Fastly and Cloudflare.
It’s important to monitor the dependencies in your software supply chain. Sansec offers a free monitoring service called Sansec Watch for Content Security Policy (CSP) to see the code users are loading. Also, their eComscan backend scanner now detects compromised Polyfill library instances.
Indicators of Compromise (IoCs)
Redirect URL: https://kuurza.com/redirect?from=bitget
Fake Google Analytics: https://www.googie-anaiytics.com/ga.js
This Polyfill JS attack shows that open-source dependencies can have vulnerabilities. Developers should carefully review and monitor their software supply chains. They should replace outdated libraries with trusted alternatives and use security tools to detect and prevent such threats.
