The attacker made a mistake, but so did the vendors we trust
The recent attacks against Polyfill.io, BootCDN, Bootcss, and Staticfile customers were a complete nightmare for CDNs this week, but there is some good news for everyone. Thanks to eagle-eyed security researchers, it was discovered that a public GitHub repository contained Cloudflare’s secret keys that allowed the attacks to succeed. This also revealed that all four hacks came from a single source, as they all shared the code found in the repository.
Knowing that it was a single group helps less than having access to the code itself. The leak means the hotspots associated with the attackers’ Cloudflare account are now known, so they can be blocked. It also gives sysadmins the data they need to scan their logs and see whether their traffic has been misdirected. Hopefully, it will also lead to protective measures being put in place to stop the spread.
The attackers weren’t the only ones who made a big mistake. On Bleeping Computer you can see a notice sent by Google Ads notifying Polyfill.io that its main service, polyfill.io, and three others, Bootcss, BootCDN, and Staticfile, had suspicious redirects. Unfortunately, that warning was completely ignored and the attacks continued. If someone had acted on it, the attacks could have been limited or even stopped completely.
Hopefully next week there will be some good news for anyone still using those services.