Category Archives: Twitter

Researchers: LinkedIn, Instagram Vulnerable to Preview-Link RCE Security Woes

Popular chat apps, including LINE, Slack, Twitter DMs and others, can also leak location data and share private info with third-party servers.

Cybercriminals Step Up Their Game Ahead of U.S. Elections

Ahead of the November U.S. elections, cybercriminals are stepping up their offensive in both attacks against security infrastructure and disinformation campaigns - but this time, social media giants, the government and citizens are more prepared.

Twitter slammed by U.S. regulator over bitcoin scam

A New York state regulator has slammed Twitter for poor cybersecurity protection that allowed young hackers to seize control of several celebrities’ accounts in July to run a  “double your bitcoin” scam.

“Given that Twitter is a publicly-traded, US$37 billion technology company, it was surprising how easily the hackers were able to penetrate Twitter’s network and gain access to internal tools allowing them to take over any Twitter user’s account,” said the report by the Department of Financial Services.

“Indeed, the hackers used basic techniques more akin to those of a traditional scam artist: phone calls where they pretended to be from Twitter’s Information Technology department. The extraordinary access the Hackers obtained with this simple technique underscores Twitter’s cybersecurity vulnerability and the potential for devastating consequences. Notably, the Twitter Hack did not involve any of the high-tech or sophisticated techniques often used in cyberattacks–no malware, no exploits, and no backdoors.”

In particular, it slammed the company for not having a CISO for seven months before the attack. “A lack of a CISO sends the message that cybersecurity is not a top priority from senior leadership,” says the report.

The hackers — who are facing criminal charges — took over the Twitter accounts of politicians, celebrities, and entrepreneurs, including Barack Obama, Kim Kardashian West, Jeff Bezos, and Elon Musk, as well as Twitter accounts of several cryptocurrency companies regulated by the New York State Department of Financial Services.

What worries the regulator is there are well-documented examples of social media being used to manipulate markets and interfere with elections, often with the simple use of a single compromised account or a group of fake accounts.

“The Twitter Hack demonstrates the need for strong cybersecurity to curb the potential weaponization of major social media companies. But our public institutions have not caught up to the new challenges posed by social media. While policymakers focus on antitrust and content moderation problems with large social media companies, their cybersecurity is also critical. In other industries that are deemed critical infrastructure, such as telecommunications, utilities, and finance, we have established regulators and regulations to ensure that the public interest is protected. With respect to cybersecurity, that is what is needed for large, systemically important social media companies.”

Related:

Twitter attack shows need to better protect admin accounts [Full story]

 

The attack started on the afternoon of July 14 when one or more hackers called several Twitter employees and claimed to be from the company’s help desk responding to a reported problem the staffer was having with Twitter’s virtual private network. Since switching to remote working, VPN problems were common at Twitter. The hackers then tried to direct the employee to a phishing website that looked identical to the real Twitter VPN website and was hosted by a similarly named domain. As the employee entered their credentials into the phishing website, they would simultaneously enter the information into the real Twitter website.

For protection, Twitter strengthens logins by making employees use multi-factor authentication. However, because the hackers were logging into the real site, if a staffer entered their MFA code on the fake site, the attackers could copy it into the real site.

To aid the attack, the hackers used personal information about the employees to convince them that the callers were real Twitter staff and could, therefore, be trusted. The report doesn’t say how the attackers got this information other than speculating it did research to identify staffers and their titles.

Some were suspicious

While some employees were suspicious and reported the calls to Twitter’s internal fraud monitoring team, at least one employee fell for the scam. Getting into this person’s corporate account didn’t get the attackers what they wanted, which was the ability to take over celebrity Twitter accounts. They took the time to wander around Twitter’s internal websites and learn more about the company’s systems. That gained them information about how to access other internal applications.

On July 15, the hackers targeted Twitter employees who had access to certain internal tools to help take over accounts. Some of them were part of the department responsible, in part, for responding to sensitive global legal requests, such as court orders or content removal requests, as well as for developing and enforcing policies to prohibit abusive online behaviour.

