In this blog, let’s take a look at what is sure to be one of the biggest information security events of 2020: the Twitter hack. While it is still very early and details are still coming out, let’s take a quick look at what we know so far and some lessons we should learn from it.
What We Know about the Twitter Hack
On July 16th, 2020 attackers targeted 130 user accounts on Twitter. These included many high-profile accounts, including Barack Obama, Elon Musk, Jeff Bezos, Joe Biden, Warren Buffett, and Michael Bloomberg. The attackers used these accounts to send out a message asking users to send bitcoin in a plea to give back to the community. An analysis of the BTC wallet for the 24 hours after the attack shows that the account processed 383 transactions and received 17 bitcoin (approximately $117,000). Twitter quickly released a statement saying that it was the result of “a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools. We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.” Krebs on Security further found out that “the way the attack worked was that within Twitter’s admin tools, apparently you can update the email address of any Twitter user, and it does this without sending any kind of notification to the user, so [the attackers] could avoid detection by updating the email address on the account first, and then turning off 2FA.”
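The sequence Krebs describes (an admin-side email change followed shortly by a 2FA disable on the same account, with no notification to the user) is exactly the kind of pattern an audit-log detection can flag. The following is an added example, not Twitter’s code or tooling; the log format, the action names `update_email` and `disable_2fa`, and the sample lines are all constructed for illustration.

```python
"""Detect admin-tool sessions that change a user's email and then disable
that user's 2FA within a short window. Hypothetical audit-log format:
timestamp|actor|action|target_user (constructed for this example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: two takeover-style sequences by admin_a,
# one email change with a 2FA disable far outside the window (admin_b),
# and one 2FA disable with no preceding email change (admin_c).
SAMPLE_LOG = """\
2020-07-15T20:01:05|admin_a|update_email|user_1001
2020-07-15T20:01:40|admin_a|disable_2fa|user_1001
2020-07-15T20:05:00|admin_b|update_email|user_2002
2020-07-15T21:30:00|admin_b|disable_2fa|user_2002
2020-07-15T20:10:00|admin_c|disable_2fa|user_3003
2020-07-15T20:11:00|admin_a|update_email|user_4004
2020-07-15T20:11:30|admin_a|disable_2fa|user_4004
"""


def parse_log(text):
    """Parse the pipe-delimited log into (timestamp, actor, action, target) tuples, time-ordered."""
    events = []
    for line in text.strip().splitlines():
        ts, actor, action, target = line.split("|")
        events.append((datetime.fromisoformat(ts), actor, action, target))
    return sorted(events)


def find_takeover_sequences(events, window=timedelta(minutes=10)):
    """Return (email_actor, tfa_actor, target, email_ts, tfa_ts) for every
    disable_2fa that follows an update_email on the same target within `window`."""
    last_email_change = {}  # target -> (timestamp, actor) of most recent email change
    hits = []
    for ts, actor, action, target in events:
        if action == "update_email":
            last_email_change[target] = (ts, actor)
        elif action == "disable_2fa" and target in last_email_change:
            prev_ts, prev_actor = last_email_change[target]
            if ts - prev_ts <= window:
                hits.append((prev_actor, actor, target, prev_ts, ts))
    return hits


def actors_with_repeated_hits(hits, threshold=2):
    """Admin accounts that performed the sequence at least `threshold` times: the
    mass-account activity seen in this incident, rather than a one-off support action."""
    counts = defaultdict(int)
    for _, tfa_actor, _, _, _ in hits:
        counts[tfa_actor] += 1
    return sorted(a for a, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = find_takeover_sequences(parse_log(SAMPLE_LOG))
    for email_actor, tfa_actor, target, email_ts, tfa_ts in found:
        print(f"{target}: email changed by {email_actor} at {email_ts}, 2FA disabled by {tfa_actor} at {tfa_ts}")
    print("repeat offenders:", actors_with_repeated_hits(found))
```

The window and threshold are tuning knobs; a single email-then-2FA change may be legitimate account recovery, but the same admin doing it across several accounts in minutes is the signal worth alerting on, and sending the user a notification on the email change removes the stealth the attackers relied on.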
The Impact of the Hack
All things considered, the impact seems to be relatively minimal. The attack appears to have been purely financially motivated, resulting in the attackers receiving bitcoin from people who believed they were donating to the community. While this is a massive embarrassment for Twitter, things could have been a lot worse. One of the most significant implications would have been if the attackers had used these accounts to impersonate their owners. Twitter is used for politics, business announcements, financial advice, etc. Hypothetically, the attackers could have sent a message from Warren Buffett’s account to cause a financial sell-off or used Joe Biden’s account to have a drastic impact on the upcoming election. While it is not yet clear whether we know everything at this point, it is clear that the attackers could have caused ramifications far beyond a simple BTC scam.
Quick Lessons Learned
It is important that we are constantly learning and adapting to the security landscape. As such, it is important that we pull out lessons learned from major incidents like this, with the caveat that we do not have all the information yet, of course. From what we do know, social engineering is how the attacker gained their initial foothold. This is not surprising, as the Verizon Data Breach Investigation Report (DBIR) has, for years, reported that 90% of all data breaches incorporate social engineering. The best way to protect yourself is with a robust security awareness training program and regular social engineering campaigns to evaluate the training’s effectiveness, not an off-the-shelf computer-based training no one pays attention to.
Further, we know that once the attackers gained access through social engineering, they either had direct access to the Twitter admin tools or were able to escalate to the permissions of someone who had access to the admin tools. This brings to mind two things. First, an internal penetration test is an effective way for you to evaluate whether there are vulnerabilities on your network that would allow an attacker to elevate from initial access to administrative rights on the network. Second, while we don’t know how Twitter’s domain accounts are set up, you should take a minute to ensure you are following the principle of least privilege with your domain users and groups. The principle of least privilege states that users have the minimum permissions necessary to perform their job. Think about your organization’s “admin tools” or whatever assets you need to protect. Who has access to these interfaces and the information they contain? Does anyone have access that does not need it, or do users have more rights than they should? Has anyone switched departments recently, and if so, were their former permissions removed?
Reviewing and thinking about these things can provide a quick “health check” for your organization in the wake of the recent Twitter hack. If the answers to any of those questions make you a little uneasy, it may be time to re-evaluate your security practices and see if there are areas for improvement.