
Polyfill is an open-source library that lets modern web features work in older browsers, and Polyfill.js, the JavaScript it delivers, is used by more than 100,000 sites worldwide. Recently, sites loading Polyfill.js from the polyfill.io domain were found to be exposed to malware. This article covers the supply chain malware attack carried out through the Polyfill.io domain.
Polyfill Supply Chain Malware Attack Inducing Data Theft
According to an investigation by the security firm Sansec, the Polyfill supply chain attack began in February this year, when a Chinese company named Funnull acquired the Polyfill.io domain and modified its JavaScript library (Polyfill.js) to inject malicious code that redirects mobile users to malicious sites.
The injected code lured users to harmful sites, such as sports gambling and adult sites, to steal their personal information and data. Some of the domains used include those of well-known payment services as well, which raises concerns about large-scale data theft. In particular, a fake Google Analytics domain (www[.]googie-anaiytics[.]com) was used in the attack to redirect mobile users to sports betting sites. Because a single script embedded on so many global sites was abused, the compromise spread as a wider supply chain attack.
In response to the increasing damage, on June 25 Google began blocking Google Ads for e-commerce sites that use polyfill.io. The malicious code is generated dynamically based on HTTP headers and activates only at specific times and on particular mobile devices. It is also designed to delay execution when administrator users or web analytics services are detected, which impedes reverse engineering.
Searching for Externally Exposed IP Addresses Associated With Polyfill Using a CTI Search Engine
Because this Polyfill attack technique is difficult to trace, even the original authors of Polyfill advise against using it, since polyfills are no longer needed in the latest browsers.
If you cannot immediately replace the code that loads Polyfill.js, or cannot identify which of your domains use Polyfill, you can take precautions by searching for externally exposed Polyfill-related IP addresses and domains through a CTI threat-hunting search engine.
In the Asset Search of Criminal IP, a CTI search engine, you can easily find associated IP addresses that use Polyfill as a technical stack.
Search Query: tech_stack:Polyfill

A total of 98,076 IP addresses were detected using Polyfill as part of their technology stack; the largest share was in the US with 36,175, followed by 10,378 in Japan and 9,378 in China.

In addition, if you select an IP address from the results, the IP address report shows the port and banner information in which Polyfill was detected. In other words, by searching for an IP address you manage directly, you can see whether Polyfill is in use on it.
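As an added example (not the article's or Criminal IP's own code), here is a local check that complements the CTI search: it scans a page's HTML for script or link tags that load from polyfill.io or from the look-alike analytics domain named above, so a site owner can confirm on their own pages whether the compromised CDN is still referenced. The sample HTML is constructed for the demonstration.

```python
"""Scan HTML for references to the compromised polyfill.io CDN."""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains named in the article: the hijacked CDN and the look-alike
# Google Analytics domain used for the redirects. Subdomains match too.
FLAGGED_HOSTS = {"polyfill.io", "googie-anaiytics.com"}


def _host_is_flagged(url: str) -> bool:
    """True if the URL's host is a flagged domain or a subdomain of one."""
    # Protocol-relative URLs ("//cdn.polyfill.io/...") have no scheme;
    # add one so urlsplit() recognises the host part.
    if url.startswith("//"):
        url = "https:" + url
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in FLAGGED_HOSTS)


class _RefCollector(HTMLParser):
    """Collects every src/href value from the tags of a page."""

    def __init__(self) -> None:
        super().__init__()
        self.refs = []  # list of (tag, url) pairs

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value:
                self.refs.append((tag, value))


def find_flagged_references(html: str) -> list[tuple[str, str]]:
    """Return (tag, url) pairs whose URL loads from a flagged host."""
    collector = _RefCollector()
    collector.feed(html)
    return [(tag, url) for tag, url in collector.refs if _host_is_flagged(url)]


# Constructed sample page: one polyfill.io include, one protocol-relative
# include, and one unrelated script that must not be flagged.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://static.example.com/app.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for tag, url in find_flagged_references(SAMPLE_HTML):
        print(f"flagged {tag}: {url}")
```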

The Polyfill creators advise removing Polyfill domains immediately and suggest Fastly and Cloudflare as alternatives. The best way to prevent this supply chain attack is therefore to remove the problematic domain, as the Polyfill creators recommend, but as a preliminary measure you can use a CTI search engine to determine whether your IP addresses and domains are exposed to abuse. Furthermore, this incident shows that open-source libraries can be targeted by malware, so it is important to continuously monitor the open-source scripts you use for malicious modification.
For prevention and response to supply chain attacks, refer to the 2024 Software Supply Chain Security Guidelines for Developers and Software Companies.
This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Sign up for a free Criminal IP account today to explore the search results mentioned in the report and delve into comprehensive threat intelligence.
Source: Criminal IP (https://www.criminalip.io)
