Twilio exposes SDK, attackers inject it with malvertising code

Twilio today disclosed that its TaskRouter JS SDK was compromised by attackers after they gained access to one of its misconfigured Amazon AWS S3 buckets which left the SDK’s path publicly readable and writable for roughly five years, since 2015.

Twilio is a cloud communications platform as a service (CPaaS) company that powers communications for over 40,000 businesses and helps developers add voice, video, messaging, and authentication capabilities to their apps using Twilio’s web service APIs.

The company’s customer list includes Twitter, Netflix, Uber, Shopify, Morgan Stanley, Airbnb, Wix, Spotify, Yelp, Hulu, Intuit, ING, eBay, and countless others.

According to an incident report published by Twilio today, the attackers injected the malicious code only within version 1.20 of the TaskRouter JS SDK library used by customers to route tasks to agents or processes via the Twilio TaskRouter attribute-based routing engine.

“Due to a misconfiguration in the S3 bucket that was hosting the library, a bad actor was able to inject code that made the user’s browser load an extraneous URL that has been associated with the Magecart group of attacks,” Twilio said.

Malicious SDK served for at least 24 hours

The company says that its security and product teams replaced the malicious TaskRouter JS SDK library and secured the S3 bucket within an hour after initially being alerted of the attack.

On Sunday July 19th, we became aware of a modification that had been made to a Javascript library that we host for our customers to include in their applications. A modified version of the TaskRouter JS SDK was uploaded to our site at 1:12 PM PDT (UTC-07:00). We received an alert about the modified file at approximately 9:20 PM PDT and replaced it on our site around 10:30 PM PDT. – Twilio

As Twilio explained, the altered TaskRouter JS SDK library may have been available through user browsers or via the company’s CDN for up to another 24 hours after being replaced.

Twilio says that it has found no evidence so far of the attackers gaining access to any customer information or data. The attackers were also not able to access any of Twilio’s internal systems, code, or data.

After the initial remediation and an audit of its other AWS S3 buckets, the company also found other unsecured buckets after an audit but says that no other hosted SDKs have been impacted in the incident.

Also during the incident review, the company discovered the path that hosted the TaskRouter JS SDK was left configured with public write access for almost five years.

During our incident review, we identified that this path was not initially configured with public write access when it was added in 2015. We implemented a change 5 months later while troubleshooting a problem with one of our build systems and the permissions on that path were not properly reset once the issue had been fixed. – Twilio

Twilio said, that “while Twilio Flex uses TaskRouter to provide routing of interactions to agents, Flex customers were not impacted by this issue. Twilio Flex uses a different SDK for TaskRouter, does not load it from the public site, and bundles it as part of a single JS file for flex-ui.”

However, the company also urged customers to replace the impacted SDK immediately if they downloaded it while it was compromised.

If you downloaded a copy of v1.20 of the TaskRouter JS SDK between July 19th, 2020 1:12 PM and July 20th, 10:30 PM PDT (UTC-07:00), you should re-download the SDK immediately and replace the old version with the one we currently serve. – Twilio

The Magecart connection

As Twilio discovered while analyzing the JavaScript code injected by the attackers, the code is actually a malicious traffic redirector — tracked by RiskIQ as jqueryapi1oad — and is connected to a long-running advertising campaign known as Hookads.

Hookads uses JavaScript redirectors to redirect website visitors through a series of decoy sites looking like online ads and online games with the end goal of installing malware payload using exploit kits.

jqueryapi1oad is connected to 671 unique domains, “including a domain in the top 1,500 of Alexa rankings,” as RiskIQ threat researcher Jordan Herman told BleepingComputer. “We’ve detected 173 newly affected domains since the start of the month.”

Herman also said that the Twilio compromise is yet another instance of unsecured Amazon S3 buckets used as an attack vector.

“Because of how easy they are to find and the level of access it grants attackers, we’re seeing attacks like this happening at an alarming rate.”

Twilio found that the malicious code injected in the TaskRouter JS SDK library loads an URL from gold.platinumus[.]top/track/awswrite and then redirects to other sites, blocking the use of the browser’s back button, attempting to collect data related to mobile devices all along the way.

“This script also specifically attempts to gather data about the size of the user’s touchscreen and uses events that are targeted at mobile devices,” Twilio said.

“This behavior, along with the indicators, are consistent with a malvertising campaign associated with the Magecart group of attacks targeted at users of mobile devices.

“We believe that the attack was designed to serve malicious advertising to users on mobile devices.”

Update: Added additional jqueryapi1oad info from Jordan Herman.


Next Post

Sharks ‘functionally extinct’ from one in five coral reefs | Science

Thu Jul 23 , 2020
By Erik StokstadJul. 22, 2020 , 11:10 AM Sharks are missing from 19% of the world’s coral reefs, the greatest decline of reef sharks ever recorded, according to a new analysis. The study suggests overfishing, driven largely by dense human populations and poor governance, has made the ocean’s top predators […]