Initially, the hackers went after valuable so-called “original gangster” (“OG”) Twitter usernames, which are usually designated by a single word, letter, or number and adopted by Twitter’s early users.  Access to a hijacked OG account could be resold for bitcoin. To show off their prowess, the hackers tweeted screenshots of one of the internal tools from some of the accounts.

Next, the hackers upped their game, going after “verified” accounts of well-known people who want the blue verified badge as a source of authenticity. But a hacked verified account would make fraudulent demands for bitcoin appear more legitimate. The first hijacked verified account belonged to a cryptocurrency trader—direct messages sent from that account asking for 0.01 bitcoin for trading information. After hijacking Twitter accounts of cryptocurrency exchanges, the hackers sent tweets suggesting a bitcoin giveaway, with a link to a scam address. Finally, the attackers gained access to verified accounts of celebrities and fired tweets with the scam offer to millions of their followers.

Exchanges moved quickly

Overall, 130 Twitter user accounts were compromised. Of those, 45 accounts were used to send tweets. Hackers also downloaded data from seven of those accounts through Twitter’s “Your Twitter Data” (“YTD”) tool, which provides a summary of a Twitter account’s details and activity.

The report says the hackers stole approximately US$118,000 worth of bitcoin through the scam.

The report credits cryptocurrency exchanges whose Twitter accounts were hacked with responding quickly to block impacted addresses after being notified by the regulator. Still, Gemini, Square, and Coinbase said that a handful of customers fell for the scam and transferred $22,000 in bitcoin to the hackers’ accounts.

But it came down hard on Twitter, particularly for not having a CISO for seven months before the hack. “A lack of strong leadership and senior-level engagement is a common source of cybersecurity weaknesses. Strong leadership is especially needed in 2020 when the COVID-19 pandemic has created a host of new challenges for IT and cybersecurity. Like many organizations, in March, Twitter transitioned to remote working due to the pandemic. This transition made Twitter more vulnerable to a cyberattack and compounded existing weaknesses.”

‘Didn’t implement significant compensating controls”

Early in the year, the department issued guidance to its regulated firms to identify and assess the new security risks created by remote working because of the pandemic, the report indicated. But Twitter was dragging its heels.

“Twitter did not implement any significant compensating controls after March to mitigate this heightened risk to its remote workforce, and the hackers took advantage.

“To its credit, Twitter has advised the Department that it is now implementing additional security controls to prevent similar attacks in the future, such as improved MFA and additional training on cybersecurity awareness, and in late September 2020, it announced the hire of a new CISO. But the consequences of the Twitter Hack show why it is critical for Twitter and other social media companies to implement robust controls before they experience a cyber incident, not after.”

Among the report’s recommendations are that cryptocurrency exchanges have to proactively identify and quickly block addresses known to be used by fraudsters. It also says that — where possible — some companies are restricting cryptocurrency asset transfers only to addresses that have already been approved. However, adding a new address can take a day or more.

“Twitter’s access management and authentication failed to prevent unsophisticated hackers from getting to the powerful internal tools,” the report notes. While Twitter limit access to the internal tools, over 1,000 employees still had access to them for job functions, user account maintenance and support, content review, and responses to reports of Twitter Rules violations. Since the hack, Twitter has further limited the number of employees with access to internal tools, even though it caused a slowdown of some job functions.

The report also says Twitter has abandoned application-based MFA in favour of a physical security key.

Finally, the report suggests a U.S. federal regulator be created to oversee social media platforms. “The risks posed by social media to our consumers, economy, and democracy are no less grave than the risks posed by large financial institutions,” it argues. “The scale and reach of these companies, combined with the ability of adversarial actors who can manipulate these systems, require a similarly bold and assertive regulatory approach.”

The post Twitter slammed by U.S. regulator over bitcoin scam first appeared on IT World Canada.

