Attackers Hunting For Twilio Credentials
One request that has been showing up more and more often in our honeypots recently is pretty simple:
GET /twilio.env HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Twilio is a popular service used to send/receive SMS messages and phone calls [1]. They offer a simple API and integration is very easy. To authenticate to the API, requests need to include an "Account SID" and "Auth Token". As with many similar APIs, every request carries these credentials, so anyone who obtains them can use the account.
Twilio's documentation suggests storing these credentials in environment variables and using a .env file to initialize the variables [2]:
It’s important to keep credentials such as your Twilio Account SID and Auth token secure by storing them in a way that prevents unauthorized access. One common method is to store them in environment variables which are then accessed from your app. This keeps them out of code and other places where credentials don’t belong. Let’s take a look at how to work with environment variables with a variety of operating systems and languages.
Using environment variables to store credentials is common practice and not the worst way to store this kind of data. A secure credential wallet/management system is of course preferred, but Twilio's advice makes sense in that it is language agnostic and not limited to a particular solution a developer may have selected.
But the location of the .env file matters. Files like this should NEVER be placed inside the Web Root / Document Root of a website. Instead, place them outside it, in a location a browser cannot reach directly. In addition, configure the web server to refuse direct requests for these files. The web server process will likely need read permission to open the file, but it must never deliver the file unparsed to a client. And if a .env file has been reachable from the outside, assume the credentials in it are compromised and rotate them.
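The following Python script is an added example, not code from the original diary or from Twilio: it loads the two credentials from a .env file but refuses to run if that file resolves to somewhere under the document root or is readable by other local users. The document root path, the KEY=VALUE format and the variable names TWILIO_ACCOUNT_SID / TWILIO_AUTH_TOKEN are assumptions for the example (the names are the ones Twilio's helper libraries read from the environment).

```python
"""
Added example (not code from the original diary or from Twilio): load the
Account SID and Auth Token from a .env file and refuse to run if that file
sits inside the document root or is readable by other local users.

Assumptions (hypothetical): the app knows its document root, the file uses
simple KEY=VALUE lines, and the keys are the TWILIO_ACCOUNT_SID /
TWILIO_AUTH_TOKEN names Twilio's helper libraries read.
"""
import os
import stat
import tempfile
from pathlib import Path

REQUIRED_KEYS = ("TWILIO_ACCOUNT_SID", "TWILIO_AUTH_TOKEN")
SAMPLE_SID = "AC" + "0" * 32   # shape of a Twilio Account SID; not a real one


class EnvFileError(RuntimeError):
    """The .env file is in a dangerous place, too permissive, or incomplete."""


def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and comments, allow 'export KEY=...'."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a KEY=VALUE line
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # strip surrounding quotes
        values[key.strip()] = value
    return values


def check_env_location(env_path, document_root):
    """Reject a .env that a browser could fetch or any local user could read."""
    env_path = Path(env_path).resolve()
    document_root = Path(document_root).resolve()
    # Anything under the document root is one misconfigured rule away from being served.
    if document_root in env_path.parents:
        raise EnvFileError(
            f"{env_path} is inside the document root {document_root}; "
            "move it outside the web-served tree")
    mode = stat.S_IMODE(env_path.stat().st_mode)
    # The web server's user (or group) must read it; nobody else should.
    if mode & stat.S_IRWXO or mode & stat.S_IWGRP:
        raise EnvFileError(
            f"{env_path} has mode {oct(mode)}; use 600, or 640 with the web server's group")


def load_twilio_credentials(env_path, document_root):
    """Return the two Twilio credentials after the placement/permission checks."""
    check_env_location(env_path, document_root)
    values = parse_env(Path(env_path).read_text())
    missing = [k for k in REQUIRED_KEYS if not values.get(k)]
    if missing:
        raise EnvFileError("missing in .env: " + ", ".join(missing))
    return {k: values[k] for k in REQUIRED_KEYS}


def demo():
    """Exercise the checks on a throwaway directory tree (constructed data)."""
    results = {}
    body = (f"TWILIO_ACCOUNT_SID={SAMPLE_SID}\n"
            "TWILIO_AUTH_TOKEN='not-a-real-token'\n")
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        docroot = site / "public_html"   # what the web server serves
        docroot.mkdir()
        # 1. Correct: next to, not under, the document root; owner-only.
        good = site / "twilio.env"
        good.write_text(body)
        os.chmod(good, 0o600)
        results["good"] = load_twilio_credentials(good, docroot)
        # 2. Wrong place: exactly the file the scanner above was asking for.
        bad = docroot / "twilio.env"
        bad.write_text(body)
        os.chmod(bad, 0o600)
        try:
            load_twilio_credentials(bad, docroot)
        except EnvFileError as err:
            results["inside_root_error"] = str(err)
        # 3. Right place, but world-readable.
        os.chmod(good, 0o644)
        try:
            load_twilio_credentials(good, docroot)
        except EnvFileError as err:
            results["perm_error"] = str(err)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The placement check uses the resolved paths, so a symlink from inside the document root to a file outside it is still rejected. The permission check deliberately allows group read (mode 640 with the web server's group) because that is the usual way to let a root-owned file be read by the www-data/nginx user.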
twilio.env isn't the only .env file that attackers are looking for. This particular attacker is also requesting:
GET /.env.dev
GET /.env.prod
GET /.env.stage
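An added example (not from the original diary) of what this scanning looks like from the defender's side: a Python script that reads web server access log lines in the usual "combined" format, flags requests for .env-style paths, and separates plain probes from requests that were answered with a 200 and a body, which means the file was actually served. The log lines in the script are constructed for the example; the addresses come from the RFC 5737 documentation ranges.

```python
"""
Added example (not part of the original diary): scan web server access log
lines for requests probing .env-style files, the way the honeypot request
above would look in an Apache/nginx "combined" log.

The log lines embedded below are constructed for this example; the IP
addresses are from the documentation ranges (RFC 5737), not real scanners.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined" log format. Referrer and User-Agent are optional so
# the parser also accepts the shorter "common" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Last path component ends in ".env" (twilio.env, config.env, .env) or starts
# with ".env" followed by a separator (.env.dev, .env.prod, .env.bak, .env~).
# Names like ".envelope" or "environment.js" do not match.
ENV_RE = re.compile(r'/[^/]*\.env(?:[._~-][^/]*)?$')


def find_env_probes(lines):
    """Return one dict per request whose path looks like a .env file."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognised log line; skip rather than crash
        # Drop the query string and decode %-escapes so "/%2Eenv?x=1" is still seen.
        path = unquote(m.group("target").split("?", 1)[0])
        if not ENV_RE.search(path):
            continue
        status = int(m.group("status"))
        size = 0 if m.group("size") == "-" else int(m.group("size"))
        # A 200 with a body is the real incident: the file was served. (A site
        # that answers every URL with a 200 "not found" page needs manual review.)
        severity = "EXPOSED" if status == 200 and size > 0 else "probe"
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "path": path,
            "status": status,
            "severity": severity,
            "ua": m.group("ua") or "",
        })
    return hits


def probes_per_ip(hits):
    """Count probing requests per source IP (for blocking / threat intel)."""
    return dict(Counter(h["ip"] for h in hits))


def exposed_paths(hits):
    """Paths that were actually served with a 200: these need credential rotation."""
    return sorted({h["path"] for h in hits if h["severity"] == "EXPOSED"})


# Constructed sample log, not real traffic. Line 1 mirrors the honeypot request.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Dec/2022:10:12:01 +0000] "GET /twilio.env HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0"
203.0.113.7 - - [03/Dec/2022:10:12:02 +0000] "GET /.env.dev HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0"
203.0.113.7 - - [03/Dec/2022:10:12:02 +0000] "GET /.env.prod HTTP/1.1" 403 199 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0"
198.51.100.4 - - [03/Dec/2022:10:15:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [03/Dec/2022:10:15:41 +0000] "GET /.well-known/acme-challenge/abc123 HTTP/1.1" 200 87 "-" "-"
198.51.100.4 - - [03/Dec/2022:10:15:42 +0000] "GET /assets/envelope.css HTTP/1.1" 200 310 "-" "Mozilla/5.0"
192.0.2.99 - - [03/Dec/2022:11:02:13 +0000] "GET /%2Eenv?x=1 HTTP/1.1" 200 412 "-" "python-requests/2.28.1"
"""

if __name__ == "__main__":
    found = find_env_probes(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["severity"]:8} {h["ip"]:15} {h["status"]} {h["path"]}')
    print("per IP:", probes_per_ip(found))
    print("served:", exposed_paths(found))
```

Run against a real log with `find_env_probes(open("/var/log/nginx/access.log"))`. The per-IP counts are the scanner list; anything in the exposed list means the file left the server and the credentials in it need to be rotated, whatever the blocking rules look like now.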
In Apache, you may use the following FilesMatch directive to block access to ".env*" files. The pattern is not anchored, so it also covers twilio.env (but note that it will match any other filename containing ".env" as well):
<FilesMatch "\.env">
    Require all denied
</FilesMatch>
On Apache 2.2, replace "Require all denied" with "Order allow,deny" followed by "Deny from all".
Or in nginx (regular-expression locations are evaluated in the order they appear in the configuration, so put this block before other regex locations, such as the one that hands .php files to PHP-FPM):
location ~ /\.env {
deny all;
}
In the past, I sometimes blocked access to all files starting with ".", but if you do, be careful to still allow access to /.well-known/ (in particular /.well-known/acme-challenge/), which the Let's Encrypt ACME HTTP-01 challenge needs. In nginx, a "location ^~ /.well-known/" prefix block takes precedence over the regex rule above.
[1] https://www.twilio.com/
[2] https://www.twilio.com/docs/usage/secure-credentials
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu