The recent large-scale supply chain attack conducted via multiple CDNs, namely Polyfill.io, BootCDN, Bootcss, and Staticfile, which affected anywhere from 100,000 to tens of millions of websites, has been traced to a common operator, according to researchers.
Researchers discovered a public GitHub repository where the purported operators of Polyfill.io had accidentally exposed their Cloudflare secret keys.
By using these leaked API keys, which were still active, researchers were able to establish that a common operator was behind all four domains, and the wider supply chain attack.
Security researchers and open source intel enthusiasts discovered a GitHub repository associated with the polyfill.io domain involved in a large-scale supply chain attack that is now believed to have impacted tens of millions of websites.
The secrets leaked in the repository enabled researchers to attribute the supply chain attack involving all four CDN services, namely Polyfill.io, BootCDN, Bootcss, and Staticfile, to a single entity.
The exposed file, as also seen by BleepingComputer, contains a Cloudflare API token, Cloudflare Zone ID, and Algolia API keys, among other values.
The Cloudflare API key allowed researchers, in particular mdmck10, to query and obtain a list of active zones associated with the particular Cloudflare account.
Among all domains returned for the Cloudflare account, one was for cdn.
The 430-line JSON file, shared by mdmck10, additionally contained entries for the domains staticfile.net, bootcdn.net, and bootcss.com, indicating that these were managed under the same Cloudflare user account, operated by a common entity.
While Cloudflare never authorized Polyfill.io to use its logo and name and never endorsed the service, on Wednesday the DNS records for Polyfill.io were mysteriously switched to Cloudflare's, indicating that Cloudflare's services were at least partially in use by the domain owners.
We contacted Cloudflare at the time to understand if it was involved in the change in these DNS records, or in helping mitigate the attack, but did not hear back.
MalwareHunterTeam, who has been closely monitoring the situation, drew attention to the fact that Google's warning to its advertisers regarding the supply chain attack was not limited to ad landing pages embedding polyfill.io, but also covered three more services: Bootcss, BootCDN, and Staticfile.
Shortly after Polyfill.io was shut down by Namecheap, another service, polyfill.com, was launched by its operators.
If you haven't already, consider replacing existing usage of any of these services with safe alternatives set up by Cloudflare and Fastly.
Polykill.io, from cybersecurity firm Leak Signal, is another handy service that lets you identify websites using Polyfill.io and make the switch.
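To check your own pages for references to the four CDN domains named above (and the polyfill.com domain launched afterwards), here is a small scanner added as an example; it is not code from the article, from the CDN operators, or from any of the vendors mentioned, and the sample HTML it inspects is constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the article attributes to one operator, plus polyfill.com,
# the domain launched after polyfill.io was shut down.
WATCHED_DOMAINS = ("polyfill.io", "polyfill.com", "bootcdn.net", "bootcss.com", "staticfile.net")

def host_matches(hostname, domain):
    """True for the domain itself and any subdomain (e.g. cdn.polyfill.io)."""
    return hostname == domain or hostname.endswith("." + domain)

class _AssetCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.assets = []  # (tag, url) for every external script/stylesheet

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.assets.append(("script", attrs["src"]))
        elif tag == "link" and attrs.get("href"):
            self.assets.append(("link", attrs["href"]))

def find_risky_assets(html):
    """Return (tag, url, matched_domain) for each asset served from a watched domain."""
    collector = _AssetCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.assets:
        # scheme="https" gives scheme-relative //host/... URLs a hostname; same-origin paths give none.
        hostname = urlparse(url, scheme="https").hostname
        if not hostname:
            continue
        for domain in WATCHED_DOMAINS:
            if host_matches(hostname, domain):
                findings.append((tag, url, domain))
                break
    return findings

# Constructed sample page mixing flagged and harmless references.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<link rel="stylesheet" href="//cdn.bootcss.com/bootstrap/3.3.7/css/bootstrap.min.css">
<script src="/static/app.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
</head></html>"""

if __name__ == "__main__":
    for tag, url, domain in find_risky_assets(SAMPLE_HTML):
        print(f"{tag:6} {domain:15} {url}")
```

Run it over the HTML your servers actually emit (templates, built bundles, CMS output); every hit is a reference to move to one of the Cloudflare or Fastly alternatives mentioned above.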
BleepingComputer attempted to contact the Polyfill Global X account for comment before publishing, but they have disabled DMs. With both the Polyfill.io and polyfill.com domains now down, the admin's email addresses are no longer operational.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 01 Jul 2024 10:13:07 +0000