Tag: Twilio

  • Twilio Security Scanner: Audit and Harden Your Twilio Configs in Seconds

    Twilio Security Scanner

    A security scanning tool for Twilio accounts that helps detect misconfigurations and security risks, including:

    • Public serverless functions and assets
    • Unencrypted HTTP webhooks in phone numbers and messaging services
    • API keys older than 90 days

    This tool is useful for DevOps, Security Engineers, and compliance teams looking to audit their Twilio configurations for security best practices.

    Output

    The scanner checks for several security concerns:

    Serverless Functions and Assets

    • Lists all public functions and assets
    • Outputs URLs and paths for each public endpoint
    • Saves findings to CSV if specified with -o flag

    Webhook Security

    • Identifies phone numbers using unencrypted HTTP webhooks
    • Checks messaging services for unencrypted HTTP URLs
    • Reports both primary and fallback URLs using HTTP

    API Key Age

    • Identifies API keys older than 90 days
    • Reports key names for rotation

    Trusted Apps

    • Lists all trusted connect applications
    • Shows count of connected applications

    CSV Output

    When using the -o flag, the scanner will save public serverless findings to a CSV file with:

    • Type (Function/Asset)
    • URL
    • Path
    • SID
    • Service Name – The friendly name of the Twilio service containing this function/asset
    • Service SID – The unique identifier of the service
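The three checks and the CSV columns described above, as an added example that is not the scanner's own code: it runs the same logic over constructed records whose field names are assumed to mirror Twilio's IncomingPhoneNumber, Key and Function Version REST resources (SIDs and domains are placeholders).

```python
"""Added example, not the scanner's own code: the README's three checks
run over constructed records. Field names are assumed to mirror Twilio's
IncomingPhoneNumber, Key and Function Version resources."""
from datetime import datetime, timedelta, timezone

KEY_MAX_AGE_DAYS = 90
WEBHOOK_FIELDS = ("voice_url", "voice_fallback_url", "sms_url", "sms_fallback_url")
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

def public_serverless(versions):
    """Rows (same columns as the scanner's CSV) for every version whose visibility is public."""
    return [{"Type": v["type"], "URL": f"https://{v['domain']}{v['path']}", "Path": v["path"],
             "SID": v["sid"], "Service Name": v["service_name"], "Service SID": v["service_sid"]}
            for v in versions if v["visibility"] == "public"]

def http_webhooks(numbers):
    """(phone_number, field, url) for each primary or fallback webhook served over plain HTTP."""
    found = []
    for n in numbers:
        for field in WEBHOOK_FIELDS:
            url = n.get(field) or ""          # fallback URLs are often unset (None)
            if url.lower().startswith("http://"):
                found.append((n["phone_number"], field, url))
    return found

def stale_keys(keys, now=NOW, max_age_days=KEY_MAX_AGE_DAYS):
    """Friendly names of API keys created more than max_age_days ago (rotation candidates)."""
    cutoff = now - timedelta(days=max_age_days)
    return [k["friendly_name"] for k in keys if k["date_created"] < cutoff]

# Constructed sample data; SIDs and the twil.io domain are placeholders, not real identifiers.
SAMPLE_VERSIONS = [
    {"type": "Function", "visibility": "public", "domain": "demo-1234.twil.io", "path": "/welcome",
     "sid": "SID_PLACEHOLDER_1", "service_name": "ivr-demo", "service_sid": "SVC_PLACEHOLDER_1"},
    {"type": "Asset", "visibility": "protected", "domain": "demo-1234.twil.io", "path": "/logo.png",
     "sid": "SID_PLACEHOLDER_2", "service_name": "ivr-demo", "service_sid": "SVC_PLACEHOLDER_1"},
]
SAMPLE_NUMBERS = [
    {"phone_number": "+15005550006", "voice_url": "https://example.com/voice",
     "voice_fallback_url": "http://example.com/voice-fallback", "sms_url": "http://example.com/sms",
     "sms_fallback_url": None},
]
SAMPLE_KEYS = [
    {"friendly_name": "ci-deploy", "date_created": NOW - timedelta(days=120)},
    {"friendly_name": "laptop-dev", "date_created": NOW - timedelta(days=10)},
]

if __name__ == "__main__":
    for row in public_serverless(SAMPLE_VERSIONS):
        print("PUBLIC", row["Type"], row["URL"], "in service", row["Service Name"])
    for number, field, url in http_webhooks(SAMPLE_NUMBERS):
        print("HTTP WEBHOOK", number, field, url)
    for name in stale_keys(SAMPLE_KEYS):
        print("ROTATE KEY", name)
```

Against a live account the same functions can be fed the objects returned by the Twilio SDK's list calls, but note that a public version that is saved and not deployed is not reachable, as the deployment-state note below explains.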

    Remediation Steps

    Public Functions and Assets

    If the scanner finds public functions or assets, you can:

    1. Locate the function/asset in the Twilio Console using the provided service name
    2. Navigate to: Console → Functions and Assets → Services → [Service Name]
    3. Review the function/asset visibility settings
    4. Change visibility from “Public” to “Protected” if the endpoint should not be publicly accessible
    5. Consider implementing authentication for endpoints that need controlled access

    Note: Making a function/asset protected will require valid Twilio credentials to access it.

    Note about Deployment State: Functions and assets can exist in two states:

    • Saved but not deployed: Even if marked as “public”, they are not accessible until deployed
    • Deployed: Will be publicly accessible if marked as “public”

    Unencrypted HTTP Webhooks

    For webhooks using HTTP instead of HTTPS:

    1. Update all webhook URLs to use HTTPS
    2. Ensure your webhook endpoints support HTTPS
    3. Update both primary and fallback URLs

    Old API Keys

    For API keys older than 90 days:

    1. Create new replacement API keys
    2. Update applications to use the new keys
    3. Revoke the old keys after confirming all systems are working

    Install & Use

  • FBI and CISA Report: Persistent Threats of Androxgh0st Malware

    Malicious actors exploit vulnerabilities, known for several years, to deploy the Androxgh0st malware and create a botnet aimed at stealing cloud-based credentials. This has been reported by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) of the United States.

    In a joint warning issued on January 16, the agencies stated that the Python-based malware primarily targets “.env” files containing credentials for AWS, Microsoft Office 365, SendGrid, and Twilio.

    Beyond scanning and exploiting stolen credentials, Androxgh0st can also be used for deploying web shells, executing remote code, pilfering sensitive data, and creating new users and AWS instances.

    For instance, in the event of a successful compromise of AWS credentials on a vulnerable website, malefactors attempt to create new users and user policies. Operators of Androxgh0st have been observed creating new AWS instances to conduct additional scans.

    The perpetrators behind the distribution of Androxgh0st favor three old vulnerabilities, for which patches have long been released: CVE-2017-9841 (a command injection vulnerability in PHPUnit), CVE-2018-15133 (an insecure deserialization vulnerability in the Laravel web application leading to remote code execution), and CVE-2021-41773 (a path traversal vulnerability in Apache HTTP Server, also leading to remote code execution).

    CVE-2017-9841 allows remote execution of PHP code through a malicious HTTP POST request and downloading files onto the system hosting the compromised website. Malefactors can install a deceptive page to establish a “backdoor” to the site, enabling them to download additional malicious files and gain access to databases.

    The malware also scans Laravel websites whose “.env” files are accessible, sending GET or POST requests to steal credentials and tokens.

    The third method, exploiting a vulnerability in Apache HTTP Server versions 2.4.49 or 2.4.50, allows path traversal attacks. Malefactors scan for URLs that are not protected by the “Require all denied” configuration and that lack Common Gateway Interface (CGI) scripts, facilitating remote code execution attacks.

    In the security alert published by the agencies, a list of indicators of Androxgh0st compromise is also provided. The FBI and CISA suggest several measures to mitigate the risk of infection.

    One tactic is to ensure that Apache servers do not use vulnerable versions 2.4.49 or 2.4.50. It’s also crucial to verify that the default configuration for all URLs prohibits any requests unless there are legitimate reasons for access.

    Furthermore, it’s recommended to regularly review platforms and services listing credentials in “.env” files, checking for unauthorized usage.

    Lastly, as always, timely updating of operating systems, device firmware, and other software is recommended. However, as can be noted from the exploitation of well-known vulnerabilities, few apply this advice in practice.
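The detection side of the “.env” probing described above, as an added example that is not part of the report and not code the agencies published: a Python check over constructed access-log lines in Apache combined format that groups requests for `.env` files by source address and flags any probe that was actually served with HTTP 200, since the credentials in such a file must then be treated as exposed and rotated.

```python
"""Added example, not from the advisory: flag requests for ".env" files in
combined-format access logs and note whether any were served (HTTP 200).
The log lines below are constructed; the addresses are documentation ranges."""
import re
from collections import defaultdict

# Apache/nginx combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_env_probe(path):
    """True if any path component is a .env file (/.env, /app/.env, /.env.bak, ...)."""
    clean = path.split("?", 1)[0].lower()      # ignore the query string
    return any(seg.startswith(".env") for seg in clean.split("/"))

def env_probes(lines):
    """Group .env requests by source IP. 'served' is True if any probe got HTTP 200,
    which means the file is readable from the internet and its secrets are compromised."""
    by_ip = defaultdict(lambda: {"count": 0, "served": False, "paths": []})
    for line in lines:
        rec = parse_line(line)
        if rec and is_env_probe(rec["path"]):
            entry = by_ip[rec["ip"]]
            entry["count"] += 1
            entry["paths"].append(rec["path"])
            if rec["status"] == "200":
                entry["served"] = True
    return dict(by_ip)

SAMPLE_LOG = [  # constructed sample lines
    '203.0.113.7 - - [16/Jan/2024:10:01:22 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Jan/2024:10:01:23 +0000] "GET /laravel/.env HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Jan/2024:10:01:24 +0000] "POST /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [16/Jan/2024:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, info in env_probes(SAMPLE_LOG).items():
        state = "SERVED - rotate every credential in that file" if info["served"] else "blocked"
        print(f"{ip}: {info['count']} .env request(s), {state}: {info['paths']}")
```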