June 26, 2024
Severity
High
Analysis Summary
Google has begun blocking ads for e-commerce sites that load the Polyfill[.]io service after a Chinese company bought the domain and modified the JavaScript library ("polyfill.js") it serves so that it redirects users to fraudulent and scam sites.
According to recent research, this supply chain attack affects around 110,000 sites that embed the library. Polyfill is a well-known library that adds support for modern web-platform features to older browsers. Concerns were first raised in February, after Funnull, a China-based content delivery network (CDN) provider, acquired it.
Andrew Betts, the original creator of the project, urged website owners to remove it immediately: most websites today do not need any of the polyfills in the polyfill[.]io library, because features added to the web platform are now adopted quickly by all major browsers, with only a few exceptions such as Web Serial and Web Bluetooth. The development also prompted web infrastructure providers Cloudflare and Fastly to stand up alternative endpoints to help users migrate away from Polyfill.io.
Any website that still loads scripts from the original polyfill[.]io domain is exposed to supply chain risk, since it depends on Funnull to maintain and secure the underlying project. Because the script is fetched from the third party's servers at page load, a compromise of that party, or a malicious change to the code it serves, is delivered immediately to every site that embeds it.
Researchers have since observed the domain "cdn.polyfill[.]io" serving malicious JavaScript that redirects visitors to sports betting websites. The code activates only on particular mobile devices and during defined hours, carries protections against reverse engineering, and stays dormant when it detects an administrator user. To avoid showing up in analytics data, it also delays execution when a web analytics service is detected on the page.
Impact
- Exposure of Sensitive Data
- Financial Loss
- Information Theft
Indicators of Compromise
URL
- https://kuurza.com/redirect?from=bitget
- https://www.googie-anaiytics.com/html/checkcachehw.js
- https://www.googie-anaiytics.com/ga.js
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Immediately remove every reference to polyfill[.]io from your website (script tags, templates, CMS plugins and tag managers), or point them at the Cloudflare or Fastly replacement endpoints. Subresource Integrity cannot be used to pin the original service, because it tailors the served script to each browser's User-Agent.
- Regularly change passwords for all accounts and use strong, unique passwords for sensitive accounts.
- Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
- Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
- Never trust or open links and attachments received from unknown sources/senders.
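As an added example (not part of this advisory or of the Polyfill project), the following Node.js script scans HTML for script or link tags that load from polyfill[.]io or from the IOC domains listed above, reports the offending line, and proposes a rewrite to Cloudflare's mirror. The mirror URL cdnjs.cloudflare.com/polyfill/ and the sample HTML are this example's own assumptions and are not taken from the page.

```javascript
// Added example: find hijacked polyfill.io loads and IOC domains in HTML.
// Run with: node scan-polyfill.js

// Hosts to flag. A match on the bare domain also covers every subdomain.
const BLOCKED_HOSTS = [
  "polyfill.io",          // hijacked CDN (cdn.polyfill.io and friends)
  "googie-anaiytics.com", // typosquat host from the IOC list
  "kuurza.com",           // redirect host from the IOC list
];

// Assumed replacement base for polyfill.io loads (not stated in the advisory).
const CLOUDFLARE_MIRROR = "https://cdnjs.cloudflare.com/polyfill/";

// Capture groups: 1 = tag name, 2 = attribute, 3 = quote char, 4 = URL.
const TAG_RE = /<(script|link)\b[^>]*?\s(src|href)\s*=\s*(["'])(.*?)\3[^>]*>/gi;

// Normalise a URL to a lowercase hostname; relative paths return null.
function hostOf(url) {
  try {
    // Protocol-relative loads ("//cdn.polyfill.io/...") are common in the wild.
    const abs = url.startsWith("//") ? "https:" + url : url;
    return new URL(abs).hostname.toLowerCase();
  } catch {
    return null; // relative or malformed: not an external load
  }
}

function isBlockedHost(host) {
  return BLOCKED_HOSTS.some((b) => host === b || host.endsWith("." + b));
}

// Returns one finding per tag that loads from a blocked host.
// For polyfill.io loads the finding carries a suggested mirror URL.
function scanHtml(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const [, tag, attr, , url] = m;
    const host = hostOf(url);
    if (!host || !isBlockedHost(host)) continue;
    const line = html.slice(0, m.index).split("\n").length;
    const replacement =
      host === "polyfill.io" || host.endsWith(".polyfill.io")
        ? url.replace(/^(https?:)?\/\/[^/]+\//i, CLOUDFLARE_MIRROR)
        : null; // IOC hosts have no legitimate replacement: delete the tag
    findings.push({ tag: tag.toLowerCase(), attr, url, host, line, replacement });
  }
  return findings;
}

// Constructed sample page for demonstration; not a real site.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//www.googie-anaiytics.com/ga.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script src='/static/app.js'></script>
</head><body></body></html>`;

for (const f of scanHtml(SAMPLE_HTML)) {
  const fix = f.replacement ? `replace with ${f.replacement}` : "remove the tag";
  console.log(`line ${f.line}: <${f.tag} ${f.attr}="${f.url}"> loads ${f.host}; ${fix}`);
}
```

Run it against each rendered page or template in your build output; the line numbers refer to the scanned HTML, so feed it the file as stored rather than a minified bundle. First-party and unrelated CDN loads are left alone, and IOC hosts get no replacement because there is nothing legitimate to swap in.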