For those of us who spend way too much time on Twitter

23/07/2020 • Dotan Bar Noy


For those of us who spend way too much time on Twitter, you may have noticed something strange pop up on your timeline late last week.

On Wednesday, July 15th, a long list of celebrities, politicians, and business leaders like Jeff Bezos began posting the exact same tweet:

This post was immediately suspicious as people around the world began asking themselves if Jeff Bezos would ever really “give back to my community.” This couldn’t be right; something was up.

But Amazon’s CEO was far from the only account posting this obvious Bitcoin scam. Former President Barack Obama, Warren Buffett, Kanye West, Elon Musk, and many others had the same post appearing at the top of their timelines.

According to reports, the hackers are believed to have netted under $200k for their trouble as Twitter halted all posting by verified users and cryptocurrency sites like Coinbase blocked some $280,000 from reaching the scammers.

In the days that followed the incident, reporting has indicated that a small team of hackers succeeded in compromising Twitter’s internal tools. This allowed them to lock these users out of their accounts, change passwords and emails, revoke existing 2FA measures, and post away at will until the company pulled the plug. I suggest that you read some of the excellent reporting on this story to get a fuller picture.

Responding to the incident, Twitter posted a thread of updates:

You can read more about their account from this blog post. (P.S. Kudos for the transparency and honesty)

At this point, it is too early to tell whether the attack was carried out through a social engineering operation as described by Twitter’s statement or if they had an insider that knowingly gave them access to the internal controls.

However they gained access to the controls, experts like Brian Krebs have noted that they believe these hackers to be involved in SIM swapping. This is when hackers, usually script kiddies but not exclusively, gain control of a victim’s cell phone number in order to take over their social media account and reset their password. Once they have locked the victim out, they can then sell these sought-after accounts on sites like OGUsers.

In the case of SIM swapping, it is not uncommon for compromised employees to simply carry out the swapping for cash. No social engineering needed. We know that this short-lived crew was part of OGUsers where this is a standard practice.

On some level, it doesn’t really matter whether the “breach” was made via social engineering or an insider. Twitter has had insider threats in the past and probably will again. In modern security we assume that the perimeter, while not dead as it was described a few years ago, needs to be on the front line of your defense but hardly your last.

The real question, and the failure for Twitter from an organizational/security point of view, is how compromising a single employee gave the attackers such a high level of control over these very, very valuable assets.

In this case we got lucky because, like most cases of malfeasance on the internet, this heist was aimed at getting some ill-gotten cryptocurrency. One of my favourite stories from 2019 was the discovery that a Ukrainian nuclear power plant — which for obvious security reasons was supposed to be air-gapped — was found to be connected to the external internet.

This serious breach of security protocol at a site of critical infrastructure was not a plot by a Russian APT crew to turn off the power in the dead of winter. Instead, it was something much, much more ridiculous. Apparently, a number of employees figured that the computing power at their site was going to waste, so why not harness it to mine some cryptocurrency?

At this point, hacking for crypto mining is a common trope of the internet. Someone does something incredibly risky, but thankfully it’s usually just aimed at making a couple of digital bucks. But honestly, who knows? This whole incident could have been a diversion for a more targeted attack that we will only find out about later, if ever.

As an industry and a public, we need to recognize these events for what they are — clear and present warnings of a threat to national security that should be taken seriously.

Cases of harm coming from dangerous statements by politicians in power are easy to imagine. Think also about what kind of damage a hacker could do by impersonating the CEO of a major corporation and posting that they were selling all of their stock due to some crisis. What if it wasn’t Elon Musk, who we’ve gotten used to doing outlandish stunts at this point, but Bill Gates who also had his account taken over?

So if we want to take it seriously, how should we as companies approach this challenge?

From my perspective, the key lies in a combination of limiting the damage that an attacker can do once they have made it past your barriers, through defense in depth, and creating systems that fail gracefully when something does go wrong.

The Principle of Least Privilege tells us that we should grant users within our organization only the permissions that they need in order to do their job, and no more. This is far from an exact science since it forces us to balance usability against security.

If you give someone within your organization more permission than they need, then it will probably reduce a lot of friction since they won’t have to spend time requesting access. The downside is that it raises your level of risk. The converse is equally true since locking down access too harshly can bring productivity to a grinding halt.

Interestingly, organizations’ assumptions about who needs the most privileged access are often based on company hierarchy rather than actual needs. If you think about it for a minute, does your CEO really need regular access to your servers? Probably not, and giving him or her wide-reaching access without an operational need raises the level of risk.

The more permissions that are granted, the harder they become to manage securely.

In the case of the Twitter hack, my question (which may never be answered) is how many employees have access to change passwords on user accounts? Is there any consideration given by Twitter to VIP-level accounts when it comes to providing additional security measures? How are they going to keep service running the next time that an attack occurs?

My hope is that the attackers got lucky and found the one Twitter admin who had singular access to these accounts. Unfortunately, I doubt that this was a fluke. Moving forward, I hope that someone within that company moves to segment access to high-value accounts to a small team, and that if their internal admin tools are compromised for their less critical users, that these riskier accounts will not be impacted.
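One way to express the segmentation described above in an internal admin tool, as an added example that is not Twitter's code or a description of its actual controls: sensitive changes on high-value accounts are restricted to a small vip-ops group and need a distinct approver, and an account whose tier is unknown is treated as high-value so the check fails closed. Group names, action names and the tier directory are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    REGULAR = "regular"
    HIGH_VALUE = "high_value"


# Actions that let an attacker take over an account outright.
SENSITIVE = {"reset_password", "change_email", "revoke_2fa"}

# Assumed group layout: broad support staff handle regular accounts,
# only the small vip-ops team may touch high-value ones.
ALLOWED = {
    Tier.REGULAR: {"support", "vip-ops"},
    Tier.HIGH_VALUE: {"vip-ops"},
}

# Constructed tier directory standing in for a real account database.
TIER_DIRECTORY = {"regular_user_1": Tier.REGULAR, "vip_one": Tier.HIGH_VALUE}


@dataclass(frozen=True)
class Admin:
    name: str
    groups: frozenset


def tier_of(account, directory=TIER_DIRECTORY):
    """Fail closed: an account with no known tier is treated as high-value."""
    return directory.get(account, Tier.HIGH_VALUE)


def authorize(admin, action, account, approver=None, directory=TIER_DIRECTORY):
    """Return (allowed, reason). High-value accounts need a vip-ops admin
    plus a second, distinct vip-ops approver (four-eyes) for sensitive actions."""
    if action not in SENSITIVE:
        return True, "non-sensitive action"
    tier = tier_of(account, directory)
    if not admin.groups & ALLOWED[tier]:
        return False, f"{admin.name} is not in a group allowed for {tier.value} accounts"
    if tier is Tier.HIGH_VALUE and (
        approver is None or approver.name == admin.name or "vip-ops" not in approver.groups
    ):
        return False, "high-value change requires a distinct vip-ops approver"
    return True, "authorized"
```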


I should note that not all blue-checkmarked accounts (or white checkmarks on a blue background, if you want to be pedantic about it) carry the same level of risk. Twitter might consider launching an initiative similar to Google’s Advanced Protection Program, which provides people it has identified as being at higher risk (journalists, activists, etc.) with additional security measures and services.

Along with policy measures, there are some tools that they can use to identify attackers quicker and limit the damage. There are more than a few great companies out there offering solutions from different angles that are worth considering.

From the lateral movement domain, we have great products from Pcysys, XM Cyber, SafeBreach and Cymulate, to name a few.

If you are looking for authentication solutions, then Silverfort and Secret Double Octopus are essential to check out.

I would be remiss if I didn’t mention great open source tools like Cartography or BloodHound that help you to visualize the relationships between assets.

Moving forward, we need to utilize prescriptive, and not predictive, analytics that will help us to make better decisions. But that’s fodder for another post at a later date.

We need technology that helps us to identify red flags. If numerous high-profile accounts are acting suspiciously — changing their passwords or associated email/phone number for example — then alarm bells should be ringing that an attack is imminent.

Maybe find a way to identify when some of these VIP accounts post cryptocurrency wallet addresses and automatically prevent those posts from going live. These addresses are distinct enough from the usual posts of someone like Bill Gates or Joe Biden that the odds are they are not the ones posting them. Again, sometimes Musk is just going to Musk.
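The two red flags from the last two paragraphs, a burst of sensitive changes across several high-profile accounts and a VIP post carrying a wallet address, as one added detection example that is not part of the original post or any Twitter system. The audit log format, the tier labels, the ten-minute window and the threshold of three accounts are all assumptions, and the log lines and addresses are constructed.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Account changes that should be rare on VIP accounts and never clustered in time.
SENSITIVE_ACTIONS = {"password_reset", "email_change", "phone_change", "2fa_revoke"}
WINDOW = timedelta(minutes=10)   # assumed tuning value
THRESHOLD = 3                    # distinct VIP accounts touched inside one window

# Shapes of legacy base58 (1.../3...) and bech32 (bc1...) Bitcoin addresses.
BTC_ADDRESS = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})\b")

# Assumed audit-log line layout: "<iso-time> account=<id> tier=<tier> action=<a> actor=<admin>"
LOG_LINE = re.compile(r"^(\S+) account=(\S+) tier=(\S+) action=(\S+) actor=(\S+)$")

# Constructed sample log: three different VIP accounts changed within six minutes.
SAMPLE_LOG = [
    "2020-07-15T20:01:00Z account=regular_user_1 tier=regular action=password_reset actor=agent_a",
    "2020-07-15T20:02:00Z account=vip_one tier=vip action=password_reset actor=agent_a",
    "2020-07-15T20:04:30Z account=vip_two tier=vip action=email_change actor=agent_a",
    "2020-07-15T20:05:00Z account=vip_one tier=vip action=2fa_revoke actor=agent_a",
    "2020-07-15T20:07:15Z account=vip_three tier=vip action=phone_change actor=agent_a",
    "2020-07-15T20:30:00Z account=vip_four tier=vip action=password_reset actor=agent_b",
]


def burst_alerts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return (time, accounts) whenever `threshold` distinct VIP accounts receive a
    sensitive change inside `window`. Malformed or non-VIP lines are ignored."""
    recent = deque()   # (timestamp, account) of VIP sensitive events still in the window
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, account, tier, action, _actor = m.groups()
        if tier != "vip" or action not in SENSITIVE_ACTIONS:
            continue
        t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        recent.append((t, account))
        while recent and t - recent[0][0] > window:
            recent.popleft()
        touched = {a for _, a in recent}
        if len(touched) >= threshold:
            alerts.append((t, sorted(touched)))
            recent.clear()   # one alert per burst, then start counting again
    return alerts


def post_decision(tier, text):
    """Hold VIP posts that contain a wallet address for review; everything else goes live."""
    return "hold" if tier == "vip" and BTC_ADDRESS.search(text) else "publish"
```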

These are just a few suggestions of steps that we can take to limit the damage of the next attack. And there will be more. Platforms like Twitter play an outsized role in global conversations and will continue to be targeted.

The only question is when the next incident occurs, will companies like Twitter take the necessary steps to mitigate their risk and reduce the possible level of damage?

Time will tell, but until then, keep safe out there folks.

Dotan Bar Noy