Answer these questions to find out how safe your social media profiles are

Unless you’re a hermit who lives under a rock, you probably use social media in some form or the other. You’re not alone; recent statistics reveal that you’re among 3.5 billion social media users worldwide. And it’s a rapidly increasing number that already constitutes half the world’s population. Social media…

How social media is used to commit financial fraud

Social media is a fraudster’s heaven. There are billions of targets – Facebook itself had over 2.6 billion monthly active users in the first quarter of 2020. Because of the very nature of these platforms, users can be quite careless about the amount of personal information they post. For cybercriminals,…

Cyber Security Roundup for August 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, July 2020.

The standout hack of July 2020, and possibly of the year, was the takeover of 45 celebrity Twitter accounts, in a bid to scam their millions of followers by requesting Bitcoin in tweets. 
Twitter confirms internal tools used in bitcoin-promoting attack ...
Scam Tweet
The high-profile Twitter accounts compromised included Barack Obama, Elon Musk, Kanye West, Bill Gates, Jeff Bezos, Warren Buffett, Kim Kardashian, and Joe Biden. Around £80,000 of Bitcoin was sent to the scammer's Bitcoin account before Twitter swiftly took action by deleting the scam tweets and blocking every 'blue tick' verified Twitter user from tweeting, including me

While the Twitter hack and scam dominated media headlines around the world, the attack was not the 'highly sophisticated cyber-attack' as reported by many media outlets, but it was certainly bold and clever. The attackers phoned Twitter administrative staff and blagged (socially engineered) their Twitter privilege account credentials out of them, which in turn gave the attackers access to Twitter's backend administrative system and to any Twitter account they desired. It is understood this Twitter account access was sold by a hacker on the dark web to a scammer in the days before the attack, that scammer(s) orchestrated a near-simultaneous Bitcoin scam tweets to be posted from the high profile accounts. On 31st July, law enforcement authorities charged three men for the attack, with one of the suspects disclosed as a 19-year British man from Bognor Regis.

There was a very serious critical Windows vulnerability disclosed as part the July 2020 Microsoft 'Patch Tuesday' security update release. Dubbed "SIGRed", it is a 17-year-old Remote Code Execution (RCE) vulnerability in Windows Domain Name System (DNS), a component commonly present in Microsoft Windows Server 2008, 2012, 2012R2, 2016 and 2019. Disclosed as CVE-2020-1350 it was given the highest possible CVSS score of 10.0, which basically means the vulnerability is “easy to attack” and “likely to be exploited”, although Microsoft said they hadn't seen any evidence of its exploitation at the time of their patch release.

Given SIGRed is a wormable vulnerability, it makes it particularly dangerous, as wormable malware could exploit the vulnerability to rapidly spread itself over flat networks without any user interaction, as per the WannaCry attack on the NHS and other large organisations. Secondly, it could be used to exploit privilege level accounts (i.e. admin accounts found on Servers).  The Microsoft CVE-2020-1350 vulnerability can be mitigated on effected systems by either applying the Microsoft Windows DNS Server Microsoft released patch (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350 or by applying a Registry Workaround (https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability)

At least 10 universities in the UK had student data stolen after hackers attacked Blackbaud, an education-focused cloud service provider. UK universities impacted included York, Loughborough, Leeds, London, Reading, Exeter and Oxford. According to the BBC News website, Blackbaud said "In May of 2020, we discovered and stopped a ransomware attack. Prior to our locking the cyber-criminal out, the cyber-criminal removed a copy of a subset of data from our self-hosted environment."

As expected, the UK Government ordered UK mobile network operators to remove all Huawei 5G equipment by 2027, and banning their purchase of Huawei 5G network equipment after 31st December 2020.  Digital Secretary Oliver Dowden said it follows sanctions imposed by the United States, which claims the Chinese firm poses a national security threat, which Huawei continues to resolutely deny. The ban is expected to delay the UK's 5G rollout by a year. "This has not been an easy decision, but it is the right one for the UK telecoms networks, for our national security and our economy, both now and indeed in the long run," he said. 
In some media quarters, it was suggested the UK u-turn on Huawei could lead to cyberattack repercussions after Reuter's said its sources confirmed China was behind cyberattacks on Australia's critical national infrastructure and government institutions following their trade dispute with China.

