
"The malicious code, which targeted mobile users with evasion techniques and redirected them to betting or adult sites, was confirmed by security firms Sansec and C/side in June 2024. The attack affected more than 100,000 websites that embedded the library, prompting widespread recommendations to remove references to the Polyfill domain immediately due to the risk of malicious activity with an even greater impact."
"The involvement of Funnull led to the belief that this was a Chinese operation. However, evidence uncovered recently by Hudson Rock, a cybersecurity firm specializing in infostealer malware intelligence, indicates that Funnull was likely just a "corporate front" for an operation that also involved North Korean threat actors."
"According to Hudson Rock, the data collected by the malware enabled the security firm to "establish an ironclad chain of evidence linking the North Korean operator to the Chinese syndicate and the Polyfill control panels". Hudson Rock said the evidence collected by the malware from the North Korean hacker's device included credentials for the Funnull DNS."
The Polyfill.io service was compromised in February 2024 after its acquisition by the Chinese CDN company Funnull, which injected malicious JavaScript that targeted mobile users and redirected them to betting and adult sites. Over 100,000 websites were affected, prompting recommendations to remove references to the Polyfill domain immediately. The attack was initially attributed to China, but Hudson Rock's investigation of infostealer malware revealed the involvement of North Korean threat actors. Evidence from a device used by North Korean hackers, itself infected with LummaC2 malware, established connections between the North Korean operators, the Chinese syndicate, and the Polyfill control panels, indicating that Funnull operated as a corporate front for a coordinated international operation.
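The remediation guidance above is to find and remove every reference to the Polyfill domain. The following added example (not code from the SecurityWeek article or from the firms it cites) scans a page's HTML for `<script>` and `<link>` references whose host is `polyfill.io` or a subdomain of it, and reports whether each carries a Subresource Integrity attribute; the sample HTML and the `example.test` URLs are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example, not from the article: the domain to flag, matched as the
# apex or any subdomain (e.g. "cdn.polyfill.io").
FLAGGED_DOMAINS = ("polyfill.io",)


class _RefCollector(HTMLParser):
    """Collect (tag, url, has_integrity) for every <script src> and <link href>."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if url:
            self.refs.append((tag, url, "integrity" in a))


def _host_matches(url):
    # Browsers resolve protocol-relative URLs ("//cdn.polyfill.io/...") too.
    if url.startswith("//"):
        url = "https:" + url
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in FLAGGED_DOMAINS)


def find_polyfill_refs(html):
    """Return [(tag, url, has_integrity)] for each reference to a flagged domain."""
    p = _RefCollector()
    p.feed(html)
    return [r for r in p.refs if _host_matches(r[1])]


# Constructed sample page: three flagged references, two benign ones.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//cdn.polyfill.io/v2/polyfill.js"></script>
<script src="https://example.test/app.js" integrity="sha384-AAAA"></script>
<link rel="preconnect" href="https://polyfill.io">
<link rel="stylesheet" href="https://example.test/site.css">
</head><body></body></html>"""

if __name__ == "__main__":
    for tag, url, sri in find_polyfill_refs(SAMPLE_HTML):
        print(f"REMOVE <{tag}> -> {url} (integrity attribute present: {sri})")
```

The integrity column is reported only as context: a flagged reference should be removed regardless, since the script was served from a domain under the attacker's control.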
#supply-chain-attack #north-korea-threat-actors #polyfillio-compromise #malware-intelligence #cybersecurity-incident
Read at SecurityWeek