The Attacker Screwed Up, But So Did The Providers We Trust
The recent attacks against customers of Polyfill.io, BootCDN, Bootcss, and Staticfile were a complete CDN nightmare this week, but there is some semi-good news for everyone. Thanks to eagle eyed security researchers, a public GitHub repository was discovered to contain the Cloudflare secret keys which enabled the attacks to succeed. This also revealed that all four hijacks came from a single source, as they all shared code found in the repository.
The knowledge that it is a single group doesn’t help as much as getting access to some of the code does. The leak means that we know the active zones associated with the attackers Cloudflare account, which means they can be blocked. It also gives sysadmins the data they need to scan their logs to see if their data was misdirected. Hopefully it will also lead to protections put in place to stop the spread.
The attackers were not the only ones that made a huge mistake. Over at Bleeping Computer you can see a notice sent by Google ads notifying Polyfill.io their main service polyfill.io, and three more, Bootcss, BootCDN, and Staticfile all had suspicious redirects. Unfortunately that warning was completely ignored and the attacks continued. If someone had actually acted on the warning then the attacks could have been limited if not stopped completely.
Hopefully by next week there will be good news for anyone still using those services.
Source link
