Short Summary:
The article discusses the Polyfill supply chain attack, where threat actors compromised popular open-source polyfill projects by injecting malicious JavaScript code. This led to users being redirected to scam sites, particularly affecting mobile device users. Researchers identified indicators of compromise (IoCs) and conducted an analysis of the attack infrastructure, revealing various domains and IP addresses linked to the attack.
Key Points:
- Threat actors exploit back channels like suppliers and vendors to target organizations.
- The Polyfill supply chain attack involved injecting malicious scripts into open-source polyfill projects.
- Compromised polyfills primarily affected mobile device users, redirecting them to scam sites.
- Cybersecurity researchers identified several indicators of compromise (IoCs) related to the attack.
- Analysis revealed six domains, two malicious IP addresses, and numerous connected domains.
- WHOIS lookup showed that most domains were registered through GoDaddy, with a mix of newly registered and aged domains.
- The U.S. was the top registrant country for the identified domains.
- Historical WHOIS records provided insights into email addresses associated with the domains.
- The article emphasizes the importance of conducting further investigations to validate threat information.
MITRE ATT&CK TTPs – created by AI
- Supply Chain Compromise (T1195)
  - Threat actors target third-party vendors or suppliers to gain access to their primary targets.
- Malicious Code Injection (T1203)
  - Injection of malicious scripts into legitimate software projects to compromise users.
- Redirection (T1071)
  - Redirecting users to malicious sites through compromised code.
Threat actors can often find targeting certain organizations too much of a challenge, so they go through what we can consider back channels—suppliers, vendors, or service providers. The Polyfill supply chain attack may fall into this category, as users of vulnerable content delivery network (CDN) service versions ended up with compromised networks courtesy of malicious JavaScript code.
A polyfill is a piece of JavaScript code that gives older browsers modern functionality they do not natively support. A report on the attack revealed that the perpetrators obtained popular open-source polyfill projects and infected them by injecting malicious scripts. Users who downloaded the compromised polyfills, primarily on mobile devices, were then redirected to scam sites.
Many cybersecurity researchers looked into the attack and identified indicators of compromise (IoCs). The WhoisXML API research team got hold of a list of six domains identified as such and examined them more closely to identify other potentially connected artifacts. Our IoC list expansion led to the discovery of:
- Six IP addresses, two of which turned out to be malicious
- 104 IP-connected domains
- 94 string-connected domains
A sample of the additional artifacts obtained from our analysis is available for download from our website.
More on the Polyfill Attack IoCs
To gain a better understanding of the Polyfill attack infrastructure, we looked closer into the six domains identified as IoCs starting with a bulk WHOIS lookup, which revealed that:
- Only four of the six domains had current WHOIS records.
- GoDaddy.com LLC led the pack of registrars, accounting for two domain IoCs. DNSPod, Inc. and Namecheap, Inc. accounted for one domain IoC each.
- The threat actors used a mix of newly registered and aged domains given that the IoCs were created between 2012 and 2024.
- The U.S. was the top registrant country, accounting for two domain IoCs. China and Iceland accounted for one domain IoC each.
Polyfill Attack DNS Traces
If there’s one thing all cyber attacks have in common, it’s that their perpetrators always leave traces behind. We sought to find such traces through an IoC expansion analysis for the February 2024 Polyfill supply chain attack.
We began by querying the four domain IoCs on WHOIS History API, which revealed the presence of four email addresses in their historical WHOIS records after duplicates were filtered out. Two of the email addresses were redacted while the other two were public.
Our Reverse WHOIS API queries for the two public email addresses showed that only one appeared in the current WHOIS records of other domains. However, given that the said public email address turned up in the records of more than 10,000 domains, it could belong to a domainer.
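The pivots the two sections above describe (IP- and string-connected domains, bulk WHOIS tallies of registrar, country and domain age, and the registrant-email check that flags a probable domainer), modelled offline in Python as an added example. This is not WhoisXML API's code, and every domain, IP address, WHOIS record and count in it is a constructed placeholder, not one of the post's actual IoCs.

```python
from collections import Counter
from datetime import date
# Constructed placeholders standing in for real bulk WHOIS, passive DNS and
# reverse WHOIS results (none of these are the post's actual IoCs).
SEEDS = ["cdn-polyfill-a.test", "cdn-polyfill-b.test"]
DNS_A = {  # domain -> IPv4 addresses it has resolved to
    "cdn-polyfill-a.test": ["203.0.113.10"],
    "cdn-polyfill-b.test": ["203.0.113.10", "198.51.100.7"],
    "shop-example.test": ["203.0.113.10"],
    "polyfill-cdn-mirror.test": ["198.51.100.7"],
    "unrelated.test": ["192.0.2.1"],
}
WHOIS = {  # domain -> current WHOIS record (absent = no current record)
    "cdn-polyfill-a.test": {"registrar": "GoDaddy.com LLC", "country": "US", "created": date(2012, 5, 1), "email": "REDACTED FOR PRIVACY"},
    "cdn-polyfill-b.test": {"registrar": "Namecheap, Inc.", "country": "IS", "created": date(2024, 2, 10), "email": "owner@mail.test"},
}
REVERSE_WHOIS = {"owner@mail.test": 12345}  # email -> number of domains registered with it
TODAY = date(2024, 7, 1)  # fixed analysis date so the age split is reproducible

def ip_connected(seeds, dns=DNS_A):
    """Non-seed domains that resolve to an IP address shared with a seed IoC."""
    seed_ips = {ip for s in seeds for ip in dns.get(s, [])}
    return sorted(d for d, ips in dns.items() if d not in seeds and seed_ips.intersection(ips))

def string_connected(seeds, candidates=DNS_A, token="polyfill"):
    """Non-seed domains whose name contains the pivot string."""
    return sorted(d for d in candidates if d not in seeds and token in d)

def whois_summary(seeds, whois=WHOIS, today=TODAY, aged_days=365):
    """Registrar and country tallies plus a newly-registered vs aged split."""
    recs = [whois[s] for s in seeds if s in whois]
    return {
        "with_record": len(recs),
        "registrars": Counter(r["registrar"] for r in recs),
        "countries": Counter(r["country"] for r in recs),
        "newly_registered": sum((today - r["created"]).days < aged_days for r in recs),
    }

def email_pivots(seeds, whois=WHOIS, reverse=REVERSE_WHOIS, domainer_threshold=10000):
    """Rate each registrant email as a pivot: redacted, likely domainer, or usable."""
    verdicts = {}
    for rec in (whois[s] for s in seeds if s in whois):
        email = rec["email"]
        if "REDACTED" in email.upper():
            verdicts[email] = "redacted"
        elif reverse.get(email, 0) > domainer_threshold:
            verdicts[email] = "likely domainer"  # too many domains to be a useful pivot
        else:
            verdicts[email] = "usable pivot"
    return verdicts
```

The domainer threshold mirrors the post's reasoning: an email tied to more than 10,000 domains is too broad to attribute connected domains to the same operator.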
This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.
Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.
Source: Original Post