Russian Hacking Group (APT 29) was jointly accused of targeting the theft of coronavirus vaccine research by the UK NCSC, the Canadian Communication Security Establishment (CSE), United States Department for Homeland Security (DHS), Cyber-security Infrastructure Security Agency (CISA) and the US National Security Agency (NSA). The UK's National Cyber Security Centre (NCSC) said the hackers "almost certainly" operated as "part of Russian intelligence services". It did not specify which research organisations had been targeted, or whether any coronavirus vaccine research data was taken, but it did say vaccine research was not hindered by the hackers. Russia's ambassador to the UK has rejected allegations, "I don't believe in this story at all, there is no sense in it," Andrei Kelin told the BBC's Andrew Marr Show. While Foreign Secretary Dominic Raab said it is "very clear Russia did this", adding that it is important to call out this "pariah-type behaviour". 

UK sport said hackers tried to steal a £1 million club transfer fee and froze turnstiles at a football game. Cybercriminals hacked a Premier League club managing director's email account during a player transfer negotiation, the million-pound theft was only thwarted by a last-minute intervention by a bank.  Another English football club was targeted by a ransomware attack which stopped its turnstiles and CCTV systems from working, which nearly resulted in a football match being postponed. Common tactics used by hackers to attack football clubs include compromising emails, cyber-enabled fraud and ransomware to shutting down digital systems. For further information on this subject, see my extensive blog post on football club hacking, The Billion Pound Manchester City Hack.

Smartwatch maker Garmin, had their website, mobile app and customer service call centres taken down by ransomware on 23rd July 2020. Reports suggest the fitness brand had been hit by the WastedLocker ransomware strain, which is said to have been developed by individuals linked to a Russia-based hacking group called 'Evil Corp'.  According to Bleeping Computer, Garmin paid $10 million to cybercriminals to receive decryption keys for the malware on 24th or 25th July 2020.

Yet another big data exposure caused by a misconfigured AWS S3 bucket was found by security researchers, one million files of Fitness Brand 'V Shred' was discovered exposed to the world, including the personal data of 99,000 V Shred customers. Interestingly V Shred defended the researcher findings by claiming it was necessary for user files to be publicly available and denied that any PII data had been exposed.

BLOG

NEWS
VULNERABILITIES AND SECURITY UPDATES
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

Twitter Hack & Scam

What Happened?
Twitter confirmed 130 celebrity Twitter accounts were targeted in the cyberattack on Wednesday 15th July, with 45 successfully compromised. The hacked Twitter accounts included high profile individuals such as Barack Obama, Elon Musk, Kanye West, Bill Gates, Jeff Bezos, Warren Buffett, Kim Kardashian, and Joe Biden. Their accounts were used to send a tweet to scam Bitcoin out of their millions of followers.

Twitter confirms internal tools used in bitcoin-promoting attack ...
Scam Social Engineering Tweet sent from Bill Gates' Twitter Account
Twitter quickly reacted to the hack by taking an unprecedented step of temporarily preventing all verified users from tweeting, including yours truly; I was trying to warn people about the attack but my tweets were repeatedly prevented from posting. Before the scam tweets were taken down more than £80,000 ($100,000) was sent to the scam Tweet's advertised Bitcoin address. The FBI is investigating the incident.

How the Twitter Accounts were Compromised
Twitter said hackers had targeted employees with access to its internal systems and "used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf".  A report by security researcher firm HudsonRock said an advert appeared on a dark web hacker's forum earlier in the week, which offered a service to takeover any Twitter account. The seller said they were able to achieve this by being able to change any Twitter account's linked email address. 

