Twitter’s embarrassing admission that its employees were inadvertently responsible for Wednesday’s take-over of celebrity accounts, which were then used to spread a Bitcoin scam, after falling for a social engineering attack has again highlighted the need for organizations to boost protection for staff with administrative access, say experts.
“This will highlight the need for most companies to protect administrative access to accounts,” Avivah Litan, a Gartner analyst who specializes in authentication and access management, said in an interview this morning. “It’s always a wake-up call when these things happen.”
The incident is another example, she said, that “human beings are always the weakest link in any system.”
Organizations “really need to put more controls around their insiders. No one should be able to do anything [sensitive] without at least dual sign-off and sometimes triple sign-off, depending on the function. I’m guessing the hackers were able to get credentials into some sensitive systems to take over these high-profile accounts. They either got a password or were able to put malware on the desktop and conduct a man-in-the-browser attack after the user authenticated. All these attacks become much harder when you have to have two people perform any function. And it’s even more difficult when you have three people.
“I’ve seen attacks that beat dual sign-offs. For example, let’s say they put malware on the employee’s desktop and the employee has to put a one-time password in to get into the system; the malware just waits for the one-time password to be entered into the system. If they have to do that to two employee desktops it’s much more difficult to co-ordinate, but I’ve seen it done years ago. So they should have triple sign-off on critical functions.”
Perhaps biometrics are needed on all sensitive transactions, she added. “It comes down to validating access to the system with much stronger security controls. And they do impose a lot of inconvenience on the users, but that’s the price you have to pay when you’re dealing with critical systems. And Twitter is a critical system now.”
This was a well-planned attack, noted Dave Masson, director of enterprise security for Darktrace, with elements of automation because the same Tweet was sent out at the same time from many accounts. “In some ways, it’s not a surprise that the attackers, whoever they were, were able to carry out a coordinated campaign against Twitter employees. Humans remain the weakest link in security. With employees working remotely, many are more vulnerable than ever to spear-phishing campaigns and other attacks.
“It’s also important to note that Twitter has been a victim of breaches in the past linked to employees. In 2017, an employee at the company used their access to Twitter’s systems to briefly delete President Trump’s Twitter account. It’s critical that businesses monitor employee activity closely and can detect these sorts of compromises, whether stemming from a malicious or non-malicious employee, before access is gained or damage is done.”
“Never give up on user awareness,” advised Paul Ducklin, principal research scientist at Sophos. “It’s become trendy to say, ‘Users will never learn, so let’s make technology do all the work.’” But most employees genuinely want to get cybersecurity right, and with regular encouragement, you can make everyone in the organization the eyes and ears of your cybersecurity team.
Have a fast and easy way for staff to report suspicious calls and emails, he said. Crooks rarely succeed with a single phishing email or a single pretexting call – they try over and over until they hit the jackpot. If the first person to smell a rat has an effective way to tell the cybersecurity team, that could be all you need to warn everyone else in the company. The only thing worse than being scammed is being scammed and then realizing that all the warning signs were there, if only you had a way to digest them. Introduce two-factor controls for actions such as account recovery.
“Support staff want to be helpful – it’s part of the job – so give them a procedural reason to stop, think, and get official approval from someone else before allowing critical changes such as password recovery or account reset. A little bureaucracy can go an awful long way.”
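The dual or triple sign-off that Litan and Ducklin recommend above can be enforced in software rather than left to procedure. The following is an added illustration, not code from Twitter or from any of the quoted experts: a gate that runs a sensitive support action (such as an account reset) only after K distinct, MFA-verified approvers other than the requester have signed off within a short window. The approval window, the in-memory request object and the agent names are assumptions.

```python
"""K-person sign-off gate for a sensitive support action (hypothetical)."""
import time
from dataclasses import dataclass, field

APPROVAL_WINDOW_SECONDS = 300  # assumed: an approval older than this no longer counts


@dataclass
class ResetRequest:
    target_account: str
    requested_by: str            # support agent who initiated the change
    required_approvals: int      # 2 for dual sign-off, 3 for triple sign-off
    approvals: dict = field(default_factory=dict)  # approver -> approval time


class SignOffGate:
    def __init__(self, now=time.time):
        self.now = now  # injectable clock so the expiry window is testable

    def approve(self, req, approver, mfa_verified):
        # Every approval must come from a different person who completed MFA,
        # and the requester can never count as one of their own approvers.
        if not mfa_verified:
            return False, "approver has not completed MFA"
        if approver == req.requested_by:
            return False, "requester cannot approve own request"
        if approver in req.approvals:
            return False, "duplicate approval from the same person"
        req.approvals[approver] = self.now()
        return True, f"{len(req.approvals)}/{req.required_approvals} approvals"

    def live_approvals(self, req):
        # Stale approvals expire so a sign-off cannot be banked and reused later.
        cutoff = self.now() - APPROVAL_WINDOW_SECONDS
        return [who for who, when in req.approvals.items() if when >= cutoff]

    def execute(self, req, action):
        # The action runs only once enough unexpired approvals exist.
        live = self.live_approvals(req)
        if len(live) < req.required_approvals:
            return False, f"{len(live)} live approvals, need {req.required_approvals}"
        return True, action(req.target_account)
```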
Twitter Support said in a statement it was caught by “a co-ordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools. We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. Once we became aware of the incident, we immediately locked down the affected accounts and removed Tweets posted by the attackers.”
There were two kinds of malicious tweets from celebrity accounts: One said “We have partnered with CryptoHealth and are giving back 5000 BTC to the community. See more here” with a link to an infected website. The other said “Everyone is asking me to give back, and now is the time. I am doubling all payments sent to my BTC address for the next 30 minutes. You send $1,000, I send you back $2,000.”
July 16 update: Twitter said Thursday there was no evidence the hackers accessed account passwords, so it won’t force users to change their credentials.
The attack is possibly one of the worst security incidents at Twitter, said Costin Raiu, director of Kaspersky’s global research and analysis team. “We have seen compromises of high-profile accounts in the past, which were used to post cryptocurrency-related scams, but they pale in comparison to this one. For instance, @Jack [the account of Twitter CEO Jack Dorsey] was hacked in 2019 through SIM-swap attacks, and President Trump’s account was deleted by a Twitter employee. Yet, the scope of the current attack is much larger, affecting many top accounts, with hundreds of millions of followers combined.
“At this point, a thorough, detailed investigation, made public in the form of a report, would be essential for regaining user trust. An explanation of the breach, step by step, what tricks the attackers used and the vulnerabilities (if any) they exploited, are needed. Some of the information posted by Twitter Support indicates that their employees have been targeted in a social engineering scheme; it’s hard to fathom that Twitter employees wouldn’t have their own access protected by 2FA, so this raises questions about how it would be possible for a social engineering attack to succeed. Last but not least, what steps have been taken in order to secure the platform against future abuses would be essential to regain user confidence. I believe that Twitter will work hard to close any security gaps that might have been used, making similar attacks really hard, if not impossible, to execute in the future.”
The attack puts in question Twitter’s entire internal security system, said Ilia Kolochenko, CEO of ImmuniWeb. “If the attackers got access and managed to steal Twitter’s databases, and are not just opportunistically exploiting an unknown authentication bypass flaw in one of its systems, millions of users and enterprises are at critical risk of highly sophisticated phishing, ransomware, identity theft and many other attacks for the next few years.”
Experts also say the damage from the attack could have been worse: With access to the Twitter accounts of Bill Gates, Elon Musk, Uber, Apple, Barack Obama, Kanye West and more, the attackers were relatively modest in merely spreading claims that people could double their money by sending bitcoin to a certain address.
“My guess it was some very advanced attackers trying to show off what they could do to these accounts,” said Litan. “The reason they used this bitcoin attack was it was a warning or a threat by some sinister actor. I’ve seen reports that said these were amateurs. They don’t seem like amateurs to me. They seem like they were very sophisticated and they were trying to send a message to Twitter.”
And while early reports said the bitcoin wallet that victims were told to send money to had quickly racked up over $100,000, Litan said there are easier ways for cybercriminals to make money, which is why she suspects the attack was really a message of capability.
In some ways, the incident combines bitcoin scams with cons that take advantage of the “Cash App” craze. CashAppFriday or SuperCashAppFriday is a legitimate Cash App promotion that promises giveaways of money for leaving comments or retweets. However, scammers are taking advantage of the game by sending cash lures to people who post, such as promising that if you send $7 you’ll get $120.