HYAS Protects Against Polyfill.io Supply Chain Attack with DNS Safeguards

Weekly Threat Intelligence Report

Date: June 28, 2024

Prepared by: David Brunsdon, Threat Intelligence - Security Engineer, HYAS

Recently, a Chinese company named Funnull purchased the domain (polyfill.io) and GitHub of an open source JavaScript library used in over 100,000 websites.

https://sansec.io/research/polyfill-supply-chain-attack

Polyfill allows website creators to maintain support for a variety of older browser types. However, its operation has changed to include redirecting mobile devices to sports betting using a fake Google Analytics domain (www.googie-anaiytics.com).

For users of HYAS Protect, HYAS disables DNS resolutions that would lead to these redirects and other potential compromises. DNS is the ideal place to block potentially malicious CDNs like this one. Other vendors, such as Cloudflare, have also responded by rewriting any Polyfill code to redirect to their own cached copy of the JavaScript library. Today, Namecheap, the provider of the domain, has taken it over and removed the A record, completely disabling the threat.

Oddly enough, Funnull has denied the existence of any supply chain attack and has registered a new domain, polyfill[.]com, which is described on the web page as “A free CDN for open source projects.”

Supply chain attacks through open source products remain a serious attack vector. In this situation, the original maintainer sold control to another company that appears to have malicious intent. Situations like these have the potential to impact a large number of individuals and organizations, and this type of potential compromise should always be considered a part of an organization's threat model.

HYAS threat intelligence will continue to monitor the situation and will adapt our security solution as required.

Security analysts interested in researching their own network telemetry for compromise should focus on outbound connections to the following domains:

cdn.polyfill[.]io
www.googie-anaiytics[.]com
polyfill[.]com

The new domain, polyfill[.]com, is not known to have been used for any malicious behavior, but the concern remains about how it could be used in the future, as it’s still under the control of Funnull, which has denied the existence of the supply chain attack.
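The telemetry search described above can be scripted. The following Python is an added example, not HYAS code: it refangs the three listed indicators and matches DNS query names on label boundaries, so subdomains are caught and look-alike names are not. The log format (timestamp, client IP, query type, query name) and the sample lines are constructed for illustration.

```python
# Indicators exactly as published in the report (defanged).
DEFANGED_IOCS = ["cdn.polyfill[.]io", "www.googie-anaiytics[.]com", "polyfill[.]com"]

# Constructed sample log lines; assumed format: timestamp client_ip qtype qname
SAMPLE_LOG = """\
2024-06-27T10:15:02Z 10.0.4.17 A cdn.polyfill.io.
2024-06-27T10:15:03Z 10.0.4.17 A WWW.Googie-Anaiytics.com
2024-06-27T10:15:09Z 10.0.4.22 A www.google-analytics.com
2024-06-27T10:16:41Z 10.0.7.5 AAAA notpolyfill.com
2024-06-27T10:17:00Z 10.0.7.5 A static.polyfill.com
malformed line
"""


def normalise(name: str) -> str:
    """Refang and normalise a hostname: lower case, no trailing root dot."""
    return name.replace("[.]", ".").strip().rstrip(".").lower()


IOCS = {normalise(i) for i in DEFANGED_IOCS}


def matched_ioc(qname: str):
    """Return the indicator that qname equals or is a subdomain of, else None."""
    labels = normalise(qname).split(".")
    # Test each suffix on a label boundary: 'notpolyfill.com' must not match.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOCS:
            return candidate
    return None


def scan(log_text: str):
    """Return (timestamp, client, qname, indicator) for each matching query."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed format
        ts, client, _qtype, qname = fields
        ioc = matched_ioc(qname)
        if ioc:
            hits.append((ts, client, qname, ioc))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Grouping the hits by client address shows which hosts loaded pages that still reference the affected script.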

As always, the HYAS Threat Intelligence team is at the ready. If you’d like to speak with one of our experts, please reach out to us, and we’d be happy to help. 


Disclaimer: This Threat Intelligence Report is provided “as is” and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report’s completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report's information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report’s inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.