Multiple theories have surfaced over how attackers on Wednesday briefly hijacked Twitter accounts belonging to several high-profile individuals—including Democratic presidential hopeful Joe Biden—and used them to tweet a bitcoin scam.
Twitter itself has described the brief takeover as resulting from a social engineering attack on some of its employees, even as a new claim emerged about potential malicious insider involvement in the incident. Meanwhile, Reuters today reported that unnamed sources say the FBI is leading a federal inquiry into the incident.
On Wednesday evening, the Twitter accounts of Biden, former President Barack Obama, Microsoft founder Bill Gates, Tesla CEO Elon Musk, and several dozen other high-profile individuals and companies including Uber and Apple were taken over and used to tweet a bitcoin scam.
The tweets urged individuals to send bitcoin to a specific address contained in the message, with the promise the amount would be sent back to them doubled, if they did so within 30 minutes or one hour. Gate's purported tweet, for example, promised $2,000 to people who sent $1,000 in Bitcoin. Some security vendors estimated the scammers made more than $100,000 before Twitter was able to shut down the caper.
The incident—happening as it did amid questions about social media platforms being used to spread fake news and disinformation—has stoked broad concern.
Security experts have expressed surprise that attackers were able to take over accounts that belonged to arguably some of the most influential people on Twitter and have said the incident raises several serious questions about the social media giant's access control mechanisms.
Many have questioned the company's use of multi-factor authentication for protecting access to privileged admin accounts and wondered why those mechanisms failed to prevent someone from taking over accounts with literally hundreds of millions of followers between them.
"It's hard to fathom that Twitter employees wouldn't have their own access protected by 2FA, so this raises questions about how it would be possible for a social engineering attack to succeed," said Costin Raiu, director of Kaspersky's global research and analysis team in an emailed comment.
In a series of tweets last evening, Twitter described the incident as resulting from a social engineering attack targeted at some employees with "access to internal systems and tools."
"We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf," Twitter said. "We're looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it."
The company said that following the attack it had initiated a series of steps to protect its internal systems from further abuse while it investigated what might have happened. In a message, Twitter co-founder and CEO Jack Dorsey articulated his frustration at what some have described as the worst and most serious security failure at the company so far. "Tough day for us at Twitter. We all feel terrible this happened. We're diagnosing and will share everything we can when we have a more complete understanding of exactly what happened."
Andy Ellis, CSO at Akamai, says that in this particular case, the Twitter compromise was through internal user permissions. But similar account takeovers can potentially result via third-party systems and APIs he says. "I think there are many things to take away here," he says.
Account takeovers like this don't always involve someone taking direct control of a system, he says. Sometimes an attacker can gain access to third-party systems like Hootsuite, CoTweet and Dynamic Signal that allow corporate brands and multi-person accounts to delegate some Twitter permissions to them. "Twitter — and other social media companies — support these for a number of reasons, but a primary use case is because that is often what some users want," Ellis says. "For instance, I use an app that allows me to schedule tweets in the future, so I can “live tweet” my own talks," he says.
"In some senses, this attack bears a small similarity to the DNS registrar attacks that the Syrian Electronic Army was known for engaging in; where a compromise of an insider - direct or via social engineering - can cause significant harm by using privileges on the inside," Ellis says.
Companies need to guard against that both by looking at reducing those privileges, and evaluating whether to introduce some some delay or friction in the case of account takeover actions like may have happened here.
Meanwhile, on Thursday, Motherboard described the Twitter account takeovers as being enabled by an insider with admin access to some sort of a control panel that allowed for the accounts to be essentially hijacked. The outlet said it had spoken to two individuals who were allegedly involved in the incident. The outlet reported one of the individuals as saying the insider had "literally done all the work for us." The second told Motherboard the insider was paid to provide the hackers access to the control panel. Motherboard said it had obtained screenshots of the tool that allowed the hackers to change ownership of some accounts and enabled the tweeting of the bitcoin scam.
Twitter did not directly respond to a Dark Reading request for comment on Motherboard's report. A spokesman merely confirmed the investigation was still ongoing, and said the company was committed to sharing whatever it would find. But in comments to Motherboard, a Twitter spokesman said the company was indeed looking into whether an employee had provided the hackers with access to the tool or whether they had been social-engineered into doing it.
"The attack in question was most likely the result of an insider breach," says Kevin O'Brien, CEO of GreatHorn. "The range of accounts compromised included many that had MFA enabled, and the rapid access suggests that the credentials were rapidly changed or accessed via internal administrative tools."
O'Brien predicts that Twitter's investigation will show that this was likely a multi-step attack that involved phishing or business email compromise to gain initial access, after which they used the access to execute the bitcoin scam itself. "No system is perfect, but Twitter will hopefully examine and enhance its security, especially with respect to the initial attack vector," O'Brien says.
Morey Haber, CTO and CISO at BeyondTrust, pointed to several other issues raised by the incident. Among them were questions about how Twitter might have protected the tool that provided access to the compromised account and why such a tool even existed in the first place. The incident also raises questions about what other access the attackers had, how they are going to safeguard the tool in future, and whether the threat actors now have the ability to use it for future attacks, Haber said in a statement.
The Twitter incident is also likely to do little to allay concerns about social media platforms being misused for potentially far more damaging purposes.
"Within the security community, there is significant discussion underway as to whether the bitcoin tweets themselves were a so-called 'false flag' attack," says O'Brien. The apparent fact that the attackers did not use the stolen access beyond what was ultimately an amateurish cryptocurrency scam is suspicious, he says.
"Concerns include whether other high-level government or business profiles were compromised, and whether direct messages and sensitive information was stolen or exchanged while the far more public Bitcoin scam was simultaneously occurring," he says. "Evidence remains scarce, but more will likely come as the details are revealed.”
At least one lawmaker has expressed similar concerns already. In a letter to Twitter's Dorsey Wednesday, Sen. Josh Hawley (R-MO) wondered if the attack had threatened the security of President Trump's Twitter account and those of others whose accounts might not necessarily have been used in the Bitcoin scam.
"Did this event represent a breach of users' own account security or of Twitter's systems?" Hawley asked. "Did this breach compromise the account security of users whose accounts were not used to share fraudulent posts? If so, how many accounts were affected? Were all accounts' security compromised by this breach?"
Hawley urged Dorsey to get in touch immediately with the FBI and the US DOJ and get their help in securing Twitter against similar attacks.
- Cryptocurrency Scam Spreads Across High-Profile Twitter Accounts
- Twitter Says Business Users Were Vulnerable to Data Breach
- Social Media: Corporate Cyber Espionage's Channel of Choice
- 7 Tips for Effective Deception
Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.