Week of July 5th, 2024
Welcome to Your Cybersecurity Recap: a bite-sized weekly newsletter by cybersecurity enthusiasts, for cybersecurity enthusiasts.
Here are this week’s top takeaways:
Breaking News: Polyfill.io Attack Impacts Over 380,000 Hosts–a Broader Scope Than First Assumed
The supply chain attack targeting the widely-used Polyfill JavaScript library is wider in scope than previously thought, with new findings first reported on by The Hacker News detailing that 380,000 hosts are embedding a polyfill script linking to the malicious domain.
Big name brands impacted by this attack include, but are not limited to, WarnerBros, Hulu, Mercedes-Benz, and Pearson.
Polyfill offered widely used fragments of code that allowed older or outdated browsers to use modern JavaScript features. These fragments ease the workload of developers and permit compatibility with a broader range of browsers. However, because the malicious code was inserted into these fragments, visitors to an affected website could unwittingly run the malware in their browser.
Security professionals have found that the malicious code generates payloads that differ based on HTTP headers, which provides greater obfuscation: it activates only on specific devices, delays execution, and avoids admin users, making detection more difficult.
The development has since prompted domain registrar Namecheap to suspend the domain, content delivery networks such as Cloudflare to automatically replace Polyfill links with domains leading to alternative safe mirror sites, and Google to block ads for sites embedding the domain.
This news comes alongside WordPress security company Patchstack warning of further risks posed by the Polyfill supply chain attack on sites running the content management system (CMS) through dozens of legitimate plugins that link to the rogue domain.
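As an added example, not taken from the newsletter or from Polyfill, the following Python audit shows the check a site owner could run over their own HTML templates after news like this: it lists every `<script>` tag loading from a polyfill.io host and, separately, any other third-party script host that is not on a reviewed allowlist. The host sets and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts treated as the compromised Polyfill service (assumption for this example).
FLAGGED_HOSTS = {"polyfill.io", "cdn.polyfill.io"}
# Third-party hosts the site owner has reviewed and allows (constructed list).
ALLOWED_HOSTS = {"cdnjs.cloudflare.com"}

class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)

def _host(src):
    # Protocol-relative URLs (//cdn.polyfill.io/...) need a scheme before parsing.
    if src.startswith("//"):
        src = "https:" + src
    return (urlparse(src).hostname or "").lower()

def audit_scripts(html):
    """Return (flagged, unreviewed): script URLs on Polyfill hosts, and other
    external script URLs whose host is missing from the allowlist."""
    collector = ScriptCollector()
    collector.feed(html)
    flagged, unreviewed = [], []
    for src in collector.srcs:
        host = _host(src)
        if not host:
            continue  # same-origin script, not a third-party dependency
        if host in FLAGGED_HOSTS or host.endswith(".polyfill.io"):
            flagged.append(src)
        elif host not in ALLOWED_HOSTS:
            unreviewed.append(src)
    return flagged, unreviewed

# Constructed sample page, not taken from any real site.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script src="https://tracker.example.net/t.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""
```

Running `audit_scripts(SAMPLE_PAGE)` returns the two polyfill.io references as flagged and the unreviewed tracker host separately, while same-origin scripts are ignored.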
Security Professionals Are Reporting a New Botnet Capable of Sophisticated DDoS Attacks
Cybersecurity researchers have uncovered a new botnet called Zergeca that's capable of conducting distributed denial-of-service (DDoS) attacks.
There is evidence to suggest that its operators are actively developing and updating the malware to support new commands. Based on the C2 IP address, 84.54.51[.]82, that address is said to have previously been used to distribute the Mirai botnet around September 2023.
Furthermore, as of April 29th, the same IP address began to be used as a C2 server for the new botnet, raising the possibility that the threat actors "accumulated experience operating the Mirai botnets before creating Zergeca."
Attacks mounted by the botnet–namely ACK flood DDoS attacks–have targeted Canada, Germany, and the U.S. between early and mid-June 2024.
Zergeca's features span four distinct modules: persistence, proxy, silivaccine, and zombie. In turn, these add a system service, implement proxying, remove competing miner and backdoor malware to gain exclusive control over devices running the x86-64 CPU architecture, and handle the main botnet functionality.
Operations Restored to Co-Ops Across Western Canada After Widespread Cyberattack
As of July 4th, all 398 Co-op cardlock fuel stations across western Canada have returned to full operation and can once again service customers–signaling an end to the widespread disruptions first triggered by a cybersecurity incident the week prior.
“Our team has been working around the clock to recover our cardlock network and we want to thank Co-op cardlock customers for their patience and understanding throughout this process,” Federated Co-operatives Limited said in a statement.
Co-op’s cardlock stations are used by transport trucks, among other large or corporate vehicles, and are separate from the co-operative’s regular retail pumps. They provide members with 24-hour self-serve access to fuel pumps.
Saskatoon-based company FCL announced on June 28 that it was grappling with a cybersecurity incident that was affecting internal systems, local retail Co-ops and cardlock fuel locations. It led the company to shut down some of its systems and investigate.
This past Wednesday, FCL said in a statement that it was working to get more cardlocks back in service every day, and that enabling the remainder to be back online was the topmost priority alongside restocking key grocery items and consumer goods for delivery.
In 2024, the connection between cybersecurity and reputation management has never been stronger. In our increasingly digital age, the way a brand identifies (and manages) itself determines how the public views its reputation... and that reputation heavily influences an organization's long-term success.
With cyberattacks like this week’s continuing to escalate year over year, the best offense is a proactive defense. Security professionals recommend taking the following steps to evaluate potential cybersecurity threats, and, in turn, work to mitigate both reputational and operational damages:
What are your thoughts on this week’s cyber incidents?