Several high-profile Twitter accounts were targeted recently in an attack that involved the hackers accessing internal Twitter systems and tools.
Twitter said the attackers targeted roughly 130 accounts. The hackers used the hijacked accounts to post tweets that attempted to convince their followers to send bitcoin to a specified address. Hundreds of people fell for it and sent over $100,000 in bitcoin to the scammers.
Twitter has only shared limited technical information about the attack, but some victims say the attackers hijacked their accounts by changing the associated email address and initiating the password reset process. Since the targeted accounts were now linked to the hackers’ email address, they could change the victim’s password and disable any security measures.
The attackers, which allegedly had help from a Twitter employee, may be involved in SIM swapping schemes. Some of these individuals claimed just days before the Twitter hack that they could change the email address on any account.
Industry professionals have commented on various aspects of this breach, including why it was possible, how it could have been prevented, and its potential impact.
And the feedback begins…
Mikko Hyppönen, chief research officer, F-Secure:
“This was the biggest security breach in Twitter’s history, but ordinary users were not affected by it at all – unless they fell for the scams posted by the hacked celebrities.
The way this hack was done also means that there’s nothing any users could have done to prevent it from happening.
[…]
In the end; this could have been much worse. Twitter is big and important people have large amounts of followers there – but even Snapchat and Reddit have more users than Twitter. The real gorillas in social media are Instagram, YouTube and Facebook.
And the attack could have done far worse things than try to scam Bitcoins out of people; the attackers had access to everything. They could have done anything on Twitter. They could have started tweeting weird things in the names of the U.S. Presidential candidates during the voting this November, for example.”
Melody J. Kaufman, cyber security specialist, Saviynt:
“I don’t think this was entirely a bitcoin scam but instead a proof of concept in which bitcoins were just a side venture. I think the ultimate goal was to prove that high profile accounts are vulnerable and can be subverted to message on behalf of others. The bitcoin angle serves as a good cover for real motive as it seems to the onlooker that the attackers have gotten what they wanted.
There are many reasons hackers would want to compromise high-profile social media accounts. Influence has become a form of currency with which a lot of things can be bought. Given that we’ve already seen the way social media can be used to influence popular opinion and given that this is an election year. It seems to me that once you have a proof-of-concept that these verified accounts can be hacked there are two easy logical leaps. One is to damage the credibility of Twitter’s system which allows the shadow of doubt to be cast on legitimate statements by high-profile individuals. The other possibility is to potentially compromise such accounts in the future and disseminate altered messaging in more subtle ways to leverage their influence to impact state and national issues.
The key vulnerabilities of Twitter that were exposed come down to challenges in trusting internal users and validating identities of external parties. From what we are seeing, the attack was either initiated through an internal user or using their credentials. If this administrative system that allows access to these high profile accounts was more tightly secured with better controls such as a second user signoff on tasks related to “verified” users, much the way many accounting systems operate, this attack would either have been stopped early or blocked altogether.”
Costin Raiu, Director of GReAT, Kaspersky:
“The attack that happened yesterday is possibly one of the worst security incidents at Twitter, if not the worst. We have seen compromises of high profile accounts in the past, which were used to post cryptocurrency-related scams, but they pale in comparison to this one. For instance, @Jack was hacked in 2019 through SIM-swap attacks, and president Trump’s account was deleted by a Twitter employee. Yet, the scope of the current attack is much larger, affecting many top accounts, with hundreds of millions of followers combined.
It appears that the incident was a one-shot event, in which a certain type of access was leveraged to facilitate a quick, illicit scheme for financial profit. For now, we do not know who was behind it, however, the cryptocurrency-related scam would suggest a criminal group, driven by financial profit. A nation state would instead use their access to collect private information, such as DMs from persons of interest, rather than high ranking company accounts.
