Polyfill.io, BootCDN, Bootcss, Staticfile attack traced to 1 operator

June 28, 2024 at 09:01AM

A large-scale supply chain attack affecting numerous websites has been traced to a common operator. Leaked Cloudflare secret keys revealed the connection between the attack and the CDN services Polyfill.io, BootCDN, Bootcss, and Staticfile. Collaborative efforts of several security researchers contributed to the discovery. The attack’s widespread impact and ongoing nature require vigilance and possible domain replacements.

Key takeaways:

1. A large-scale supply chain attack affected multiple CDNs, namely Polyfill.io, BootCDN, Bootcss, and Staticfile, with potentially tens of millions of websites impacted. The attack has been traced back to a common operator.

2. The attackers accidentally exposed their Cloudflare secret keys in a public GitHub repository, which led researchers to link the supply chain attack to a single entity.

3. The exposed Cloudflare API keys allowed researchers to unravel the connection between all four CDN services and identify a common entity behind the attack.

4. The attack is believed to have been ongoing since June 2023, and its full impact has yet to be assessed.

5. Despite the shutdown of Polyfill.io and its relaunch as Polyfill.com, concerns remain that the operators could have hoarded multiple domains with different registrars, potentially leading to a “whack-a-mole” situation if these domains are actively deployed.

6. Organizations are advised to replace their usage of the affected services with safe alternatives provided by Cloudflare and Fastly, and to use services like Polykill.io from cybersecurity firm Leak Signal to identify websites using Polyfill.io and make the switch.
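
One way to run the inventory step from item 6 over your own pages, as an added example that is not from the article or from any vendor named in it: a scanner that flags `<script>` and `<link>` references whose host is polyfill.io, polyfill.com, or a subdomain of either. The function names and the sample HTML are constructed for illustration; hostnames for BootCDN, Bootcss and Staticfile are not given on this page and have to be added to the set.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains named on this page. Hostnames for BootCDN, Bootcss and Staticfile
# are not listed here; add them from your own threat intelligence.
FLAGGED_DOMAINS = {"polyfill.io", "polyfill.com"}


def is_flagged(url, domains=FLAGGED_DOMAINS):
    """True when the URL's host is a flagged domain or one of its subdomains."""
    # urlsplit also handles protocol-relative URLs ("//host/path").
    host = (urlsplit(url.strip()).hostname or "").rstrip(".").lower()
    # Exact or dot-anchored suffix match, so "notpolyfill.io" and
    # "polyfill.io.example.com" are not reported.
    return any(host == d or host.endswith("." + d) for d in domains)


class _RefCollector(HTMLParser):
    """Collects flagged external references from script and link tags."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attr = {"script": "src", "link": "href"}.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url and is_flagged(url):
            self.hits.append({"line": self.getpos()[0], "tag": tag, "url": url})


def scan_html(html):
    """Return one dict per flagged reference, with its 1-based line number."""
    parser = _RefCollector()
    parser.feed(html)
    parser.close()
    return parser.hits


# Constructed sample page (not taken from any real site).
SAMPLE = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script src="https://notpolyfill.io/lib.js"></script>
<script src="https://polyfill.io.example.com/lib.js"></script>
<link rel="preconnect" href="https://POLYFILL.COM">
<script src="/static/app.js"></script>
</head></html>"""

if __name__ == "__main__":
    for hit in scan_html(SAMPLE):
        print(hit)
```

This only sees references present in static HTML; scripts injected at runtime or pulled in by third-party tags need a check against browser or proxy request logs.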
