On July 15th, US-based microblogging and social networking service, Twitter, disclosed a security incident whose full impact has yet to be determined. According to court documents, the attack started around May 3rd and was only discovered in July when accounts belonging to well-known public figures and executives like Jeff Bezos, Bill Gates, Warren Buffet, President Barack Obama, and Joe Biden were used as part of scheme to extort bitcoins from their followers, which netted more than $117,000. However, the tactics, techniques, and procedures (TTPs) used in the Twitter attack were not much different than in the majority of other data breaches and serve as valuable lessons for designing a modern cyber defense strategy.
Twitter is one of the most-popular social media platforms in the world and is used by more than 145 million people daily. Users can follow other users, with tweets from those they have chosen to follow appearing in their feed. They can make their own tweets private, which only appear to their followers. Public posts are searchable and viewable by anyone, even without an account. Users can reply directly to posts, and also have the option to send private messages.
Modus Operandi
The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even worse if a stolen identity belongs to a privileged user, who has even broader access, and therefore provides the intruder with “the keys to the kingdom”. By leveraging a “trusted” identity a hacker can operate undetected and exfiltrate sensitive data sets without raising any red flags. As a result, it’s not surprising that most of today’s cyber-attacks are front ended by phishing campaigns. In fact, nearly one third of all breaches in the past year involved phishing, according to the 2020 Verizon Data Breach Investigations Report. The initial phase of compromise is typically followed by and exploration phase and the exfiltration of sensitive data, which includes covering up tracks and potentially creating a backdoor for future attacks.
In the Twitter breach, the attackers leveraged social engineering tactics to target a small number of employees through a phone spear phishing attack. Subsequently, the attackers obtained access to both Twitter’s internal network, as well as specific employee credentials that granted them access to internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access Twitter’s internal systems and gain information about the company’s processes.
These exploratory efforts are very common for the anatomy of a hack, whereby reconnaissance is carried out to identify regular IT schedules, seacurity measures, network traffic flows, and scan the entire IT environment to gain an accurate picture of the network resources, privileged accounts, and services. Domain controllers, Active Directory, and servers are prime reconnaissance targets to hunt for additional privileged credentials and privileged access.
In Twitter’s case, the intelligence gained by the attackers enabled them to target additional employees who did have access to the Twitter account support tool, which allows privileged employees to control all facets of a Twitter account. Using the credentials of employees with access to these tools, the attackers targeted 130 user accounts. For 45 of those accounts, the attackers were able to initiate a password reset, login to the account, and post fraudulent Tweets promoting a COVID-19 cryptocurrency scam. These posts exposed the intrusion for the first time to Twitter’s security staff. The attackers also accessed the Direct Message inbox of 36 accounts and downloaded the Twitter Data (e.g., direct messages, including photos and videos; contacts; physical location history; as well as interest and demographic information) of up to eight accounts.
Lessons Learned
The “CryptoForHealth” Twitter Hack is the latest reminder that security professionals need to closely align their cyber defense strategies with the TTPs being leveraged by their cyber adversaries and apply multiple layers of security controls to minimize the risk of both external and insider threats. Best practices for preventing inappropriate access to an organization’s internal systems include:
• Avoid Taking the Phishing Bait
User education is an essential first step that can minimize the risks associated with phishing and subsequent cyber-attacks aimed at data exfiltration. In addition, organizations should implement spam filters and secure email gateways as a security baseline.
• Step Up Multi-Factor Authentication
Multi-factor authentication (MFA) remains the most reliable option for augmenting an organization’s existing access controls. Based on studies conducted by Microsoft, an account is more than 99.9% less likely to be compromised if using MFA. Replacing and/or supplementing username and password authentication with MFA significantly raises the bar and costs for carrying out cyber-attacks.
• Enforce Least Privilege
For superusers and IT admins, least privilege access based on just enough, just-in-time privileged access management (JIT PAM) is a best practice. The concept of least privilege, whereby IT admins are only provided the needed level of access to perform a certain task for the amount of time necessary to perform it, is an antidote for many security threats. This should be paired with implementing access request and approval workflows that govern privilege elevation to capture who approved access and the context associated with the request.
• Leverage User Behavior Analytics
Today’s economic climate exacerbates insider threats, as pending furloughs or pay cuts may tempt employees to exfiltrate data to secure a new job, make up for income losses, etc. In turn, organizations should consider deploying user behavior analytics to discover early indicators of insider threats.
Ultimately, the Twitter hack illustrates the importance of defending against credential-based attacks that are responsible for the majority of today’s data breaches. This can be done by implementing an identity-centric approach to security based on Zero Trust principles, that allows organizations to stay ahead of the security curve.