The seller was a group or individual that managed to hack their way into Twitter's backend systems, probably by social engineering Twitter's staff, to gain full administration rights at Twitter. This enabled them to provide their buyers with the opportunity to control any Twitter account and to write those accounts' tweets. Hence this nefarious service being bought and then used to acquire Bitcoin via scam messages.
Hackers posted the view from the Twitter control panel
Security researchers at Hudson Rock spotted Twitter Hack advertisement
Additional Impact?
It is not yet clear whether the hacker(s) stole the Direct Messages (private messages) of the high profile Twitters users, such messages could be used to cause embarrassment and for cyber extortion.  The attack appears to be a quick 'smash and grab' money maker, by both the seller to make a quick buck and by the buyer, who used the service to quickly obtain £80k worth of Bitcoin, rather than anything more sinister or sophisticated. 

Update as of 18th July 2020
Twitter confirmed the perpetrators used its administration tools to orchestrate the attack and had downloaded data from up to eight of the accounts involved, but said none of these accounts was "verified" high profile accounts.  

A New York Times article suggested at least two of the attackers are from England. The attackers successfully manipulated a small number of employees and used their credentials to access Twitter's internal systems

Twitter's statement said "The attackers successfully manipulated a small number of employees and used their credentials to access Twitter's internal systems. We are continuing our investigation of this incident, working with law enforcement, and determining longer-term actions we should take to improve the security of our systems. We're embarrassed, we're disappointed, and more than anything, we're sorry."

Facts Twitter confirmed
  • Attackers were not able to view previous account passwords, as those are not stored in plain text or available through the tools used in the attack.
  • Attackers were able to view personal information including email addresses and phone numbers, which are displayed to some users of our internal support tools.
  • In cases where an account was taken over by the attacker, they may have been able to view additional information. Forensic investigation of these activities is still ongoing.
What the Experts Think
Nigel Thorpe, technical director at SecureAge said the latest Twitter hack exposes the identity and access management vulnerability and the risk of administrator accounts being compromised, leaving data vulnerable. It appears that cybercriminals gained access to Twitter's internal network, then used an admin tool to control the user accounts of prominent individuals and organisations to post fraudulent messages. Using social engineering to gain access to Twitter staff accounts, giving access to data stored in the network.

This incident illustrates the loophole with identity and access management such that if a user account is compromised, data is left unprotected. This loophole can be closed by taking a data-centric approach to security, where information is automatically protected, with authenticated encryption built right into the data. This means that even unencrypted files, when changed or moved, will immediately be encrypted so that, if stolen, they will appear to be garbage to the thief.

A compromised user account still has access to data, but it remains encrypted all the time, even when in use. When copied from its ‘safe’, access-controlled location - even if that's outside the organisation - the data remains encrypted and therefore useless. No ransom, no embarrassing disclosures, no legal action.

Liviu Arsene, Global Cybersecurity Researcher at Bitdefender said with attackers successfully compromising high-profile Twitter accounts that potentially also had two-factor authentication can only point to a coordinated cyberattack at Twitter’s employees and systems. It’s likely this could be a result of attackers exploiting the work-from-home context, in which employees are far more likely to fall prey to scams and spearphishing emails that end up compromising devices and ultimately company systems.

This high-profile Twitter breach could be the result of a spray-and-pray spear-phishing campaign that landed some opportunistic cybercriminals the could potentially be the hack of the year for Twitter. They could have done potentially far more damage. Instead, by delivering a simple Bitcoin scam, we could be looking at attackers that wanted to quickly monetize their access, instead of a highly coordinated and sophisticated operation performed by an APT group.

If this is the case, it’s likely that more companies could potentially be breached as a result of cybercriminals phishing employees. With 50% of organizations not having a plan for supporting and quickly migrating employees and infrastructure to full remote work, we’re probably going to see more data breaches that either exploit employee negligence or infrastructure misconfigurations left behind during the work from home transition.

While large organizations may have strong perimeter security defences, security professionals mostly worry that a potential breach could occur because of attackers exploiting the weakest link in the cybersecurity chain: the human component.

