A New York state regulator has slammed Twitter for poor cybersecurity protection that allowed young hackers to seize control of several celebrities’ accounts in July to run a “double your bitcoin” scam.
“Given that Twitter is a publicly-traded, US$37 billion technology company, it was surprising how easily the hackers were able to penetrate Twitter’s network and gain access to internal tools allowing them to take over any Twitter user’s account,” said the report by the Department of Financial Services.
“Indeed, the hackers used basic techniques more akin to those of a traditional scam artist: phone calls where they pretended to be from Twitter’s Information Technology department. The extraordinary access the Hackers obtained with this simple technique underscores Twitter’s cybersecurity vulnerability and the potential for devastating consequences. Notably, the Twitter Hack did not involve any of the high-tech or sophisticated techniques often used in cyberattacks–no malware, no exploits, and no backdoors.”
In particular, it slammed the company for not having a CISO for seven months before the attack. “A lack of a CISO sends the message that cybersecurity is not a top priority from senior leadership,” says the report.
The hackers — who are facing criminal charges — took over the Twitter accounts of politicians, celebrities, and entrepreneurs, including Barack Obama, Kim Kardashian West, Jeff Bezos, and Elon Musk, as well as Twitter accounts of several cryptocurrency companies regulated by the New York State Department of Financial Services.
What worries the regulator is there are well-documented examples of social media being used to manipulate markets and interfere with elections, often with the simple use of a single compromised account or a group of fake accounts.
“The Twitter Hack demonstrates the need for strong cybersecurity to curb the potential weaponization of major social media companies. But our public institutions have not caught up to the new challenges posed by social media. While policymakers focus on antitrust and content moderation problems with large social media companies, their cybersecurity is also critical. In other industries that are deemed critical infrastructure, such as telecommunications, utilities, and finance, we have established regulators and regulations to ensure that the public interest is protected. With respect to cybersecurity, that is what is needed for large, systemically important social media companies.”
The attack started on the afternoon of July 14 when one or more hackers called several Twitter employees and claimed to be from the company’s help desk, responding to a reported problem the staffer was having with Twitter’s virtual private network. Since the switch to remote working, VPN problems had been common at Twitter. The hackers then tried to direct the employee to a phishing website that looked identical to the real Twitter VPN website and was hosted on a similarly named domain. As the employee entered their credentials into the phishing website, the hackers would simultaneously enter the same information into the real Twitter website.
For protection, Twitter strengthens logins by making employees use multi-factor authentication. However, because the hackers were logging into the real site, if a staffer entered their MFA code on the fake site, the attackers could copy it into the real site.
To aid the attack, the hackers used personal information about the employees to convince them that the callers were real Twitter staff and could, therefore, be trusted. The report doesn’t say how the attackers obtained this information, beyond speculating that they researched staffers and their titles.
Some were suspicious
While some employees were suspicious and reported the calls to Twitter’s internal fraud monitoring team, at least one employee fell for the scam. Getting into this person’s corporate account didn’t get the attackers what they wanted, which was the ability to take over celebrity Twitter accounts. They took the time to wander around Twitter’s internal websites and learn more about the company’s systems. That gained them information about how to access other internal applications.
On July 15, the hackers targeted Twitter employees who had access to certain internal tools to help take over accounts. Some of them were part of the department responsible, in part, for responding to sensitive global legal requests, such as court orders or content removal requests, as well as for developing and enforcing policies to prohibit abusive online behaviour.
Initially, the hackers went after valuable so-called “original gangster” (“OG”) Twitter usernames, which are usually designated by a single word, letter, or number and adopted by Twitter’s early users. Access to a hijacked OG account could be resold for bitcoin. To show off their prowess, the hackers tweeted screenshots of one of the internal tools from some of the accounts.
Next, the hackers upped their game, going after “verified” accounts of well-known people, who want the blue verified badge as a mark of authenticity. A hacked verified account, though, makes fraudulent demands for bitcoin appear more legitimate. The first hijacked verified account belonged to a cryptocurrency trader; direct messages were sent from that account asking for 0.01 bitcoin in exchange for trading information. After hijacking the Twitter accounts of cryptocurrency exchanges, the hackers sent tweets suggesting a bitcoin giveaway, with a link to a scam address. Finally, the attackers gained access to verified accounts of celebrities and fired off tweets with the scam offer to millions of their followers.
Exchanges moved quickly
Overall, 130 Twitter user accounts were compromised. Of those, 45 accounts were used to send tweets. Hackers also downloaded data from seven of those accounts through Twitter’s “Your Twitter Data” (“YTD”) tool, which provides a summary of a Twitter account’s details and activity.
The report says the hackers stole approximately US$118,000 worth of bitcoin through the scam.
The report credits cryptocurrency exchanges whose Twitter accounts were hacked with responding quickly to block impacted addresses after being notified by the regulator. Still, Gemini, Square, and Coinbase said that a handful of customers fell for the scam and transferred $22,000 in bitcoin to the hackers’ accounts.
But it came down hard on Twitter, particularly for not having a CISO for seven months before the hack. “A lack of strong leadership and senior-level engagement is a common source of cybersecurity weaknesses. Strong leadership is especially needed in 2020 when the COVID-19 pandemic has created a host of new challenges for IT and cybersecurity. Like many organizations, in March, Twitter transitioned to remote working due to the pandemic. This transition made Twitter more vulnerable to a cyberattack and compounded existing weaknesses.”
“Didn’t implement significant compensating controls”
Early in the year, the department issued guidance to its regulated firms to identify and assess the new security risks created by remote working because of the pandemic, the report indicated. But Twitter was dragging its heels.
“Twitter did not implement any significant compensating controls after March to mitigate this heightened risk to its remote workforce, and the hackers took advantage.
“To its credit, Twitter has advised the Department that it is now implementing additional security controls to prevent similar attacks in the future, such as improved MFA and additional training on cybersecurity awareness, and in late September 2020, it announced the hire of a new CISO. But the consequences of the Twitter Hack show why it is critical for Twitter and other social media companies to implement robust controls before they experience a cyber incident, not after.”
Among the report’s recommendations are that cryptocurrency exchanges have to proactively identify and quickly block addresses known to be used by fraudsters. It also says that — where possible — some companies are restricting cryptocurrency asset transfers only to addresses that have already been approved. However, adding a new address can take a day or more.
“Twitter’s access management and authentication failed to prevent unsophisticated hackers from getting to the powerful internal tools,” the report notes. While Twitter limits access to the internal tools, over 1,000 employees still had access to them for job functions such as user account maintenance and support, content review, and responses to reports of Twitter Rules violations. Since the hack, Twitter has further limited the number of employees with access to internal tools, even though this slowed down some job functions.
The report also says Twitter has abandoned application-based MFA in favour of a physical security key.
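The report's account of the relay (an MFA code typed into the lookalike VPN page and copied straight into the real site) and Twitter's later move to physical security keys both turn on one property: whether the second factor is bound to the origin the user is actually talking to. The Python model below is added here to show that property; it is not code from the report or from Twitter's systems. The domain names and secrets are constructed, HMAC stands in for the public-key signature a real security key would produce, and the one-time code is a toy, not TOTP or WebAuthn.

```python
import hashlib
import hmac
import json
import secrets

# Constructed domain names for the illustration (not real hosts).
REAL_ORIGIN = "https://vpn.example-corp.test"
PHISH_ORIGIN = "https://vpn.example-c0rp.test"


def one_time_code(secret: bytes, counter: int) -> str:
    """Toy HMAC-based one-time code. It depends on the user's secret and a
    counter, but not on which website the user is typing it into."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def real_site_accepts_code(secret: bytes, counter: int, code: str) -> bool:
    return hmac.compare_digest(one_time_code(secret, counter), code)


def relayed_code_login(secret: bytes, counter: int) -> bool:
    """The victim types the code into the lookalike page and the caller types
    the same six digits into the real site. Nothing in the code identifies the
    origin it was entered on, so the real site accepts it."""
    code_seen_on_lookalike = one_time_code(secret, counter)
    return real_site_accepts_code(secret, counter, code_seen_on_lookalike)


def sign_assertion(key: bytes, challenge: str, origin: str):
    """Origin-bound assertion: the browser (not the user) records the origin of
    the page that asked for the login, and the authenticator signs the
    challenge together with that origin."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True).encode()
    return client_data, hmac.new(key, client_data, hashlib.sha256).digest()


def real_site_accepts_assertion(key: bytes, expected_challenge: str,
                                client_data: bytes, sig: bytes) -> bool:
    """The real site verifies the signature first, then checks that the signed
    data names its own challenge and its own origin."""
    if not hmac.compare_digest(hmac.new(key, client_data, hashlib.sha256).digest(), sig):
        return False
    data = json.loads(client_data)
    return data["challenge"] == expected_challenge and data["origin"] == REAL_ORIGIN


def legitimate_assertion_login(key: bytes) -> bool:
    challenge = secrets.token_hex(16)
    client_data, sig = sign_assertion(key, challenge, REAL_ORIGIN)
    return real_site_accepts_assertion(key, challenge, client_data, sig)


def relayed_assertion_login(key: bytes) -> bool:
    """Relay attempt against the origin-bound factor: the challenge from the
    real site is forwarded to the victim's browser on the lookalike page and
    the signed response is relayed back. The signature covers the lookalike
    origin, so the real site rejects it."""
    challenge = secrets.token_hex(16)
    client_data, sig = sign_assertion(key, challenge, PHISH_ORIGIN)
    return real_site_accepts_assertion(key, challenge, client_data, sig)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    print("relayed one-time code accepted:", relayed_code_login(secret, 42))
    print("legitimate origin-bound login accepted:", legitimate_assertion_login(secret))
    print("relayed origin-bound login accepted:", relayed_assertion_login(secret))
```

The point of the model is the last check in `real_site_accepts_assertion`: because the origin sits inside the signed data, a relay cannot rewrite it to the real domain without invalidating the signature, which is why a hardware key on a lookalike domain fails closed where a typed code does not.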
Finally, the report suggests a U.S. federal regulator be created to oversee social media platforms. “The risks posed by social media to our consumers, economy, and democracy are no less grave than the risks posed by large financial institutions,” it argues. “The scale and reach of these companies, combined with the ability of adversarial actors who can manipulate these systems, require a similarly bold and assertive regulatory approach.”
The post Twitter slammed by U.S. regulator over bitcoin scam first appeared on IT World Canada.
The standout hack of July 2020, and possibly of the year, was the takeover of 45 celebrity Twitter accounts, in a bid to scam their millions of followers by requesting Bitcoin in tweets.
While the Twitter hack and scam dominated media headlines around the world, the attack was not the 'highly sophisticated cyber-attack' reported by many media outlets, but it was certainly bold and clever. The attackers phoned Twitter administrative staff and blagged (socially engineered) their privileged Twitter account credentials out of them, which in turn gave the attackers access to Twitter's backend administrative system and to any Twitter account they desired. It is understood this Twitter account access was sold by a hacker on the dark web to a scammer in the days before the attack, and that scammer (or scammers) orchestrated the near-simultaneous posting of Bitcoin scam tweets from the high-profile accounts. On 31st July, law enforcement authorities charged three men over the attack, one of whom was disclosed as a 19-year-old British man from Bognor Regis.
There was a very serious critical Windows vulnerability disclosed as part of the July 2020 Microsoft 'Patch Tuesday' security update release. Dubbed "SIGRed", it is a 17-year-old Remote Code Execution (RCE) vulnerability in Windows Domain Name System (DNS), a component commonly present in Microsoft Windows Server 2008, 2012, 2012R2, 2016 and 2019. Disclosed as CVE-2020-1350, it was given the highest possible CVSS score of 10.0, which basically means the vulnerability is “easy to attack” and “likely to be exploited”, although Microsoft said they hadn't seen any evidence of its exploitation at the time of their patch release.
Given SIGRed is a wormable vulnerability, it is particularly dangerous: wormable malware could exploit it to spread itself rapidly over flat networks without any user interaction, as the WannaCry attack on the NHS and other large organisations did. Secondly, it could be used to compromise privileged accounts (i.e. admin accounts found on servers). The Microsoft CVE-2020-1350 vulnerability can be mitigated on affected systems either by applying the Windows DNS Server patch Microsoft released (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) or by applying a registry workaround (https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability).
As expected, the UK Government ordered UK mobile network operators to remove all Huawei 5G equipment by 2027, and banned the purchase of Huawei 5G network equipment after 31st December 2020. Digital Secretary Oliver Dowden said it follows sanctions imposed by the United States, which claims the Chinese firm poses a national security threat, which Huawei continues to resolutely deny. The ban is expected to delay the UK's 5G rollout by a year. "This has not been an easy decision, but it is the right one for the UK telecoms networks, for our national security and our economy, both now and indeed in the long run," he said.
- BT says 'impossible' to remove all Huawei kit in under 10 years
- The UK faces mobile blackouts if Huawei 5G ban imposed by 2023
- Huawei ban 'would depress GDP and spark inflation', think tank warns
- Huawei: The company and the security risks explained
- Huawei U-turn: Cyberattacks, levies and other possible repercussions of the UK's 5G move
Russian hacking group APT 29 was jointly accused of targeting coronavirus vaccine research for theft by the UK NCSC, the Canadian Communications Security Establishment (CSE), the United States Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA) and the US National Security Agency (NSA). The UK's National Cyber Security Centre (NCSC) said the hackers "almost certainly" operated as "part of Russian intelligence services". It did not specify which research organisations had been targeted, or whether any coronavirus vaccine research data was taken, but it did say vaccine research was not hindered by the hackers. Russia's ambassador to the UK rejected the allegations: "I don't believe in this story at all, there is no sense in it," Andrei Kelin told the BBC's Andrew Marr Show. Foreign Secretary Dominic Raab, meanwhile, said it is "very clear Russia did this", adding that it is important to call out this "pariah-type behaviour".
Yet another big data exposure caused by a misconfigured AWS S3 bucket was found by security researchers: one million files belonging to fitness brand 'V Shred' were discovered exposed to the world, including the personal data of 99,000 V Shred customers. Interestingly, V Shred defended itself against the researchers' findings by claiming it was necessary for user files to be publicly available, and denied that any PII had been exposed.
- Twitter Hack & Scam
- Returning to the Workplace and the Ongoing Threat of Phishing Attacks
- iPhone Hacks: What You Need to Know About Mobile Security
- Mind the Gaps! The Requisite Mindset to Stay Ahead of Cybersecurity Threats
- How to Embed a Positive Security Culture in the COVID-19 Remote Working ‘New Normal'
- Cyber Security Roundup for July 2020
- 45 High Profile Twitter Accounts Hacked and Used to Scam Followers
- Blackbaud Hack: Universities Lose Data to Ransomware Attack
- Russian Hacking Group (APT 29) is Targeting Coronavirus Research Theft
- Huawei 5G kit must be removed from the UK by 2027
- Hacker Ransoms 23k MongoDB Databases and Threatens to contact GDPR Authorities
- Hackers try to Steal £1m Transfer Fee during Football Club Cyber Attack
- Dave ShinyHunters Hack Exposes 7.5 Million User Records
- Smartwatch Maker Garmin took Offline by Cyber Attack
- Open S3 Bucket Exposes One Million Files of Fitness Brand V Shred
- SEI Investments Customer Data Exposed in Ransomware Attack on Vendor
- Microsoft Patches 123 Vulnerabilities
- Microsoft Critical Warning to Fix Wormable Bug “SIGRed”
- Adobe Patch Tuesday: Adobe eliminates Four Critical Bugs
- Adobe Fixes 12 Critical Bugs in Second Round of July Patches
- Adobe mends Critical Code Execution Flaws in Magento
- Cisco Patches Severe Traversal Vulnerability Exploited in the Wild
- ‘Boothole’ Threatens Billions of Linux, Windows Devices
- Survey of 127 Routers’ Vulnerabilities: Remote Workers Warned over Security Flaws
- Dacls RAT’s Goals are to Steal Customer Data and Spread Ransomware
- GoldenSpy: Chinese Tax Software found to Dish Out Backdoor Malware
- Report: The Cost of Ransomware in 2020. A Country-by-Country Analysis
Twitter confirmed 130 celebrity Twitter accounts were targeted in the cyberattack on Wednesday 15th July, with 45 successfully compromised. The hacked Twitter accounts included high profile individuals such as Barack Obama, Elon Musk, Kanye West, Bill Gates, Jeff Bezos, Warren Buffett, Kim Kardashian, and Joe Biden. Their accounts were used to send a tweet to scam Bitcoin out of their millions of followers.
[Image: scam social engineering tweet sent from Bill Gates' Twitter account]
[Image: security researchers at Hudson Rock spotted the Twitter hack advertisement]
Update as of 18th July 2020
Twitter confirmed the perpetrators used its administration tools to orchestrate the attack and had downloaded data from up to eight of the accounts involved, but said none of these accounts was "verified" high profile accounts.
A New York Times article suggested at least two of the attackers are from England.
Twitter's statement said "The attackers successfully manipulated a small number of employees and used their credentials to access Twitter's internal systems. We are continuing our investigation of this incident, working with law enforcement, and determining longer-term actions we should take to improve the security of our systems. We're embarrassed, we're disappointed, and more than anything, we're sorry."
Facts Twitter confirmed
- Attackers were not able to view previous account passwords, as those are not stored in plain text or available through the tools used in the attack.
- Attackers were able to view personal information including email addresses and phone numbers, which are displayed to some users of our internal support tools.
- In cases where an account was taken over by the attacker, they may have been able to view additional information. Forensic investigation of these activities is still ongoing.
This incident illustrates the loophole with identity and access management such that if a user account is compromised, data is left unprotected. This loophole can be closed by taking a data-centric approach to security, where information is automatically protected, with authenticated encryption built right into the data. This means that even unencrypted files, when changed or moved, will immediately be encrypted so that, if stolen, they will appear to be garbage to the thief.
A compromised user account still has access to data, but it remains encrypted all the time, even when in use. When copied from its ‘safe’, access-controlled location - even if that's outside the organisation - the data remains encrypted and therefore useless. No ransom, no embarrassing disclosures, no legal action.
Liviu Arsene, Global Cybersecurity Researcher at Bitdefender, said that attackers successfully compromising high-profile Twitter accounts that potentially also had two-factor authentication can only point to a coordinated cyberattack on Twitter’s employees and systems. It’s likely this could be a result of attackers exploiting the work-from-home context, in which employees are far more likely to fall prey to scams and spearphishing emails that end up compromising devices and ultimately company systems.
This high-profile Twitter breach could be the result of a spray-and-pray spear-phishing campaign that landed some opportunistic cybercriminals what could potentially be the hack of the year for Twitter. They could have done potentially far more damage. Instead, by delivering a simple Bitcoin scam, we could be looking at attackers that wanted to quickly monetize their access, instead of a highly coordinated and sophisticated operation performed by an APT group.
If this is the case, it’s likely that more companies could potentially be breached as a result of cybercriminals phishing employees. With 50% of organizations not having a plan for supporting and quickly migrating employees and infrastructure to full remote work, we’re probably going to see more data breaches that either exploit employee negligence or infrastructure misconfigurations left behind during the work from home transition.
While large organizations may have strong perimeter security defences, security professionals mostly worry that a potential breach could occur because of attackers exploiting the weakest link in the cybersecurity chain: the human component.
Tony Pepper, CEO of Egress, said that Twitter suffering a co-ordinated attack targeting its employees "with access to internal systems and tools" is deeply concerning. However, screenshots obtained from two sources who took over accounts, which suggest that this breach was caused by an intentionally malicious insider, add an additional layer of concern and complexity to this saga.
In our 2020 Insider Data Breach, we found that 75% of IT leaders surveyed believe employees have put data at risk intentionally in the past year and this latest breach seems to bear out those beliefs.
So, what can security professionals do to prevent this risk and keep sensitive data out of the reach of malicious threat actors? Organisations have an opportunity to do more by understanding the ‘human layer’ of security, including breach personas and where different risks lie. Technology needs to do more by providing insight into how sensitive data in the organisation is being handled and identifying risks, including human-activated threats.
By spotting the characteristics of a potentially malicious insider and being aware of what they are susceptible to and motivated by, organisations can put the tactics, techniques, and technology in place to mitigate the risk.
The Highlighter™ Super Users series is a little something I've put together to reach out to the Highlighter community. As a user of this freeware tool from Mandiant, I want you to know there are many users out there who can help you get through your log analysis paralysis. This series is meant to highlight (see what I did there?) how some users have solved a various range of problems using Highlighter. These interviews will provide insight into the benefits and pitfalls of using Highlighter, some features you may not be aware of, and a few use cases you may not have considered.
Super User Interview #1: Ken Johnson
Ken Johnson is one of Highlighter's Twitter-friendly users. He is a malware analyst and incident responder extraordinaire; fighting evil one keyword search at a time. Known as @patories on Twitter, I reached out to him and asked some questions about his experience using Highlighter.
Realm of work
My primary work is focused on malware analysis and incident response. Occasionally I also do some forensics work.
How did you hear about Highlighter?
I first saw Highlighter when I was familiarizing myself with free tools. I have used Memoryze™ previously.
Do you know of any other tools that do what Highlighter does?
Highlighter is the only tool I know of, and it does what I need so I haven't looked for others.
How do you normally use Highlighter?
I use Highlighter to trim out known good traffic from proxy logs. This helps get to the unknown stuff quicker. When logs can be multiple gigabytes this is a time saver.
Can you describe one scenario in which Highlighter helped you find evil and/or solve crime?
On more than one occasion I have used Highlighter to narrow down proxy log traffic to find connections that are malicious. There was an instance about 2 months ago where users fell for a Phish. We used Highlighter to find the C&C IPs that machines kept calling home to, by filtering out what was normal and analyzing what was left. Highlighter helped find almost 50 IPs/URLs that were malicious.
On a scale from 1 (worst) to 5 (best), how well does Highlighter address your use case(s)?
I would have to give Highlighter a 4.
What is missing from Highlighter for your use case(s)?
I would like to have the ability to whitelist traffic so I do not have to manually keep removing internal hosts that we see. This may be in the program and I have not found it.
What is one Highlighter feature addition that would serve the Information Security community best?
I think the ability to whitelist hostnames would be a nice addition.
Are you aware of, or have you used, any of the following features?
Activity Over Time feature that lets you view log data as a function of Entries Per Day
No, I was not aware of this one.
Ability to change basic font settings for your output
I know it is there, but for my use this is never used.
Have you ever seen Highlighter used in such a way that your eyeballs melted from all the Awesome?
I have only seen myself use it, but I have seen my co-workers' eyeballs melt when I show them the awesomeness that they can do. Some are still stuck in the grep world...
Keep an eye out for the second post in the Highlighter Super Users Series featuring Russ McRee, author of ISSA Journal's toolsmith series and mastermind behind www.holisticinfosec.org. If you're interested in sharing your own experiences with this tool, please let me know by commenting below.
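Ken's workflow above, trimming known-good traffic out of a large proxy log so that the callbacks to C&C hosts stand out, and his wish for a whitelist of internal hosts, can be expressed as a small script. The Python below is an added example and is not Highlighter's code or Mandiant's; the log format, the whitelist, the internal ranges and the log lines themselves are constructed for the illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed proxy log lines: timestamp, client IP, method, URL, HTTP status.
# 198.51.100.7 and bad-host.example-phish.test play the role of the unknown hosts.
SAMPLE_LOG = """\
2020-07-14T13:01:02Z 10.0.5.23 GET http://intranet.example-corp.test/home 200
2020-07-14T13:01:09Z 10.0.5.23 GET http://www.example-cdn.test/jquery.js 200
2020-07-14T13:02:10Z 10.0.5.23 POST http://198.51.100.7/gate.php 200
2020-07-14T13:02:40Z 10.0.5.41 GET http://intranet.example-corp.test/mail 200
2020-07-14T13:03:10Z 10.0.5.41 POST http://198.51.100.7/gate.php 200
2020-07-14T13:04:10Z 10.0.5.23 POST http://198.51.100.7/gate.php 200
2020-07-14T13:05:00Z 10.0.5.77 GET http://updates.example-vendor.test/patch 304
2020-07-14T13:06:00Z 10.0.5.77 GET http://bad-host.example-phish.test/x 200
2020-07-14T13:07:00Z 10.0.5.77 GET http://10.0.1.5:8080/status 200
this line is not a proxy record and is skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://(?P<host>[^/:?#]+)", re.IGNORECASE)

# Hypothetical whitelist: destinations the analyst has already confirmed as
# expected, plus the organisation's own address ranges, so internal hosts
# drop out automatically instead of being removed by hand each time.
KNOWN_GOOD_HOSTS = {
    "intranet.example-corp.test",
    "www.example-cdn.test",
    "updates.example-vendor.test",
}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def host_of(url: str):
    """Extract the destination host from a URL; None if it does not parse."""
    m = HOST_RE.match(url)
    return m.group("host").lower() if m else None


def is_known_good(host: str) -> bool:
    """Whitelisted by name, or an IP address inside an internal range."""
    if host in KNOWN_GOOD_HOSTS:
        return True
    try:
        addr = ip_address(host)
    except ValueError:
        return False  # a hostname, not an address
    return any(addr in net for net in INTERNAL_NETS)


def triage(log_text: str) -> dict:
    """Drop every record whose destination is known good. For each remaining
    destination, return the set of internal clients that contacted it and the
    number of hits, which is what is left to analyse."""
    suspects = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed record: skip rather than abort a multi-GB run
        host = host_of(m.group("url"))
        if host is None or is_known_good(host):
            continue
        entry = suspects.setdefault(host, {"clients": set(), "hits": 0})
        entry["clients"].add(m.group("client"))
        entry["hits"] += 1
    return suspects


def likely_callbacks(suspects: dict, min_clients: int = 2) -> list:
    """Unknown hosts contacted by several different internal clients go to the
    top of the list: that is the 'machines calling home' pattern from a phish."""
    return sorted(h for h, e in suspects.items() if len(e["clients"]) >= min_clients)


if __name__ == "__main__":
    remaining = triage(SAMPLE_LOG)
    for host, entry in sorted(remaining.items()):
        print(f"{host}: {entry['hits']} hits from {sorted(entry['clients'])}")
    print("review first:", likely_callbacks(remaining))
```

The whitelist is deliberately a set of exact hostnames plus CIDR ranges rather than substring matches, so that a lookalike such as `intranet.example-corp.test.attacker.invalid` would not be filtered out along with the real intranet host; the analyst adds confirmed-good destinations as the review proceeds.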