On June 25th, Sansec.io discovered that polyfill.io, a popular open source library to support older browsers, was being used to distribute malware. ThreatSTOP has identified a significant uptick in malicious activity originating from the previously trusted service. Our telemetry indicates that a small number of isolated customers have been impacted, revealing alarming trends that necessitate immediate action.

Understanding the Threat Landscape

Polyfill.io was widely adopted for its efficiency in delivering polyfills necessary for browsers to support modern web standards. However, recent developments have transformed this once-reliable service into a conduit for malicious code. Our proactive ThreatSTOP Security, Intelligence, and Research team has detected and blocked millions of requests associated with these threats, ensuring our customers remain protected. Initially, we blocked the www.googie-anaiytics.com domain to prevent redirection (refer to the Sansec.io blog for more details). Subsequently, we implemented further measures to block all malicious domains used by the attackers, including the somewhat controversial step of blocking cdn.polyfill.io entirely to prevent the malicious code from being executed. Namecheap, the registrar for Polyfill.io, has taken the domain offline despite the dispute from the current Chinese owners. Additionally, Cloudflare has begun real-time rewrites of cdn.polyfill.io to their own version, further mitigating the risk.

Telemetry Insights

Our latest telemetry data showcases the extent of this emerging threat:
- cdn.polyfill.io: Over 5 million hits detected, highlighting its widespread use and potential for harm.
- polyfill.io: Nearly 1.6 million hits.
- www.googie-anaiytics.com: Over 4,000 hits, representing a clear attempt to masquerade as Google Analytics and deceive users.

These indicators of compromise (IOCs) underscore the aggressive nature of this campaign, leveraging trusted services to infiltrate and exploit web applications.

How ThreatSTOP Protects You

ThreatSTOP’s suite of products offers comprehensive protection against such threats:

1. Protective DNS: By utilizing our cloud-based DNS servers, customers are shielded from malicious domains like cdn.polyfill.io and polyfill.io. Our cloud infrastructure ensures real-time updates and proactive blocking of harmful content. For customers managing their own DNS servers, our DNS Defense solution provides robust protection by integrating ThreatSTOP intelligence directly into their network infrastructure. This ensures that even locally managed environments are safeguarded against evolving threats.

2. IP Defense: This versatile solution allows for the management of block lists on any IP-based system, including routers, firewalls, and AWS WAF. By blocking known malicious IP addresses, IP Defense prevents unauthorized access and mitigates risks associated with compromised domains.

Our proactive approach is driven by the ThreatSTOP Security, Intelligence, and Research team, who continuously analyze and update protections against command and control, invalid traffic, peer-to-peer communication, data exfiltration, phishing, SPAM, and Distributed Denial of Service (DDoS) activities.

Recommended Actions

Given the severity of the threat posed by Polyfill.io and its associated domains, we recommend the following immediate actions:
1. Remove Polyfill.io scripts: Eliminate any reference to Polyfill.io from your website to prevent malicious code from reaching your visitors.
2. Reduce External Scripts: Minimize the use of third-party scripts to lower the potential attack surface.
3. Leverage ThreatSTOP Solutions: Utilize our Protective DNS, and IP Defense products to ensure comprehensive protection across all environments.

Connect with Customers, Disconnect from Risks

For those interested in joining the ThreatSTOP family or learning more about our proactive protections for all environments, we invite you to visit our product page. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for all sizes of customers! Get started with a demo today!

By staying vigilant and leveraging advanced protective measures, we can collectively enhance our defenses against the ever-evolving cyber threat landscape.