Home / Industry

Tracking the DNS Footprint of the Polyfill Supply Chain Attackers

Protect your privacy:  Get NordVPN  [73% off 2-year plans, 3 extra months]
10 facts about NordVPN that aren't commonly known
  • Meshnet Feature for Personal Encrypted Networks: NordVPN offers a unique feature called Meshnet, which allows users to connect their devices directly and securely over the internet. This means you can create your own private, encrypted network for activities like gaming, file sharing, or remote access to your home devices from anywhere in the world.
  • RAM-Only Servers for Enhanced Security: Unlike many VPN providers, NordVPN uses RAM-only (diskless) servers. Since these servers run entirely on volatile memory, all data is wiped with every reboot. This ensures that no user data is stored long-term, significantly reducing the risk of data breaches and enhancing overall security.
  • Servers in a Former Military Bunker: Some of NordVPN's servers are housed in a former military bunker located deep underground. This unique location provides an extra layer of physical security against natural disasters and unauthorized access, ensuring that the servers are protected in all circumstances.
  • NordLynx Protocol with Double NAT Technology: NordVPN developed its own VPN protocol called NordLynx, built around the ultra-fast WireGuard protocol. What sets NordLynx apart is its implementation of a double Network Address Translation (NAT) system, which enhances user privacy without sacrificing speed. This innovative approach solves the potential privacy issues inherent in the standard WireGuard protocol.
  • Dark Web Monitor Feature: NordVPN includes a feature known as Dark Web Monitor. This tool actively scans dark web sites and forums for credentials associated with your email address. If it detects that your information has been compromised or appears in any data breaches, it promptly alerts you so you can take necessary actions to protect your accounts.

Threat actors can often find targeting certain organizations too much of a challenge. So they need to go through what we can consider back channels—suppliers, vendors, or service providers. The Polyfill supply chain attack may fall into this category, as users with vulnerable content delivery network (CDN) service versions ended up with compromised networks courtesy of a malicious JavaScript code.

A polyfill is a piece of JavaScript code that enables older browsers to have modern functionality they do not natively support. A report on the attack revealed the perpetrators obtained popular polyfill open-source projects and infected the code by injecting malicious scripts into them. Users who downloaded compromised polyfills primarily on mobile devices were then redirected to scam sites.

Many cybersecurity researchers looked into the attack and identified indicators of compromise (IoCs). The WhoisXML API research team got hold of a list of six domains identified as such and examined them more closely to identify other potentially connected artifacts. Our IoC list expansion led to the discovery of:

  • Six IP addresses, two of which turned out to be malicious
  • 104 IP-connected domains
  • 94 string-connected domains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

More on the Polyfill Attack IoCs

To gain a better understanding of the Polyfill attack infrastructure, we looked closer into the six domains identified as IoCs starting with a bulk WHOIS lookup, which revealed that:

  • Only four of the six domains had current WHOIS records.
  • GoDaddy.com LLC led the pack of registrars, accounting for two domain IoCs. DNSPod, Inc. and Namecheap, Inc. accounted for one domain IoC each.
  • The threat actors used a mix of newly registered and aged domains given that the IoCs were created between 2012 and 2024.

  • The U.S. was the top registrant country, accounting for two domain IoCs. China and Iceland accounted for one domain IoC each.

Polyfill Attack DNS Traces

If there’s one thing all cyber attacks have in common, it’s that their perpetrators always leave traces behind. We sought to find such through an IoC expansion analysis for the February 2024 Polyfill supply chain attack.

We began by querying the four domain IoCs on WHOIS History API, which revealed the presence of four email addresses in their historical WHOIS records after duplicates were filtered out. Two of the email addresses were redacted while the other two were public.

Our Reverse WHOIS API queries for the two public email addresses showed that only one appeared in the current WHOIS records of other domains. However, given that the said public email address turned up in the records more than 10,000 domains, it could belong to a domainer.

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

Cybersecurity

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

DNS

Sponsored byDNIB.com

Brand Protection

Sponsored byCSC