Tony Pepper, CEO of Egress said Twitter has suffered a co-ordinated attack targeting its employees "with access to internal systems and tools" is deeply concerning. However, screenshots obtained from two sources who took over accounts which suggest that this breach was caused by an intentionally malicious insider adds an additional layer of concern and complexity to this saga.

In our 2020 Insider Data Breach, we found that 75% of IT leaders surveyed believe employees have put data at risk intentionally in the past year and this latest breach seems to bear out those beliefs.

So, what can security professionals do to prevent this risk and keep sensitive data out of the reach of malicious threat actors? Organisations have an opportunity to do more by understanding the ‘human layer’ of security, including breach personas and where different risks lie. Technology needs to do more by providing insight into how sensitive data in the organisation is being handled and identifying risks, including human-activated threats.

By spotting the characteristics of a potentially malicious insider and being aware of what they are susceptible to and motivated by, organisations can put the tactics, techniques, and technology in place to mitigate the risk.

Highlighter Super Users Series: Post 1

The Highlighter™ Super Users series is a little something I've put together to reach out to the Highlighter community. As a user of this freeware tool from Mandiant, I want you to know there are many users out there who can help you get through your log analysis paralysis. This series is meant to highlight (see what I did there?) how some users have solved a various range of problems using Highlighter. These interviews will provide insight into the benefits and pitfalls of using Highlighter, some features you may not be aware of, and a few use cases you may not have considered.

Super User Interview #1: Ken Johnson

Ken Johnson is one of Highlighter's Twitter-friendly users. He is a malware analyst and incident responder extraordinaire; fighting evil one keyword search at a time. Known as @patories on Twitter, I reached out to him and asked some questions about his experience using Highlighter.

  1. Name
    Ken Johnson
  2. Realm of work
    My primary work is focused on malware analysis and incident response. Occasionally I also do some forensics work.
  3. How did you hear about Highlighter?
    I first saw Highlighter when I was familiarizing myself with free tools. I have used Memoryze™ previously.
  4. Do you know of any other tools that do what Highlighter does?
    Highlighter is the only tool I know of, and it does what I need so I haven't looked for others.
  5. How do you normally use Highlighter?
    I use Highlighter to trim out known good traffic from proxy logs. This helps get to the unknown stuff quicker. When logs can be multiple gigabytes this is a time saver.
  6. Can you describe one scenario in which Highlighter helped you find evil and/or solve crime?
    On more than one occasion I have used Highlighter to narrow down proxy log traffic to find connections that are malicious. There was an instance about 2 months ago where users fell for a Phish. We used Highlighter to find the C&C IP's that machines kept calling home to, by filtering out what was normal and analyzing what was left. Highlighter helped find almost 50 IP/URLS that were malicious.
  7. On a scale from 1 (worst) to 5 (best), how well does Highlighter address your use case(s)?
    I would have to give Highlighter a 4.
  8. What is missing from Highlighter for your use case(s)?
    I would like to have the ability to whitelist traffic so I do not have to manually keep removing internal hosts that we see. This may be in the program and I have not found it.
  9. What is one Highlighter feature addition that would serve the Information Security community best?
    I think the ability to whitelist hostnames would be a nice addition.
  10. Are you aware of, or have you used, any of the following features:
    • Activity Over Time feature that lets you view log data as a function of Entries Per Day
      No, I was not aware of this one.
    • Ability to change basic font settings for your output
      I know it is there, but for my use this is never used.
  11. Have you ever seen Highlighter used in such a way that your eyeballs melted from all the Awesome?
    I have only seen myself use it, but I have seen my co-workers eyeballs melt when I show them the awesomeness that they can do. Some are still stuck in the grep world...

Keep an eye out for the second post in the Highlighter Super Users Series featuring Russ McRee, author of ISSA Journal's toolsmith series and mastermind behind www.holisticinfosec.org. If you're interested in sharing your own experiences with this tool, please let me know by commenting below.