Week of July 5th, 2024

Welcome to Your Cybersecurity Recap: a bite-sized weekly newsletter by cybersecurity enthusiasts, for cybersecurity enthusiasts.

Here are this week’s top takeaways:

Breaking News: Polyfill.io Attack Impacts Over 380,000 Hosts, a Broader Scope Than First Assumed

The supply chain attack targeting the widely used Polyfill JavaScript library is wider in scope than previously thought, with new findings first reported by The Hacker News detailing that 380,000 hosts are embedding a polyfill script linking to the malicious domain.

Big name brands impacted by this attack include, but are not limited to, WarnerBros, Hulu, Mercedes-Benz, and Pearson.

Polyfill offered widely used code fragments that let older or outdated browsers run modern JavaScript features. These fragments ease developers' workload and allow compatibility with a broader range of browsers. However, because the malicious code was inserted into these fragments, visitors to an infected website could unwittingly execute the malware in their browser.

Security professionals have found that the malicious code generates payloads that differ based on HTTP headers. This adds a layer of obfuscation: the code activates only on specific devices, delays execution, and avoids admin users, all of which make detection more difficult.

The development has since prompted domain registrar Namecheap to suspend the domain, content delivery networks such as Cloudflare to automatically replace Polyfill links with domains leading to alternative safe mirror sites, and Google to block ads for sites embedding the domain.

This news comes alongside WordPress security company Patchstack warning of further risks posed by the Polyfill supply chain attack on sites running the content management system (CMS) through dozens of legitimate plugins that link to the rogue domain.
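One defensive check prompted by this incident, as an added example (not code from the newsletter or from any of the vendors named): a small Python auditor that parses an HTML page, reports every third-party script and stylesheet include, flags any that reference polyfill.io, and notes whether each carries a Subresource Integrity hash. The flagged host list and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts tied to the incident. Assumption: illustrative, maintained from your
# own threat intelligence rather than a complete blocklist.
FLAGGED_HOSTS = {"polyfill.io", "cdn.polyfill.io"}

def _host(url):
    # Protocol-relative URLs (//host/path) still load from a third party.
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()

class ScriptAuditor(HTMLParser):
    # Collects every external <script src> and stylesheet <link href>.
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src") if tag == "script" else None
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            src = attrs.get("href")
        host = _host(src) if src else ""
        if not host or host == self.page_host:
            return  # inline or same-origin: not a third-party include
        self.findings.append({
            "tag": tag, "url": src, "host": host,
            # Exact match or any subdomain of polyfill.io.
            "flagged": host in FLAGGED_HOSTS or host.endswith(".polyfill.io"),
            # SRI pins the file hash, so swapped content fails to load.
            "has_sri": bool(attrs.get("integrity")),
        })

def audit_html(html, page_host):
    # Returns third-party include findings for one HTML document.
    auditor = ScriptAuditor(page_host)
    auditor.feed(html)
    return auditor.findings

# Constructed sample page (not a real site).
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
</head><body></body></html>"""
```

Because the payload varies with request headers, a scanner that downloads the script will not see what a given user's browser receives, so this check decides on the reference itself rather than on fetched content.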

Security Professionals Are Reporting a New Botnet Capable of Sophisticated DDoS Attacks

Cybersecurity researchers have uncovered a new botnet called Zergeca that's capable of conducting distributed denial-of-service (DDoS) attacks.

There is evidence to suggest that its authors are actively developing the malware and updating it to support new commands. Based on the C2 IP address, 84.54.51[.]82, the same infrastructure is said to have been used to distribute the Mirai botnet around September 2023.

Furthermore, as of April 29th, the same IP address began to be used as a C2 server for the new botnet, raising the possibility that the threat actors "accumulated experience operating the Mirai botnets before creating Zergeca."

Attacks mounted by the botnet, namely ACK flood DDoS attacks, targeted Canada, Germany, and the U.S. between early and mid-June 2024.

Zergeca's features span four distinct modules: persistence, proxy, silivaccine, and zombie. Respectively, they add a system service, implement proxying, remove competing miner and backdoor malware to gain exclusive control over devices running the x86-64 CPU architecture, and handle the main botnet functionality.

Operations Restored to Co-Ops Across Western Canada After Widespread Cyberattack

As of July 4th, all 398 Co-op cardlock fuel stations across western Canada have returned to full operation and can once again serve customers, signaling an end to the widespread disruptions first triggered by a cybersecurity incident the week prior.

“Our team has been working around the clock to recover our cardlock network and we want to thank Co-op cardlock customers for their patience and understanding throughout this process,” Federated Co-operatives Limited said in a statement.

Co-op’s cardlock stations are used by transport trucks and other large or corporate vehicles, and are separate from the co-operative’s regular retail pumps. They provide members with 24-hour self-serve access to fuel pumps.

Saskatoon-based company FCL announced on June 28 that it was grappling with a cybersecurity incident that was affecting internal systems, local retail Co-ops and cardlock fuel locations. It led the company to shut down some of its systems and investigate.

This past Wednesday, FCL said in a statement that it was working to get more cardlocks back in service every day, and that bringing the remainder back online was the top priority alongside restocking key grocery items and consumer goods for delivery.

In 2024, the connection between cybersecurity and reputation management has never been stronger. In our increasingly digital age, the way a brand identifies (and manages) itself determines how the public views its reputation... and that reputation heavily influences an organization's long-term success.

With cyberattacks like this week’s continuing to escalate year over year, the best offense is a proactive defense. Security professionals recommend taking the following steps to evaluate potential cybersecurity threats, and, in turn, work to mitigate both reputational and operational damages:

  • Identify potential risks through the customer lens. Always consider your customer’s perspective when identifying the reputational impact of potential breaches. Why do customers trust your company? What would they consider an unforgivable breach of this trust? Before a crisis, your management teams should think through potential issues. This will ensure future risks are identified before they happen.
  • Prioritize reputational risk as a business strategy. It’s difficult for IT leaders to determine the appropriate places to spend their limited budget. A reputational risk management strategy is important for your business. Implementing a strategic plan that anticipates reputational impacts rather than just reacting to a damaging event will serve your business best.
  • Encourage departmental cooperation. One of the biggest problems in an organization is the inability to share important knowledge across various departments. Organizational silos are barriers to change and communication. They make it hard to collaborate when critical problems arise. Encouraging collaboration will improve interdepartmental communication, making it easier to identify and tackle threats.
  • Establish a risk governance structure. The executive team has an important role not only in supporting a strategy but in doing damage control. When formulating a crisis management strategy, your organization should collaboratively choose leaders across all business units. The most effective way to manage misinformation is to designate individuals who are the only people authorized to serve as the company's voice in times of crisis.
  • Formalize and practice. After you formalize the essential aspects of your crisis plan, like how to mobilize a response, how to make decisions, and what information to communicate, it's time to practice. Rehearse a few critical reputational risks to see how they play out. Make sure all major players know their responsibilities in case of a reputation-damaging cybersecurity incident.

What are your thoughts on this week’s cyber incidents?
