?? Important Update on Polyfill.io Supply Chain Attack and Proactive Measures ??

Dear Network,

We wanted to inform you about a recent critical incident concerning the popular open-source library, polyfill.js, used by over 100K sites including notable users like JSTOR, Intuit, and the World Economic Forum. This library helps support older browsers but has recently become a vector for malicious attacks.

Key Points:

• In February, a Chinese company acquired the domain and GitHub account for polyfill.io.
• Since then, the domain has been used to inject malware into mobile devices via any site embedding cdn.polyfill.io.
• Sansec's research uncovered a malware variant that redirects mobile users to a fraudulent sports betting site, exploiting HTTP headers to dynamically generate attack vectors.
• Google has started blocking Google Ads for eCommerce sites using polyfill.io.
• Cloudflare and Namecheap have taken steps to mitigate the risk by rewriting and putting the domain on hold.

This is a classic example of a supply chain attack. Supply chain attacks occur when an attacker targets vulnerabilities in the third-party services or software that organizations rely on. These attacks can be particularly damaging because they exploit the trust and dependency built into the software ecosystem. By compromising a trusted supplier, attackers can gain widespread access to many organizations and their data.

Why Supply Chain Attacks Are a Major Concern:

1. Widespread Impact: By targeting widely-used components, attackers can affect thousands of websites and applications simultaneously.
2. Trusted Sources: These attacks exploit the inherent trust users place in well-known and widely-used libraries or services.
3. Hidden Threats: The malicious code can be disguised within legitimate updates or code, making it difficult to detect.
4. Complex Attack Vectors: Attackers can dynamically generate malicious payloads based on the specific environment, increasing the complexity of detection and mitigation.

Sansec's research uncovered that the malware variant uses the referer header to determine the source of the request and decide whether to deliver the malicious payload. This sophisticated approach allows the attackers to selectively target mobile users, making it harder to detect and isolate the attack. This method also delayed the discovery of the malware, as it took six months to identify the malicious behavior. The malware's ability to remain dormant in the presence of web analytics services and admin users further complicated detection efforts.

The polyfill.js incident underscores the critical importance of maintaining robust security practices, including:

• Regularly updating and patching software to protect against known vulnerabilities.
• Monitoring for unusual or suspicious activity within your network and applications.
• Using managed services that provide proactive security measures and continuous monitoring.

At MarPoint, we prioritize proactive measures to ensure the security and integrity of our clients' vessel networks. Our team actively patches and maintains systems to prevent such vulnerabilities from being exploited. Additionally, our Web Filtering service retains data for retrospective analysis, allowing us to analyze network traffic and identify any compromised devices or exploits. Using historical data, we can easily validate that all vessel networks are secure and free from this threat. We scan all vessel networks to ensure they remain secure and free from threats.

Stay vigilant and ensure your systems are up-to-date to mitigate similar risks.