John Pescatore – SANS Director of Emerging Security Trends
This week’s Drilldown focuses on one item (included below) from NewsBites Issue 56, which addressed the highly publicized hack of 45 prominent Twitter accounts. Additional information has come out this week and can be found in the latest NewsBites.
Attackers apparently targeted Twitter IT administrators through social engineering and obtained their credentials, possibly even defeating the two-factor authentication Twitter says it requires for administrators. With that access, the attackers took over highly visible Twitter accounts and used them to run bitcoin scams.
There are several factors that make this attack worth focusing on and using to communicate risks to upper management:
- How would your company deal with your CEO’s personal Twitter account or the corporate Twitter (or Instagram, etc.) account being compromised via a similar breach? What if the compromise was on your end?
- How well protected from targeted phishing attacks are your system administrators? How quickly would you notice a compromised admin account? How long would it take to stop the immediate bleeding? How able are you to assess how much damage was done?
There are larger scale concerns for election systems as we get closer to November, but the focus here is on company and agency impact.
Both of those topics would be ideal for tabletop exercises with your senior management team and/or Board. Preventing phishing attacks and enforcing privilege management and tighter monitoring/stronger authentication often require overcoming objections of, “It can’t be done; it will break everything.” But these days, that is like saying, “We can’t require people to use plastic cards to get money out of the ATM--it will break everything.”
But many companies and agencies have invested in strong processes for blocking or quarantining phishing emails, quickly detecting unusual activity from privileged accounts, and implementing privilege management and application controls.
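As an added example (not code from SANS, Twitter, or the NewsBites editors), the following shows what "quickly detecting unusual activity from privileged accounts" boils down to in practice, run over a constructed admin-tool audit log. The log format, field names, action names, admin names and the allowed network range are all assumptions made for illustration. Two rules are applied: a privileged login from outside the networks admins are expected to use, and a burst of account-takeover-capable actions by one admin inside a short window, which is the pattern a mass hijack of verified accounts would produce.

```python
"""Detect anomalous privileged-account activity in an admin-tool audit log.

Added example for this Drilldown; not SANS or Twitter code. The log format,
field names and the allowed network range are assumptions for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) admin=(?P<admin>\S+) src=(?P<src>\S+) action=(?P<action>\S+)"
    r"(?: target=(?P<target>\S+))?(?: result=(?P<result>\S+))?$"
)

# Actions that change who controls a user account. One admin doing several of
# these in a few minutes, across several accounts, is what should page someone.
SENSITIVE_ACTIONS = {"reset_email", "reset_password", "disable_mfa"}

# Assumed: admin-tool sessions are only expected from the corporate VPN range.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample log (not a real Twitter log). opsuser1 is routine;
# opsuser2 logs in from outside the corporate range and then works through
# several verified accounts in quick succession.
SAMPLE_LOG = """\
2020-07-15T18:02:11Z admin=opsuser1 src=10.20.5.14 action=login result=ok
2020-07-15T18:05:42Z admin=opsuser1 src=10.20.5.14 action=view_account target=@someuser
2020-07-15T20:11:03Z admin=opsuser2 src=203.0.113.77 action=login result=ok
2020-07-15T20:12:15Z admin=opsuser2 src=203.0.113.77 action=reset_email target=@verified_a
2020-07-15T20:12:40Z admin=opsuser2 src=203.0.113.77 action=disable_mfa target=@verified_a
2020-07-15T20:13:02Z admin=opsuser2 src=203.0.113.77 action=reset_email target=@verified_b
2020-07-15T20:13:30Z admin=opsuser2 src=203.0.113.77 action=reset_email target=@verified_c
2020-07-15T21:40:00Z admin=opsuser1 src=10.20.5.14 action=reset_password target=@helpdesk_case
"""


def parse(log_text):
    """Turn raw log lines into dicts with a datetime timestamp; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a bad line should not stop the detector
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def analyze(log_text, allowed_nets=ALLOWED_NETS, threshold=3, window=timedelta(minutes=10)):
    """Return a list of (rule, admin, detail) alerts, in the order they trigger."""
    alerts = []
    recent = defaultdict(list)   # admin -> timestamps of sensitive actions in window
    already_flagged = set()      # one bulk alert per admin, not one per extra action
    for ev in parse(log_text):
        src = ipaddress.ip_address(ev["src"])
        # Rule 1: privileged login from a network admins are not expected to use.
        if ev["action"] == "login" and not any(src in net for net in allowed_nets):
            alerts.append(("login_from_unexpected_network", ev["admin"], ev["src"]))
        # Rule 2: burst of account-takeover-capable actions by a single admin.
        if ev["action"] in SENSITIVE_ACTIONS:
            now = ev["ts"]
            hist = [t for t in recent[ev["admin"]] if now - t <= window]
            hist.append(now)
            recent[ev["admin"]] = hist
            if len(hist) >= threshold and ev["admin"] not in already_flagged:
                already_flagged.add(ev["admin"])
                alerts.append(("bulk_sensitive_actions", ev["admin"], len(hist)))
    return alerts


if __name__ == "__main__":
    for rule, admin, detail in analyze(SAMPLE_LOG):
        print(f"ALERT {rule}: admin={admin} detail={detail}")
```

Both rules are deliberately simple and run on whatever the admin tool already logs; the point is that the signal for this kind of incident is present in ordinary audit data, and the gap is usually that nobody is alerting on it. The threshold and window should be tuned against a baseline of normal helpdesk volume so that a single legitimate password reset, like the last line of the sample, does not fire.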
Focused tabletop exercises can be powerful ways of communicating the level of risk and getting the backing to make the needed changes.
Hackers Hijacked High-Profile Twitter Accounts and Used Them in Bitcoin Scam
(July 15 and 16, 2020)
Hackers took over dozens of high-profile Twitter accounts and used them to tweet that if people sent them bitcoin, they would send back twice as much. These hackers received $120,000 worth of the cryptocurrency before the scam was detected and shut down. Twitter says it believes that the hackers targeted Twitter employees in a "coordinated social engineering attack" to take control of the accounts.
[Neely] The hijacked accounts had "verified" status, which indicates that the account takeover came from the use of Twitter administrator accounts. Multifactor authentication for administrator accounts cannot be optional. Further, limiting where admins can log in from should be considered.
[Pescatore] Overall, Twitter has kept its infrastructure pretty secure over the years, but this event would be a good hook for raising the "What security actions are needed if our company will continue to rely on social media in general, and Twitter in particular, as a reliable place for business communications functions?" issue to CXOs and Boards. The flood of disinformation on Twitter, Facebook and others is so high that the risk vs. business value needs to be consciously examined.
[Murray] After an earlier incident like this one, Twitter made a strong authentication option available to its users. These users are the ones for whom use of strong authentication is strongly indicated.
[Honan] This is a great example of why it is so important to build restrictions and fail-safes into your systems for high privilege accounts. The CIS Controls for effective cyber defense--and in particular enhanced authentication, verification and alerting on unusual behaviors--are just some of the controls that should be considered to protect these accounts from themselves.
Read more in:
Reuters: Focus falls on bitcoin trail in race to identify Twitter hackers
Wired: A Twitter Hacking Spree Hits Elon Musk, Obama, Apple, and More
ZDNet: Twitter confirms internal tools used in bitcoin-promoting attack
Ars Technica: Twitter lost control of its internal systems to Bitcoin-scamming hackers