Cloud communications company Twilio says an attacker cloned some of its GitHub repositories and stole customer emails — in the latest fallout from a software supply chain attack on code analysis firm Codecov.
Twilio joins cloud infrastructure provider Hashicorp in admitting to exposure as a result of its use of Codecov tools, which were maliciously modified by an attacker in January, before being spotted in April.
(nb: Hundreds of other companies are also understood to be affected by the incident. Twilio and Hashicorp are just choosing the admirable route of being particularly transparent about the impact on them of the incident.)
The incident comes after Codecov on April 25 admitted that it had leaked credentials that let an attacker modify its Bash Uploader script. They used this to change code in Bash Uploader — which lets users detect their code environment, gather reports, and upload them to Codecov. This gave the attacker the ability to harvest data on Codecov users’ code environments and send it to a “third-party server outside of Codecov’s infrastructure.”
Codecov claims to have over 30,000 enterprise customers.
Twilio: Codecov breach saw emails stolen
Twilio said April 4 that it had been tipped off by GitHub after a Twilio user token was exposed.
GitHub told it “suspicious activity had been detected related to the Codecov event and a Twilio user token… had been exposed. GitHub.com had identified a set of GitHub repositories that had been cloned by the attacker in the time before we were notified by Codecov… We wanted to be certain that we covered any potential exposures, so we conducted a deep-dive review of our repositories. In one of them, we found a small number of email addresses belonging to Twilio customers. At this time, we have no evidence that any other customer information was accessed and no indication that any of our repositories were modified by the attacker.
“Further, we performed automated scanning to detect secrets in our repositories and manual reviews to verify findings. This resulted in rotating all secrets contained in possibly exposed repos.”
In detailed post Twilio outlined its existing security practices, including its use of a “robust third party security team that evaluates both new and existing vendors” and an “active internal service, called Deadshot, that scans GitHub pull requests. The service scans pull requests in real time to identify secrets and other common insecure coding practices in code being merged to GitHub. If Deadshot finds insecure code, it notifies the user doing the pull request and notifies our Product Security team when a specific type of secret is found. This allows developers to go back and delete or change their code before merging it to GitHub.”
Twilio — which has over 200,000 active customer accounts — concluded: “We have no indication that any customer data, beyond the small number of email addresses, was accessed or is at risk. We also do not have or foresee any issues with the availability or functionality of any Twilio products.”
Hashicorp has also admitted impact.
Cloud infrastructure firm Hashicorp on April 22 also admitted what has appears to have been much more limited impact, saying the GPG private key used for signing hashes used to validate HashiCorp product downloads was exposed, but its nvestigation has not revealed evidence of unauthorised usage of the exposed GPG key.
The company rotated keys anyhow in order to maintain a trusted signing mechanism. The company said somewhat more vaguely that it had “performed additional remediations related to information potentially exposed during this incident.”
“Incident response activities are ongoing, and relevant updates and outcomes will be shared promptly when available,” Hashicorp said.
A September 2020 report by security services firm BlueVoyant found that 82% of UK organisations surveyed had experienced a cybersecurity breach that originated from vulnerabilities in their vendor ecosystem in the past 12 months, and the average respondent’s organisation had been breached in this way 2.6 times.
The research also found organisations are experiencing multiple pain points across their cyber risk management program as they aim to mitigate risk across a network that typically encompasses over 1,000 vendors. Troublingly, the survey — based on responses from 1,500+ CIOs, CISOs, and CPOs — found 34% said they have “no way of knowing” if cyber risk emerges in a third-party vendor.