Polyfill.io, BootCDN, Bootcss, Staticfile attack traced to 1 operator

The recent large scale supply chain attack conducted via multiple CDNs, namely Polyfill.io, BootCDN, Bootcss, and Staticfile that affected anywhere from 100,000 to tens of millions of websites has been traced to a common operator, according to researchers.
Researchers discovered a public GitHub repository where the purported operators of Polyfill.io had accidentally exposed their Cloudflare secret keys.
By using these leaked API keys, which were still active, researchers were able to establish that a common operator was behind all four domains, and the wider supply chain attack.
Security researchers and open source intel enthusiasts discovered a GitHub repository associated with the polyfill.io domain involved in a large-scale supply chain attack that is now believed to have impacted tens of millions of websites.
The secrets leaked in the repository enabled researchers to attribute the supply chain attack involving all 4 CDN services, namely, Polyfill.io, BootCDN, Bootcss, and Staticfile, to a single entity.
The exposed file, as also seen by BleepingComputer, contains a Cloudflare API token, Cloudflare Zone ID, and Algolia API keys, among other values.
The Cloudflare API key allowed researchers, in particular mdmck10 to query and obtain a list of active zones associated with the particular Cloudflare account.
Among all domains returned for the Cloudflare account, one was for cdn.
The 430-line JSON file, shared by mdmck10, additionally contained entries for domains, staticfile.net, bootcdn.net, bootcss.com, indicating that these were managed under the same Cloudflare user account, operated by a common entity.
While Cloudflare never authorized Polyfill.io to use its logo and name and never endorsed the service, on Wednesday, the DNS records for Polyfill.io were mysteriously switched to Cloudflare's, indicating that Cloudflare's service were at least partially in use by the domain owners.
We contacted Cloudflare at the time to understand if it was involved in the change in these DNS records, or in helping mitigate the attack, but did not hear back.
MalwareHunterTeam who has closely been monitoring the situation drew attention to the fact that Google's warning to its advertisers regarding the supply chain attack was not limited to ad landing pages embedding polyfill.io, but three more services, Bootcss, BootCDN, and Staticfile.
Shortly after Polyfill.io was shut down by Namecheap, another service polyfill.com was launched by its operators.
If you haven't already, consider replacing existing usage of any of these services with safe alternatives set up by Cloudflare and Fastly.
Polykill.io from cybersecurity firm, Leak Signal, is another handy service that lets you identify websites using Polyfill.io and make the switch.
BleepingComputer attempted to contact the Polyfill Global X account for comment before publishing but they have disabled DMs. With both Polyfill.io and.com domains now down, the admin's email addresses are no longer operational.
Cloudflare: We never authorized polyfill.io to use our name.
Polyfill claims it has been 'defamed', returns after domain shut down.
Polyfill.io JavaScript supply chain attack impacts over 100K sites.
JAVS courtroom recording software backdoored in supply chain attack.


This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 01 Jul 2024 10:13:07 +0000


Cyber News related to Polyfill.io, BootCDN, Bootcss, Staticfile attack traced to 1 operator

Polyfill.io, BootCDN, Bootcss, Staticfile attack traced to 1 operator - The recent large scale supply chain attack conducted via multiple CDNs, namely Polyfill.io, BootCDN, Bootcss, and Staticfile that affected anywhere from 100,000 to tens of millions of websites has been traced to a common operator, according to ...
5 months ago Bleepingcomputer.com
Polyfill, Cloudflare trade barbs after reports of supply chain attack threatening 100k websites - Tech giant Cloudflare urged customers to remove a popular open source library used to support older browsers after reports emerged this week that the tool is being used to distribute malware. Polyfill, which is used by more than 100,000 websites, ...
5 months ago Therecord.media
CVE-2023-45133 - Babel is a compiler for writingJavaScript. In `@babel/traverse` prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of `babel-traverse`, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code ...
1 year ago
Polyfill.io Supply Chain Attack Smacks Down 100K+ Websites - A domain that more than 100,000 websites use to deliver JavaScript code is now being used as a conduit for a Web supply chain attack that uses dynamically generated payloads, redirects users to pornographic and sports-betting sites, and can ...
5 months ago Darkreading.com
CVE-2017-4970 - An issue was discovered in Cloud Foundry Foundation cf-release v255 and Staticfile buildpack versions v1.4.0 - v1.4.3. A regression introduced in the Static file build pack causes the Staticfile.auth configuration to be ignored when the Static file ...
5 years ago
CVE-2024-38537 - Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such ...
5 months ago
Imperva Client-Side Protection Mitigates the Polyfill Supply Chain Attack - The recent discovery of a website supply chain attack using the cdn. Polyfill.io domain has left many websites vulnerable to malicious code injection. Once a trusted resource for adding JavaScript polyfills to websites, the domain has recently become ...
5 months ago Imperva.com
Attack Vector vs Attack Surface: The Subtle Difference - Cybersecurity discussions about "Attack vectors" and "Attack surfaces" sometimes use these two terms interchangeably. This article guides you through the distinctions between attack vectors and attack surfaces to help you better understand the two ...
1 year ago Trendmicro.com
CVE-2024-31391 - Insertion of Sensitive Information into Log File vulnerability in the Apache Solr Operator. This issue affects all versions of the Apache Solr Operator from 0.3.0 through 0.8.0. When asked to bootstrap Solr security, the operator will enable basic ...
8 months ago Tenable.com
CVE-2021-32643 - Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function ...
3 years ago
CVE-2020-7922 - X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the ...
3 months ago
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com
CVE-2024-38526 - pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. This issue has been fixed in pdoc 14.5.1. ...
5 months ago
CEO of Ukraine's largest telecom operator describes Russian cyberattack that wiped thousands of computers - In the two months since Russia-linked hackers attacked Ukraine's largest telecom operator, many questions have emerged about how they gained access to the company's systems and lingered there, likely for months, undetected. During a cybersecurity ...
10 months ago Therecord.media
7 Best Attack Surface Management Software for 2024 - Attack surface management is a relatively new cybersecurity technology that combines elements of vulnerability management and asset discovery with the automation capabilities of breach and attack simulation and applies them to an organization's ...
1 year ago Esecurityplanet.com
Ransomware disrupts utilities, infrastructure in January - Ransomware disrupted important U.S.-based utilities and services organizations in January, including a municipal water treatment organization, which is a sector that's become a growing target for attackers. The persistent ransomware threat continued ...
10 months ago Techtarget.com
CVE-2020-1750 - A flaw was found in the machine-config-operator that causes an OpenShift node to become unresponsive when a container consumes a large amount of memory. An attacker could use this flaw to deny access to schedule new pods in the OpenShift cluster. ...
3 years ago
CVE-2018-0092 - A vulnerability in the network-operator user role implementation for Cisco NX-OS System Software could allow an authenticated, local attacker to improperly delete valid user accounts. The network-operator role should not be able to delete other ...
5 years ago
CVE-2023-30841 - Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes. Prior to version 0.3.0, ironic and ironic-inspector deployed within Baremetal Operator using the included `deploy.sh` store their `.htpasswd` files as ConfigMaps ...
1 year ago
Hundreds of Thousands of Dollars Worth of Solana Cryptocurrency Assets Stolen in Recent CLINKSINK Drainer Campaigns - On January 3, 2024, Mandiant's X social media account was taken over and subsequently used to distribute links to a cryptocurrency drainer phishing page. The following blog post provides additional insight into the drainer leveraged in this campaign, ...
11 months ago Mandiant.com
How a Group of Train Hackers Exposed a Right-to-Repair Nightmare - Earlier this month, Polish hackers known as Dragon Sector accused one of Poland's largest train makers, Newag, of intentionally bricking its own trains when they're repaired by third parties. Newag threatened to sue Dragon Sector, but the story ...
11 months ago Packetstormsecurity.com
Black Basta's ransom haul tops $100M in less than 2 years - The Black Basta ransomware gang has raked in more than $100 million from victims of its double-extortion attacks since its emergence early last year, according to researchers. The haul - which included grabbing $9 million from one victim and more ...
1 year ago Packetstormsecurity.com
Attack Surface Management: What is it? Why do you need it? - Traditional asset inventory and vulnerability management software can't keep up to date with the growing attack surface and morphing vulnerabilities. Contrary to other cybersecurity software, Attack Surface Management software operates from a ...
1 year ago Securityboulevard.com
What is a dictionary attack? - A dictionary attack is a method of breaking into a password-protected computer, network or other IT resource by systematically entering every word in a dictionary, or word list, as a password. A dictionary attack can also be used in an attempt to ...
10 months ago Techtarget.com
Cyber Security News Weekly Round-Up May - Mitigating risks promptly and securing critical assets against the latest attack vectors and cyber risks requires situational awareness in this dynamic threat landscape. Company managers are consequently advised to urgently scale up security measures ...
6 months ago Cybersecuritynews.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)