If you aren’t familiar with Twilio, it is a communication service company whose cloud-based platform lets developers add communication features to their applications through its APIs. Users can programmatically make calls, send texts and integrate with other messaging applications. In recent years, Twilio has been in the news for its enormous growth and profits, which have seen its stock price grow by 160% in 2020 alone. On July 19th, 2020, the company was once again in the news, but for completely different reasons. A security breach revealed a common vulnerability that continues to plague IaC users and had the company scrambling to save face and data.
Early on July 19th, it became clear that a Magecart-style attack had been launched on the company’s software. This type of cyberattack has become increasingly popular among malicious actors as they realize that Infrastructure as Code misconfigurations create gaps in security that can be used to insert skimming code that tries to capture users’ financial information. Essentially, attackers have discovered that many companies don’t provide adequate protections for their AWS S3 buckets, and they are targeting those buckets.
IaC and Misconfiguration
Amazon Web Services does protect S3 buckets, but IaC misconfiguration often creates vulnerabilities. Many companies use S3 buckets to store sensitive data, and a misconfiguration can expose that private information to anyone who knows where to look. In the case of Twilio, the attackers used a Magecart-style attack and were able to gain write access to an S3 bucket. Fortunately, Twilio doesn’t store data there, but the software code hosted in the bucket was accessible, and the attackers could have changed that code to distribute malware.
While Twilio was able to identify the breach and clean up the code before any damage was done, the incident is another reminder of the importance of avoiding misconfiguration when it comes to IaC. According to Twilio, the attack was designed to serve malicious ads to mobile phone users. Had the attack succeeded, there wouldn’t have been any major damage except to the company’s reputation. In response to the incident, the company is planning to improve monitoring in order to respond quickly to breaches.
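The misconfiguration described in the two paragraphs above is a bucket whose IaC definition lets anonymous users write to it. The following check, added here as an illustration and not Twilio’s or prancer’s code, scans a CloudFormation template for S3 buckets with a public canned ACL, an incomplete S3 Block Public Access setting, disabled versioning, or a bucket policy that grants write actions to a wildcard principal. The template, bucket names and logical IDs are constructed for the example; the property names are the documented AWS::S3::Bucket and AWS::S3::BucketPolicy properties.

```python
"""Flag S3 buckets in a CloudFormation template that allow public writes.

Added example, not Twilio's or prancer's own code. SAMPLE_TEMPLATE is a
constructed template with one weak bucket and one hardened bucket.
"""
import json

# Canned ACLs that grant access beyond the bucket owner's account.
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
# All four S3 Block Public Access switches should be on for non-public buckets.
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
# Actions that let a caller change hosted content or the bucket's own security settings.
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl",
                 "s3:putbucketacl", "s3:putbucketpolicy", "s3:*", "*"}

SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        # Weak: anyone can overwrite the hosted code, and a tampered object cannot be rolled back.
        "SdkAssets": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketName": "example-sdk-assets", "AccessControl": "PublicReadWrite"},
        },
        "SdkAssetsPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "Bucket": {"Ref": "SdkAssets"},
                "PolicyDocument": {"Statement": [{
                    "Effect": "Allow", "Principal": "*",
                    "Action": ["s3:GetObject", "s3:PutObject"],
                    "Resource": "arn:aws:s3:::example-sdk-assets/*"}]},
            },
        },
        # Hardened: private ACL, public access fully blocked, versioning on.
        # Public delivery would go through a CDN origin that reads from the bucket (assumption).
        "SdkAssetsHardened": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketName": "example-sdk-assets-hardened",
                "AccessControl": "Private",
                "PublicAccessBlockConfiguration": {k: True for k in BLOCK_KEYS},
                "VersioningConfiguration": {"Status": "Enabled"},
            },
        },
    }
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (anonymous / any AWS account)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def check_bucket(logical_id, props):
    """Findings for one AWS::S3::Bucket resource."""
    findings = []
    acl = props.get("AccessControl", "Private")
    if acl in PUBLIC_ACLS:
        findings.append(f"{logical_id}: canned ACL '{acl}' grants access outside the owning account")
    pab = props.get("PublicAccessBlockConfiguration", {})
    missing = [k for k in BLOCK_KEYS if pab.get(k) is not True]
    if missing:
        findings.append(f"{logical_id}: public access block incomplete, unset: {', '.join(missing)}")
    if props.get("VersioningConfiguration", {}).get("Status") != "Enabled":
        findings.append(f"{logical_id}: versioning disabled, modified objects cannot be rolled back")
    return findings


def check_policy(logical_id, policy_doc):
    """Findings for one AWS::S3::BucketPolicy: write actions allowed to a wildcard principal."""
    findings = []
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        public_writes = sorted(actions & WRITE_ACTIONS)
        if public_writes:
            findings.append(f"{logical_id}: policy allows anonymous {', '.join(public_writes)}")
    return findings


def scan_template(template_json):
    """Return all findings for the S3 resources in a CloudFormation template (JSON text)."""
    template = json.loads(template_json)
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::S3::Bucket":
            findings.extend(check_bucket(logical_id, props))
        elif res.get("Type") == "AWS::S3::BucketPolicy":
            findings.extend(check_policy(logical_id, props.get("PolicyDocument", {})))
    return findings


if __name__ == "__main__":
    for finding in scan_template(SAMPLE_TEMPLATE):
        print(finding)
```

Run against the sample, the scan reports four findings, all for the weak bucket and its policy, and nothing for the hardened bucket. Running a check like this in the pipeline that applies the template catches the public-write setting before the bucket exists rather than after someone has written to it. Note that AWS has since changed the defaults so that new buckets have Block Public Access enabled and ACLs disabled, which closes the canned-ACL path for buckets created with the defaults, but templates that set these properties explicitly still need to be reviewed.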
Lessons from the Twilio Breach
The Twilio breach is another reminder that no matter how advanced and automated IaC and cloud technology becomes, it is still fundamentally a human system, and that means mistakes can be made. It also shows that businesses have to be more careful even when it comes to open-source collaboration. Some assets should be publicly accessible so that users can view and create files, but there must be authentication and access gateways for other assets. Ultimately, the company did the best it could in the situation. You can’t prevent every attack, but you can build systems that quickly identify problems so that you can respond immediately. Twilio also received praise from industry experts for being transparent about the incident and how it responded. This helps others learn and hopefully avoid similar situations.
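The "quickly identify problems" point above comes down to knowing what the published code is supposed to look like and noticing when it changes. The example below is added here and is not Twilio’s or prancer’s code: it keeps a baseline manifest of SHA-256 hashes for the objects in a release, reports objects that were modified, added or removed, and computes the Subresource Integrity value a page can put on its script tag so a browser refuses a modified copy. The object keys and contents are constructed; in practice the current objects would come from listing and downloading the bucket, which is left out here.

```python
"""Detect modified, added or removed objects in hosted code against a baseline manifest.

Added example, not Twilio's or prancer's own code. ORIGINAL and TAMPERED are
constructed stand-ins for the objects of one release; a real check would
fetch the current objects from the bucket (for example with boto3).
"""
import base64
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sri_digest(data: bytes) -> str:
    """Subresource Integrity value for <script integrity="..."> (sha384, base64)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode("ascii")


def verify_sri(data: bytes, expected: str) -> bool:
    """What a browser does with the integrity attribute: reject content whose digest differs."""
    return sri_digest(data) == expected


def build_manifest(objects: dict) -> dict:
    """Map each object key to the SHA-256 of its content; record this at release time."""
    return {key: sha256_hex(body) for key, body in objects.items()}


def detect_drift(baseline: dict, current_objects: dict) -> dict:
    """Compare the stored manifest with what the bucket holds now."""
    current = build_manifest(current_objects)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


# Constructed sample: the release as published, then a copy where one file
# has an appended line and an unexpected file has appeared.
ORIGINAL = {
    "sdk/v1/client.js": b"export function init() { return 'ok'; }\n",
    "sdk/v1/LICENSE": b"MIT\n",
}
TAMPERED = {
    "sdk/v1/client.js": ORIGINAL["sdk/v1/client.js"] + b"// appended line\n",
    "sdk/v1/LICENSE": b"MIT\n",
    "sdk/v1/extra.js": b"// not part of the release\n",
}
BASELINE = build_manifest(ORIGINAL)


if __name__ == "__main__":
    print(detect_drift(BASELINE, TAMPERED))
    print(sri_digest(ORIGINAL["sdk/v1/client.js"]))
```

The manifest comparison is the server-side monitor: run it on a schedule, or from the bucket’s object-created notifications, and alert on any non-empty result. The SRI digest is the client-side complement: pages that embed the hosted script with that integrity value stop loading a modified copy even before the monitor fires, at the cost of having to update the value with every legitimate release.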
Ultimately, IaC is a valuable tool that represents a major evolution in technology. However, it is not a perfect system, and misconfiguration continues to be a top security concern. If you need help improving IaC security and ensuring continuous compliance, contact prancer. We specialize in cloud validation frameworks that will help you make the most of IaC and cloud technology.