CyberArk Security Research Team Leader Nir Chako unpacks how the Twitter attack deployed social engineering, and what it reveals about human nature.
By Nir Chako
Last month Twitter suffered a breach that compromised numerous celebrities’ and politicians’ accounts. These included former US president Barack Obama, former vice president and current presidential candidate Joe Biden, Amazon CEO Jeff Bezos, and Tesla CEO Elon Musk.
While investigations are ongoing, Twitter reported it was the victim of a “coordinated social engineering attack.” The company confirmed that criminals targeted and successfully manipulated a small group of employees, using their credentials to gain unauthorised access to an administrative tool “only available to internal support teams.” Using these tricks, the attackers were then able to hijack Twitter accounts and post messages to dupe social media users into sending bitcoin payments to fraudulent causes.
Originally thought to be the work of experienced nation-state attackers, it now appears the attack was conducted by a relatively unsophisticated group of hackers motivated by financial gain.
Social engineering attacks are effective because all cyber-attackers are experts at using human psychology to their advantage. They know how to use psychological manipulation to convince a person to take action or divulge sensitive information.
We witnessed something similar at the beginning of August, when a number of high-profile YouTube channels were hacked. Attackers managed to gain access to channels, change their names and post live broadcasts of leading YouTube trends to attract many viewers. These broadcasts were designed to incorporate a message that promised to double the amount of bitcoin that viewers sent to the channel’s owners.
These cyber-attacks on Twitter and YouTube highlight the dangers of unsecured privileged access to critical applications. They are a reminder of how quickly any credential or identity can acquire privileges under certain conditions. If those privileges are not properly secured, criminals can use them to access critical assets – currency, intellectual property, sensitive client records, and more – causing irreparable harm to the business.
Deconstructing the Twitter Attack
To assess how businesses can defend against cyber-attacks like these, it is important to understand how this type of attack usually happens. Here is a probable explanation of how the Twitter attack took place.
1. Conduct reconnaissance. It is likely that the attackers searched social media profiles to pinpoint members of Twitter’s internal support team – specifically system admins who likely had access to the internal platform.
2. Coerce Twitter employees. Using personal information obtained from the reconnaissance in the previous step, the attackers targeted at least one Twitter employee and obtained access rights to Twitter’s Slack channel – an instant messaging system used by organisations for internal communication between employees. Access to the company’s channel was obtained through a spear-phishing attack – a social engineering attack targeting a specific person – aimed at the employee’s smartphone, so that the employee’s attempt to connect to the channel from that device was verified, circumventing two-factor authentication (2FA).
It was reported that several days after gaining access to the channel, the hacker found credentials allowing access to the company’s internal management system, apparently in a conversation between employees.
3. Gain access to the target system. Using these credentials, the attackers were able to either directly access Twitter’s internal admin platform or to move laterally and escalate privileges until they could access the system. By using legitimate credentials, they could operate under the radar without being discovered.
4. Compromise Twitter accounts. With control of the internal platform, the attackers targeted 130 accounts and successfully compromised 45 by changing their associated emails without notifying their owners. If multi-factor authentication (MFA) was in place on an account, the attackers probably disabled this layer of security and then issued a password change, which was sent to the new email address.
5. Coerce Twitter users. Using the new passwords, the attackers began uploading posts to the Twitter accounts they had taken over. This is where the second use of social engineering in the attack became evident. The hackers published posts in which they wrote “I am interested in giving back to the community. Any bitcoin sent to me will be refunded in double amount. This offer is only relevant for the next half hour!”
The fact that these tweets were posted by influential and well-known figures whose accounts are verified by Twitter instantly made them appear more legitimate to the accounts’ followers. Moreover, the fact that similar messages were published from several different trusted sources reinforced the feeling that this was not a hoax. Add to that the introduction of a limited time frame to create a sense of urgency for users, and you have the recipe for an influx of bitcoin.
6. Cash in. In just three hours, the fraudsters collected USD118,000 in what the New York Times called “one of the most brazen online attacks in memory.”
Six steps for mitigating risk of a social engineering attack
Humans will always make mistakes. This means that cyber-security measures will always be attack-resistant, not attack-proof. That said, there are steps your organisation can take to significantly lower attackers’ success rates.
1. Raise awareness. Ongoing employee education and training on cybersecurity best practices, including how to spot a spoof, is a vital first step. Remember, urgent requests for payment or sensitive information should always require validation.
2. Use strong passwords. As many employees continue to work from home, strong password policies are more important than ever. Start with the basics: choose strong passwords, don’t reuse them across multiple accounts, don’t share them, and don’t save them in browsers.
3. Prioritise Privileged Access Management (PAM). Privileged access is the route to your most critical assets. One of the best proactive ways to reduce risk is to use strong PAM controls like the principle of least privilege to prevent credential theft, block lateral and vertical movement, and stop privilege escalation and abuse. The Twitter attack should have every security leader asking right now: how are we identifying what our most critical systems, data, and infrastructure are? Who has access? Who is considered a privileged user? What steps are we taking to manage, monitor and protect that access?
4. Create a conditional access policy that mandates MFA. Based on Microsoft studies, an account is more than 99.9% less likely to be compromised if MFA is in place. Think of it this way: single-factor authentication is a single point of failure. With conditional access, a user who wants to access a sensitive resource must first perform MFA to reach it. This approach also helps organisations balance security and productivity better.
5. Use dual control systems. No employee should have full access to sensitive platforms without multiple layers of security. For example, when a user tries to access a sensitive system, a request is created and must be confirmed by a second authorised user. It is similar to the military’s “two-person concept,” designed to prevent malicious or accidental missile launches.
6. Monitor and respond to anomalous activity. By continuously monitoring privileged sessions and using analytics tools to automatically identify risky behaviour or anomalous activity, your SOC team should be alerted immediately when something goes wrong.
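As an added illustration of the monitoring step (not code from the article or from CyberArk), the block below runs simple detection logic over a constructed audit log from a hypothetical internal account-support tool. It looks for the account-takeover sequence described above (recovery email changed, MFA disabled, password reset) and raises an alert when one operator completes it on several unrelated accounts within a short window; the log format, operator names and thresholds are all assumptions.

```python
# Added example (not the article's or CyberArk's code): detection logic over a
# constructed audit log from a hypothetical internal account-support tool. It
# flags the takeover pattern the article describes (recovery email changed,
# MFA disabled, password reset) when one operator repeats it across accounts.
from datetime import datetime, timedelta
# Constructed sample log, one event per line: "timestamp operator action target"
SAMPLE_LOG = """\
2020-07-15T20:01:10 agent17 email_change acct_1001
2020-07-15T20:01:42 agent17 mfa_disable acct_1001
2020-07-15T20:02:05 agent17 password_reset acct_1001
2020-07-15T20:03:30 agent17 email_change acct_1002
2020-07-15T20:04:01 agent17 password_reset acct_1002
2020-07-15T20:05:12 agent17 email_change acct_1003
2020-07-15T20:06:02 agent17 password_reset acct_1003
2020-07-15T20:07:00 agent42 email_change acct_2001
2020-07-15T20:40:00 agent42 password_reset acct_2001
"""

def parse_log(text):
    """Yield (timestamp, operator, action, target) tuples from the raw lines."""
    for line in text.splitlines():
        ts, operator, action, target = line.split()
        yield datetime.fromisoformat(ts), operator, action, target

def find_takeovers(events, max_gap=timedelta(minutes=10)):
    """Map (operator, target) -> time a recovery-email change was followed by a
    password reset within max_gap (an mfa_disable in between is not required)."""
    pending, completed = {}, {}
    for ts, operator, action, target in sorted(events):
        key = (operator, target)
        if action == "email_change":
            pending[key] = ts
        elif action == "password_reset" and key in pending:
            if ts - pending.pop(key) <= max_gap:
                completed[key] = ts
    return completed

def alert_bulk_takeovers(completed, window=timedelta(hours=1), threshold=3):
    """Return {operator: count} for operators with `threshold` or more takeovers
    of distinct accounts inside one `window`; genuine support work rarely does."""
    flagged = {}
    for operator in {op for op, _ in completed}:
        times = sorted(ts for (op, _), ts in completed.items() if op == operator)
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= window)
            if in_window >= threshold:
                flagged[operator] = in_window
                break
    return flagged
```

In the sample, agent42's reset comes 33 minutes after the email change, so it is not counted, while agent17's three takeovers in five minutes trigger the alert.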
The Twitter attack exemplifies the struggle many organisations face: how best to secure the high number of identities that require privileged access to sensitive systems. There’s a critical need for an approach to privileged access management that reduces risk, makes security teams’ lives easier by using automation, and empowers users to do their jobs as efficiently as possible.
Businesses that do not put the required measures into place are inviting cyber-attackers, and should expect similar consequences to those Twitter suffered.