At this point, a thorough, detailed investigation, made public in the form of a report, would be essential for regaining user trust. An explanation of the breach, step by step, what tricks the attackers used and the vulnerabilities (if any) they exploited, are needed. Some of the information posted by Twitter Support indicates that their employees have been targeted in a social engineering scheme; it’s hard to fathom that Twitter employees wouldn’t have their own access protected by 2FA, so this raises questions about how it would be possible for a social engineering attack to succeed. Last but not least, what steps have been taken in order to secure the platform against future abuses would be essential to regain user confidence. I believe that Twitter will work hard to close any security gaps that might have been used, making similar attacks really hard, if not impossible, to execute in the future.”
Kelvin Coleman, Executive Director, National Cybersecurity Alliance (NCSA):
“As we initially speculated, the latest findings behind the recent Twitter breach all point to an employee’s – allegedly implicit – role in a coordinated social engineering attack that took advantage of a compromised set of credentials to facilitate a breach of this size and scale. Given the ‘insider’ nature of the incident, this attack speaks to a larger issue around the collective concept of people, process and technology.
Although Twitter likely has a robust internal security team to monitor the platform across devices, and actively promotes the use of stronger passwords and 2FA, the human element continues to be the most unpredictable factor contributing to these types of situations. It’s hard to predict and mitigate how people will factor into potential breaches, but this should nonetheless be a learning experience for other platforms and tech companies to encourage them to review and enforce an effective incident response plan moving forward.”
Antti Tuomi, principal security consultant, F-Secure:
“The attackers were not after the billionaires themselves, but rather using their reputation and authority as a platform to make the scam seem more believable, and to reach as wide an audience as possible.
The basic psychological toolkit used by scammers and phishing campaigns uses three main methods to lure the victim into falling for a scam: stress tactics (such as creating a sense of urgency); honeypot tactics (which play on the target’s desires and curiosity); and cloaking tactics to make the scam seem to come from a believable and trustworthy party. These tactics help disarm the victim and make it more likely for them to act without considering whether the chance is indeed too good to be true.
In this case, using a respected and trusted figure’s official Twitter account for the visibility and seeming trustworthiness (cloaking tactics), and the desirability of an instant monetary gain (desirability), and potentially the looming distress with COVID-19 and personal finances (stress tactics) makes for a potentially successful campaign.”
Battista Cagnoni, Senior Consultant, Advisory Services, Vectra:
“Rogue insider or duped employee aside the illegitimate use of administration tools by legitimate users is challenging to detect, which is why privileged access remains a critical attack vector in so many breaches. This high-profile attack on one of the world’s largest social media platforms looks to have limited success in terms of financial gain, but for obvious reasons, it has had significant impact in terms of visibility and the potential to damage brand reputation. Over the next few hours and days, incident responders will be working hard to scope out the totality of the compromise and looking for any evidence of remote orchestration in case the attackers have been able to penetrate and gain persistence inside Twitter’s systems.”
Anthony Grenga, VP of Cyber Operations, IronNet:
“Even the most sophisticated technologists, like those at Twitter, often overlook the human component of cybersecurity. If you take a closer look, you’ll find that this attack resembles the AWS breach that occurred back in 2019 by Paige Thompson. Although that was an actual manipulation and exploit of AWS services it was conducted because of unique knowledge of AWS in conjunction with opportunity. Similarly here Twitter employees had the ability to “take over” accounts using an admin panel. These two scenarios represent one of the major concerns for the cyber security landscape of the future.
Specific knowledge or access that can only be gained while working for a corporation creates a layer of extreme threats. Even though an insider may not have malicious intentions, opportunity (bribes, layoffs, conflict of opinions) may tip the scales. In this case, it is likely the scammers that were passed the admin panel access were coming from a range that had previously never hit said panel before. Therefore the only way to detect this would be using some type of access logs and behavioral analysis. Additionally, there has been speculation on if the attackers data dumped DMS and other private info.
However, the larger issue as I see it is that Twitter had an administration panel providing immense access to Twitter accounts accessible via the internet. Access to this panel should have been IP restricted to known IP addresses, and monitored. This points directly to the need for improved behavioral analytics, specifically data exfiltration analytics, such as extreme rates that measure changes and acceleration of traffic from individual hosts and unusual day reporting to show when users are taking action at times they aren’t typically online.”
