News
Hi folks,
I hope you had a productive week! Sit back, relax and learn about how cybersecurity is still a hot flaming mess, but rest easy knowing that you are trying to help change that. You can be proud of yourself, and I am proud of you. That is all.
Also, and above all: enjoy your weekend ;-)
Cheers!
Polyfill.io JavaScript supply chain attack impacts over 100K sites
This is a doozy, and there's a lot to unpack. Bear with me.
Polyfills are pieces of code that emulate certain browser features when the browser doesn't natively support them. So when a user shows up with an old browser and your application wants to make use of some modern feature (for file access, styling, whatever), there are "polyfills" that duplicate the functionality in pure JavaScript so that the user with the old browser doesn't notice the difference. And you, as the developer, can rest easy that every user gets the same experience.
The polyfill.js library is a well-known provider of such code, and hundreds of thousands of sites pull that code from cdn.polyfill.io.
That domain, however, was recently bought by a Chinese company, who served a malicious version of the library that redirected visitors to spam and other malicious sites.
I'll try to present the rest in brief points:
- While the article talks about 100K+ sites, Cloudflare CEO Matthew Prince shared that about 4% of all websites, or tens of millions of websites, use the Polyfill library in some fashion, making the impact much greater.
- The malicious code is pretty devious. It only redirects users during certain hours and only for specific devices, delays itself when it detects an analytics library on the site so that it doesn't show up in stats, doesn't run when it detects an admin user, and more.
- Cloudflare and Fastly are now intercepting calls to cdn.polyfill.io and directing them to a safe version of the library.
- Namecheap, where the domain is hosted, has now suspended the domain.
- The new owners of Polyfill.io then claimed they were "maliciously defamed" and have relaunched the JavaScript CDN service on a new domain, polyfill.com.
- Namecheap suspended that domain as well.
- It's apparently not just Polyfill that is affected: BootCDN, Bootcss and Staticfile are too, and it seems this campaign has been going on for much longer.
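To make the mechanics concrete, here is an added example (my own code, not from the newsletter, polyfill.io or any library) showing two things: what a polyfill actually does, and a check a practitioner can run for the underlying risk, namely cross-origin script tags with no Subresource Integrity hash. The page origin, the sample script list and the hash placeholder are assumptions constructed for the example.

```javascript
// Added example, not code from the newsletter, polyfill.io or any library.
// Sample data and names below are constructed for this example.

// 1. A polyfill is gated on a feature check: it installs itself only when the
//    host object lacks the native method. `proto` is a parameter so the same
//    function can be exercised against a bare object standing in for an old
//    browser's String.prototype (modern engines already have replaceAll).
function installReplaceAllPolyfill(proto = String.prototype) {
  if (typeof proto.replaceAll === "function") {
    return false; // native support present, leave it alone
  }
  Object.defineProperty(proto, "replaceAll", {
    configurable: true,
    writable: true,
    value: function replaceAll(search, replacement) {
      const str = String(this);
      if (search instanceof RegExp) {
        if (!search.global) {
          throw new TypeError("replaceAll called with a non-global RegExp");
        }
        return str.replace(search, replacement);
      }
      // Escape the literal search string so it is not read as a pattern.
      const escaped = String(search).replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
      return str.replace(new RegExp(escaped, "g"), replacement);
    },
  });
  return true;
}

// 2. Every <script src> pointing at another origin hands that origin full
//    control of the page: whoever holds the domain decides what runs. An
//    `integrity` attribute pins the fetched file to a hash, but only for a
//    static file. polyfill.io tailored its bundle to the requesting
//    User-Agent, so no single hash could be pinned; self-hosting a fixed copy
//    is the real fix. This audit flags cross-origin scripts without integrity.
function auditScripts(scripts, pageOrigin) {
  const firstParty = new URL(pageOrigin).origin;
  const findings = [];
  for (const script of scripts) {
    if (!script.src) continue; // inline script, nothing is fetched
    let url;
    try {
      url = new URL(script.src, pageOrigin);
    } catch {
      findings.push({ src: script.src, issue: "unparseable src" });
      continue;
    }
    if (url.origin === firstParty) continue; // first-party, covered by CSP/origin
    if (!script.integrity) {
      findings.push({
        src: script.src,
        origin: url.origin,
        issue: "cross-origin script without integrity",
      });
    }
  }
  return findings;
}

// Constructed sample standing in for what a browser would give you with
//   Array.from(document.scripts, s => ({ src: s.src, integrity: s.integrity }))
// on a hypothetical page at https://example.com. The sha384 value is a placeholder.
const SAMPLE_SCRIPTS = [
  { src: "/static/app.js", integrity: "" },
  { src: "https://cdn.polyfill.io/v3/polyfill.min.js?features=default", integrity: "" },
  { src: "https://cdn.jsdelivr.net/npm/some-lib@1.2.3/dist/lib.min.js", integrity: "sha384-placeholder" },
  { src: "", integrity: "" },
];

// Stand-alone run: polyfill a bare object, then audit the sample script list.
const legacyProto = {};
installReplaceAllPolyfill(legacyProto);
console.log(legacyProto.replaceAll.call("a.b.c", ".", "-")); // a-b-c
for (const finding of auditScripts(SAMPLE_SCRIPTS, "https://example.com")) {
  console.log(finding);
}
```

Paste the audit into a page's console (or a headless browser check in CI) to see which third-party scripts you are trusting blindly. Where a script cannot carry an integrity hash because the CDN serves browser-specific content, treat that as a reason to self-host rather than a reason to skip the check.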
I'll stop here for "brevity's" sake. There's a lot more to unpack and honestly, not everything is clear to me yet. For example, the creator of the library claims he never owned the polyfill.io domain. But I'm not sure then who did. And is the library itself fine, or was that also sold and hijacked? I've seen contradictory statements there. Anyway, I'm still a bit confused. If you want to dive deeper yourself, here are some more links:
TeamViewer's corporate network was breached in alleged APT hack
Considering this is about TeamViewer, I figured I'd bump this to a separate item instead of just another breach. Details are still scarce, but so far they say that there's no sign of it impacting customer systems, only their own IT environment, for what that is worth. And they attribute the attack to a Russian APT.
It is worth pointing out that TeamViewer is not giving off good vibes. They originally called the attack "an irregularity in their environment", and they say they will be transparent but had initially made the announcement post uncrawlable by search robots, making it hard to find. And they seem to have screwed up clear lines of communication when sharing news about the breach. I expect better from a piece of software like this.
Progress discloses more MOVEit CVEs, one year after 2023’s fiasco
Just worth noting that this is a thing again. They've not observed active exploitation yet, but attempts are underway.
From dotenv to dotenvx
If you're into devops, like I am, you've probably used .env files to share config and secrets with your app. It's a rather standard way of doing things. (Although there is always a lot of debate on whether it is the safest way of working, and if not, which way is better.)
I was tickled by this announcement from the original creator of dotenv of a new and improved way of dealing with .env files; it's worth a read. Good discussion on Hacker News too.
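For readers who have only ever called a library and never looked at what a .env file actually is, here is an added example (my own code, not dotenv's or dotenvx's) of a minimal loader. It shows the two behaviours people rely on: `KEY=value` lines become variables, and a variable already present in the real environment wins over the file. The sample file is constructed for this example and the key names in it are made up.

```javascript
// Added example, not code from dotenv or dotenvx. The .env content below is
// constructed for the example; the keys and values are not real secrets.

// Parse .env text into a plain object. Handles blank lines, `#` comments,
// an optional `export ` prefix, single/double quotes, and trailing inline
// comments on unquoted values. Malformed lines are skipped rather than thrown.
function parseDotenv(text) {
  const vars = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#")) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    let value = m[2];
    const quoted = /^(['"])(.*)\1$/.exec(value);
    if (quoted) {
      value = quoted[2];
      // Only double quotes expand an escaped newline; single quotes are literal.
      if (quoted[1] === '"') value = value.replace(/\\n/g, "\n");
    } else {
      value = value.replace(/\s+#.*$/, "").trim();
    }
    vars[m[1]] = value;
  }
  return vars;
}

// Apply parsed variables to an environment object. By default a key that
// already exists in `env` is left alone, so a value injected by the deployment
// platform is never silently replaced by a checked-in file. Returns the list
// of keys that were applied, which is safe to log (names only, never values).
function loadDotenv(text, env, { override = false } = {}) {
  const applied = [];
  for (const [key, value] of Object.entries(parseDotenv(text))) {
    if (!override && Object.prototype.hasOwnProperty.call(env, key)) continue;
    env[key] = value;
    applied.push(key);
  }
  return applied;
}

// Constructed sample .env file (not a real configuration).
const SAMPLE_ENV_FILE = [
  "# database settings",
  "DB_HOST=localhost",
  "DB_PORT=5432 # inline comment is stripped",
  "export API_KEY='single quoted # stays literal'",
  'GREETING="line1\\nline2"',
  "THIS LINE IS MALFORMED",
].join("\n");

// Stand-alone run: pretend the platform already set DB_HOST.
const env = { DB_HOST: "prod-db.internal" };
console.log("loaded:", loadDotenv(SAMPLE_ENV_FILE, env));
console.log("DB_HOST stays:", env.DB_HOST);
```

Whatever loader you use, the file itself still holds secrets in plaintext on disk, which is the root of the debate mentioned above; the loader above deliberately returns only key names so that logging what was loaded never leaks a value.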
Breaches and leaks
- South Africa’s national health lab hit with ransomware attack amid mpox outbreak: link.
- CISA warns chemical facilities of potential data theft: link.
- Change Healthcare lists the medical data stolen in ransomware attack: link.
- Los Angeles Unified confirms student data stolen in Snowflake account hack: link.
- Neiman Marcus confirms data breach after Snowflake account hack: link.
- CoinStats says North Korean hackers breached 1,590 crypto wallets: link.
- Former IT employee accessed data of over 1 million US patients: link.
Implement passwordless logins into your app in seconds
Solid security shouldn't have to come at the expense of a great user experience. That's why Passage by 1Password provides a passwordless auth service that allows you to implement passkey logins in your app or website with just a few lines of code. (Sponsored)