Threat Intel Archives - Page 4 of 9 - D1 Defend

Dangerous New Threat to Your Network’s Authentication

July 11, 2024

In the digital age, the security of your network is paramount. Businesses rely on complex authentication systems to protect sensitive data, maintain operational integrity, and ensure that only authorized individuals have access to their networks. However, a dangerous new threat has emerged that could undermine the very system designed to keep your network secure. This vulnerability, known as the “BlastRADIUS” attack, poses a significant risk to your network’s authentication process, allowing attackers to bypass login credentials entirely and gain unauthorized access from anywhere in the world.

What Is the BlastRADIUS Attack?

The BlastRADIUS attack represents a new and alarming type of cyber threat. Unlike traditional attacks that rely on phishing scams, malware, or brute force attempts to steal usernames and passwords, BlastRADIUS targets the core of your network’s authentication system. It exploits a vulnerability in the authentication process, allowing attackers to gain direct access to your network without needing to know any login credentials. This means that an attacker could potentially infiltrate your network and wreak havoc without ever triggering the typical security alerts associated with failed login attempts.

Imagine a scenario where an attacker gains access to your network as if they were an authenticated user, bypassing all the security protocols you have in place. This type of breach could lead to devastating consequences, including data theft, unauthorized access to sensitive information, disruption of business operations, and even complete control over your network. The implications of such an attack are profound, making it essential for businesses to take immediate action to protect their networks.

Why Is the BlastRADIUS Attack So Dangerous?

The BlastRADIUS attack is particularly dangerous for several reasons:

1. Complete Bypass of Authentication

The most alarming aspect of the BlastRADIUS attack is its ability to bypass the authentication process entirely. Traditional security measures, such as multi-factor authentication (MFA), strong passwords, and user access controls, are rendered ineffective against this threat. Once an attacker successfully exploits the BlastRADIUS vulnerability, they can gain direct access to your network without any need for usernames or passwords.

2. Remote Exploitation

Another critical concern is that the BlastRADIUS attack can be executed remotely. This means that an attacker does not need physical access to your network to exploit the vulnerability. Instead, they can launch the attack from anywhere in the world, making it even more challenging to detect and defend against.

3. Potential for Widespread Impact

Given the nature of the vulnerability, the BlastRADIUS attack has the potential to impact a wide range of systems and devices. Any system that relies on the affected authentication method could be at risk, making it essential for businesses across all industries to take this threat seriously.

4. Undetected Infiltration

Because the BlastRADIUS attack bypasses the standard authentication process, it can be challenging to detect. Traditional security measures, such as monitoring for failed login attempts or unusual access patterns, may not be effective in identifying this type of breach. This allows attackers to infiltrate your network and remain undetected for extended periods, increasing the potential for damage.

How Can You Protect Your Network from BlastRADIUS?

Given the severity of the BlastRADIUS attack, it’s crucial for businesses to take proactive steps to protect their networks. Here’s how we can help:

1. Comprehensive Security Solutions

We offer a range of comprehensive security solutions designed to protect your network against vulnerabilities like BlastRADIUS. Our team of experts can assess your current security setup, identify potential risks, and implement advanced protections to safeguard your network’s authentication process. This includes deploying the latest security updates, configuring network defenses, and implementing robust access controls to prevent unauthorized access.

2. Ongoing Monitoring and Updates

Cyber threats are constantly evolving, and staying ahead of the latest vulnerabilities requires continuous vigilance. We provide ongoing monitoring of your network to detect any signs of unusual activity or potential breaches. Additionally, our team ensures that your systems are regularly updated with the latest security patches and protections to defend against emerging threats like BlastRADIUS.

3. Third-Party Security Analysis

An objective, third-party security analysis is a critical component of any comprehensive cybersecurity strategy. Our team can conduct a thorough assessment of your network to identify any weaknesses or vulnerabilities that may have been overlooked. This analysis provides valuable insights into your current security posture and helps us develop a tailored plan to address any risks and strengthen your defenses.

4. Expert Consultation and Support

Navigating the complexities of cybersecurity can be challenging, but you don’t have to do it alone. We offer expert consultation and support to help you understand the implications of the BlastRADIUS threat and what steps you can take to protect your business. Whether you need assistance with implementing new security measures or guidance on best practices for network protection, our team is here to help.

Don’t Let BlastRADIUS Compromise Your Network

The BlastRADIUS attack is a sobering reminder of the ever-present dangers in the cybersecurity landscape. This vulnerability poses a significant threat to the integrity of your network’s authentication process, making it essential for businesses to take immediate action to protect themselves. By implementing comprehensive security solutions, conducting regular monitoring and updates, and leveraging expert support, you can safeguard your network against BlastRADIUS and other emerging threats.

Don’t wait until your network is compromised—take action now to ensure your systems are secure. If you’re interested in learning more about how we can help protect your network from BlastRADIUS and other vulnerabilities, contact us today to schedule a security analysis.

Contact Us Today!

Threat Intelligence: JavaScript Supply Chain Attack Alert: Polyfill.js Compromise

July 3, 2024

We’re reaching out today to alert you to a significant JavaScript supply chain attack that may have impacted millions of legitimate websites. According to our research, tens of millions of websites, accounting for about 4% of the web, use Polyfill.js, an open-source library designed to improve compatibility with older browsers by embedding JavaScript code.

The Threat

Earlier this year, a Chinese company named Funnull acquired the domain and the GitHub account associated with Polyfill.js. Following this acquisition, they modified the Polyfill.js code to inject malicious code into websites. Any page loading a script from cdn.polyfill.io was exposed to malicious code served from Funnull’s site.

Response from Major Players

Cloudflare, Google, and even the Polyfill.io domain provider have taken steps to prevent sites with the malicious “plugin” from loading. Despite these measures, the attacks persist. Websites that still use these scripts should remove them immediately to prevent further exploitation.

Quick Points

  • Scope of Attack: JavaScript supply chain attacks via Polyfill.io have affected tens of millions of legitimate websites, as stated by Cloudflare’s CEO, Matthew Prince.
  • Nature of the Attack: Websites using the compromised script have been turned into “watering-holes” for Chinese cyber-attackers, redirecting users to scam sites or malware.
  • Affected Entities: Major websites such as Hulu, Intuit, Nintendo, JSTOR, and the World Economic Forum have been affected.
  • Preventive Actions: Cloudflare and Google are starting to restrict sites using these malicious scripts.

Immediate Actions

  • Review and Remove: Assess your websites for any dependency on Polyfill.io and remove the scripts as necessary.
  • Monitor Activities: Keep an eye on unusual activities or signs of malicious code.
  • Use Clean Versions: Utilize Fastly or Cloudflare’s “clean” versions of Polyfill scripts when necessary.
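One way to carry out the “Review and Remove” step above, as an added example that is not D1 Defend’s own code or tooling: a small scanner that parses saved HTML pages and reports every script or stylesheet reference whose host is polyfill.io or one of its subdomains, such as the cdn.polyfill.io host named in the alert. The sample page below is constructed for the example.

```python
# Added example (not D1 Defend's tooling): find polyfill.io references in HTML.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host named in the alert; subdomains such as cdn.polyfill.io match as well.
SUSPECT_HOSTS = ("polyfill.io",)

class _RefCollector(HTMLParser):
    """Collect (kind, url) for every <script src=...> and <link href=...>."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.refs.append(("script", a["src"]))
        elif tag == "link" and a.get("href"):
            self.refs.append(("link", a["href"]))

def is_suspect(url):
    """True if url points at polyfill.io or any of its subdomains."""
    u = url.strip()
    if u.startswith("//"):          # protocol-relative form common in older pages
        u = "https:" + u
    host = urlparse(u).hostname     # None for relative paths such as /js/app.js
    if not host:
        return False
    return any(host == h or host.endswith("." + h) for h in SUSPECT_HOSTS)

def find_polyfill_refs(html):
    """Return the (kind, url) references in html that should be removed."""
    collector = _RefCollector()
    collector.feed(html)
    return [ref for ref in collector.refs if is_suspect(ref[1])]

# Constructed sample page: two polyfill.io loads, one benign CDN, two local assets.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v2/polyfill.js"></script>
<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
<link rel="stylesheet" href="/css/site.css">
<script src="/js/app.js"></script>
</head><body><p>sample</p></body></html>"""

if __name__ == "__main__":
    for kind, url in find_polyfill_refs(SAMPLE_HTML):
        print(f"REMOVE {kind}: {url}")
```

Run find_polyfill_refs over each saved page of a site (or over templates in the source tree) to build the removal list. Because polyfill.io generated its script per request, a subresource integrity hash cannot pin it, which is why removal or a switch to the mirrors mentioned above is the remedy rather than SRI.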

Pentest Report Findings

In your next penetration test, look for these report findings:

  • Under the “External IP Vulnerability Analysis Log” and “Internal Vulnerability Analysis Log,” you will find Polyfill-related findings listed under the “Web Application Scanning Consolidation / Info Reporting” section.

Stay Secure

As always, we are dedicated to your security. Take these steps promptly to safeguard your digital assets from this ongoing threat.

Contact Us Today!

How Cybercriminals Use AI to Power Their Attacks

July 2, 2024

Managing a business on your own is challenging enough without worrying about cyberattacks. However, there is cause for alarm as hackers are using artificial intelligence (AI) to launch sophisticated cyberattacks to steal your data and disrupt business operations.

The good news is there are steps you can take to protect your business. This blog will explain how AI is being used in cybercrime and how you can safeguard your business.

How hackers use AI

Here are some of the ways cybercriminals are exploiting AI:

Deepfakes: Hackers use AI to create highly realistic fake videos or audio recordings to impersonate someone you know, like your boss or a trusted friend. These deepfakes can be used to trick you into sending money or sharing sensitive information.

How to spot it: Look closely for details such as unnatural facial movements or poor synchronization between voice and lip movement.

AI-powered password cracking: With the help of AI, cybercriminals can effortlessly crack common and easy passwords. Hackers with access to advanced computation offered by AI can automate the breaching process, so they can try millions of combinations to guess your password.

How to fight back: Always use unique passwords. Consider using a password manager.

AI-assisted hacking: Hackers no longer have to spend hours looking for vulnerabilities. Instead, with the help of AI, they can create automated programs that not only identify weaknesses in your system but also create new types of malware.

How to stay ahead: Keep your security systems and software updated, and establish a routine of regular vulnerability scanning.

Supply chain attacks: Threat actors use AI to insert malicious code into legitimate vendor products, which will eventually compromise your systems as well.

How to protect yourself: Only download software from trusted sources. Always be vigilant with updates and patches.

Boost your defenses

AI-powered cybercrime is a growing threat. That’s why having a strong IT partner by your side can be the ultimate weapon in your arsenal. Partner with us to leverage advanced technology to fortify your defenses.

Reach out to us today for a consultation and learn how our team can secure your business against evolving cyber risks.

Contact Us Today!

Threat Intelligence: Alert: Critical Ivanti VPN Vulnerabilities

Posted: January 24, 2024

Two critical vulnerabilities, identified as CVE-2024-21887 and CVE-2023-46805, are opening the door for data to be stolen, and they don’t stop there. They also allow attackers to modify existing files in your environment and to download remote files.

So please REMOVE COMPROMISED DEVICES from your network and immediately prepare for an upcoming patch.

CISA has issued an emergency directive to mitigate all Ivanti 0-day vulnerabilities.

Quick Points:

  • Vulnerabilities: CVE-2024-21887 (Command Injection) and CVE-2023-46805 (Authentication Bypass)
  • Likelihood: Low to Medium. Approximately 15,000-20,000 VPN gateways are potentially exposed
  • Impact: High. Potential for unauthenticated remote code execution, data theft, file modification, and reverse tunneling
  • Current Mitigation IS UNSTABLE: Ivanti has released an XML file as a temporary workaround that IS UNSTABLE

Contact Us Today!

Threat Intelligence 2024 Special Edition

Posted: December 29, 2023

What a year! 

I think we all deserve a quieter 2024, and that’s why I’m sending out this special edition Threat Intelligence. Let’s see what we can learn from 7 dangerous themes that emerged in 2023 and apply those lessons to your MSP and your clients’ organizations.

1. Ransomware Renaissance: Top of the list? Yep. The big casino heist. Was this the worst event of 2023? Probably not. It does, however, help us understand that no one is safe. The most important point of this story: casinos are highly regulated, have great training programs, and have people who are great at following rules.

a. BOTTOM LINE: Cybersecurity risk mitigation isn’t ONLY about following rules.
b. PRO TIP: In 2024, make sure you’re creating strategic overlap not only within your advanced security solution stack, but also inside your administrative implementations (policy and training).

2. Credential Crisis: This got really ugly in 2023. Attackers got onto networks like normal users, then moved throughout the environment with privileged access. How is this lateral movement happening? The attackers were able to move through the network using single sign-on tokens. Whether you’re using passwords, multifactor authentication, or passwordless authentication, as long as trust exists in the network, a temporary login artifact is stored. That login artifact can often be replayed, leading to this lateral movement.

a. BOTTOM LINE: In 2024, this type of lateral movement will continue.

b. PRO TIP: Make sure you have user identity management and a mechanism in place to protect that user identity management system. Tokens and login artifacts should be treated as the crown jewels of your network. What mechanisms do you have in place to protect them from hackers? 

3. Supply Chain Siege: In 2023, hackers didn’t just use vulnerabilities. They also gained access through vendors and supply chain attacks. In one example, over 60 credit unions’ networks were held for ransom. The way in? Using the access one of their vendors had to their networks to deploy ransomware. These supply chain attacks are not single events or unlucky breaks for the victims. They represent a continuing trend of hackers exploiting weaknesses in an organization’s supply chain.

a. BOTTOM LINE: This trend will continue into 2024 and beyond.

b. PRO TIP: Steps to reduce the risk of supply chain threats include vendor evaluation, least privilege, and testing. The easiest way to test supply chain risk or insider threat exposure is a recurring penetration test focused on these threat vectors. For leaders in cybersecurity, educating organizations about this risk and testing for it is a necessity.

4. Data Deluge: The biggest data breaches we’ve ever seen: 3.8 billion email and password combinations leaked to the dark web. You might be thinking you have multifactor authentication, so this isn’t a big deal. But here’s the thing: this data is used to improve the models hackers use to socially engineer their victims. The data is imported into tools that build social webs and AI models, allowing hackers to figure out how people are connected and how to create an effective pretext when phishing users.

a. BOTTOM LINE: This has been lucrative for hackers, so it’s probably part of their 2024 success plan already.

b. PRO TIP: User training will be a critical component of your 2024 cybersecurity strategy.

5. Email Compromise: Got a story about someone who wired money to a scam? Well, join the crowd. That was a huge issue in 2023, and if you haven’t heard a story about it, well, you’ve been living under a rock.

a. BOTTOM LINE: The data shows that the number of victims and the amounts of money lost to these attacks continue to rise.

b. PRO TIP: I recommend having a Funds Transfer Policy as part of the security decisions you are guiding your clients on in Q1 of 2024. You’ll also want to include an M365 hardening project as part of your 2024 recommendations. Check out SecOps 160 for more details on this one. There’s even a script and a worksheet that will help you get it done.

6. Unpreparedness Unraveled: Organizations often make assumptions about how prepared they are, and this is truly dangerous. This year, I personally helped 11 different MSPs respond to ransomware events. Only one of them had a solid plan that was both documented and tested with their client.   

a. BOTTOM LINE: Many organizations are assuming their IT teams have this under control.  

b. PRO TIP: Your opportunity in 2024 is to educate your clients that incident response and recovery are an operational issue, not just an IT issue. Help your clients by offering tabletop exercises as a starting point to find out where they need practice. Build this into your compliance-as-a-service offering. And yes, all of your clients need compliance as a service.

7. Compliance Conundrum: Compliance has changed cybersecurity forever, and it’s just getting started. CMMC might impact less than 5% of your clients, and it may be years before any real case law exists or enforcement happens around it. However, cyber insurance requires a compliance program, and when people sign up for cyber insurance, they make commitments to security controls. Making these commitments means that you not only have to implement the controls but also gather evidence that they are implemented. The key is to build out a compliance program that can be iterated and expanded to support other standards like SOC2, ISO27001, CMMC, PCI, or FTC Safeguards as they become more mainstream.

a. BOTTOM LINE: In 2024, part of your security strategy should include introducing your clients to compliance programs and educating them. This elevates you from a security perspective into a thought leader and advisor. 

b. PRO TIP: To get started, we have a turnkey system in the portal that you can use on your clients and your own MSP to build your compliance program. 

Ultimately, the MSPs that see the most growth in 2024 will be the ones thinking about what happened in 2023 from a security standpoint and finding ways to reduce these risks in their 2024 offerings.

Inquire now to get started on this journey!

Contact Us Today!