Hi folks,
I wonder if I interpret the following right. The "Domain" polyfill.io is listed at Fortiguardservices as "bad" since 26th of June 2024.
See: Threat Signal Report | FortiGuard Labs
We recognized in our FGT, that we have logs about botnet-cc-connections exactly to this domain (polyfill.io). Our investigations show that our DC is trying to lookup the domain. When it tries it, the FGT redirects the request, which is good.
My assumption now is, that our clients (or some of them) are trying to lookup polyfill.io, ask our Domaincontroller/DNS and the DC/DNS is forwarding the request to the provider-dns. Then the FGT blocks it.
As polyfill.io was not "bad" before 26th of june and a lot of websites use the services of polyfill.io i further assume, that our clients are simply surfing to websites, which use this "tool" (polyfill) and then we got the botnetwarning.
We have not found any indication of a infection at our internal computers till now.
So, what do you think? Is my assumption something you say: Yes this is a way it might be, or do you think that this has to be an infection of our internal client(s)?
Thanks!
Given how fresh the advisory about polyfill.io being taken over by a malicious actor is, this is more likely to be innocent clients accessing regular websites that are using the polyfill JS library. Still, it won't hurt paying closer attention to your clients just to be safe.
Btw, according to the original source's updates ( https://sansec.io/research/polyfill-supply-chain-attack ), it looks like the cdn.polyfill.io domain has been withdrawn completely from DNS (doesn't resolve to anything anymore), so risks from this specific hostname should be mitigated for now. But look out for the others (mentioned in the same link).
I have the same kind of issue. Getting several IOC's where polyfill.io is blocked, which is good. But looking at the destination IP in the IOC message it looks like this IP is belonging to Fortinet? Can't put my finger on it.
If the IP is 208.91.112.55, that means it was initially caught and blocked/redirected by the DNS filter, as this is the default redirect-IP for blocked DNS requests.
Ok, I get it now. This is indeed the IP. Thanks for the quick reply.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.