7/16/2020 02:31 PM

Twitter Attack Raises Concerns Over Its Internal Controls

Attackers temporarily gained control of the accounts of Joe Biden, Barack Obama, Bill Gates, and others, to tweet a bitcoin scam.

Multiple theories have surfaced over how attackers on Wednesday briefly hijacked Twitter accounts belonging to several high-profile individuals, including Democratic presidential hopeful Joe Biden, and used them to tweet a bitcoin scam.

Twitter itself has described the brief takeover as resulting from a social engineering attack on some of its employees, even as a new claim emerged about potential malicious insider involvement in the incident. Meanwhile, Reuters today reported that unnamed sources say the FBI is leading a federal inquiry into the incident.

On Wednesday evening, the Twitter accounts of Biden, former President Barack Obama, Microsoft founder Bill Gates, Tesla CEO Elon Musk, and several dozen other high-profile individuals and companies including Uber and Apple were taken over and used to tweet a bitcoin scam.

The tweets urged recipients to send bitcoin to an address contained in the message, promising that the amount would be returned doubled if they did so within 30 minutes or an hour. Gates' purported tweet, for example, promised $2,000 to anyone who sent $1,000 in bitcoin. Some security vendors estimated the scammers collected more than $100,000 before Twitter was able to shut down the caper.

The incident—happening as it did amid questions about social media platforms being used to spread fake news and disinformation—has stoked broad concern.

Security experts have expressed surprise that attackers were able to take over accounts belonging to arguably some of the most influential people on Twitter, and have said the incident raises several serious questions about the social media giant's access control mechanisms.

Many have questioned whether the company protects access to privileged admin accounts with multi-factor authentication, and why whatever mechanisms were in place failed to prevent someone from taking over accounts with hundreds of millions of followers between them.

"It's hard to fathom that Twitter employees wouldn't have their own access protected by 2FA, so this raises questions about how it would be possible for a social engineering attack to succeed," said Costin Raiu, director of Kaspersky's global research and analysis team in an emailed comment.

In a series of tweets last evening, Twitter described the incident as resulting from a social engineering attack targeted at some employees with "access to internal systems and tools."

"We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf," Twitter said. "We're looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it."

The company said that following the attack it had initiated a series of steps to protect its internal systems from further abuse while it investigated what might have happened. In a message, Twitter co-founder and CEO Jack Dorsey articulated his frustration at what some have described as the worst and most serious security failure at the company so far. "Tough day for us at Twitter. We all feel terrible this happened. We're diagnosing and will share everything we can when we have a more complete understanding of exactly what happened."

Andy Ellis, CSO at Akamai, says that in this particular case the Twitter compromise came through internal user permissions, but that similar account takeovers can also result via third-party systems and APIs. "I think there are many things to take away here," he says.

Account takeovers like this don't always involve someone taking direct control of a system, he says. Sometimes an attacker can gain access to third-party systems like Hootsuite, CoTweet, and Dynamic Signal, to which corporate brands and multi-person accounts delegate some Twitter permissions through Twitter's API; compromising such a delegate yields the posting rights of every account that trusts it. "Twitter — and other social media companies — support these for a number of reasons, but a primary use case is because that is often what some users want," Ellis says. "For instance, I use an app that allows me to schedule tweets in the future, so I can 'live tweet' my own talks," he says.

"In some senses, this attack bears a small similarity to the DNS registrar attacks that the Syrian Electronic Army was known for engaging in; where a compromise of an insider - direct or via social engineering - can cause significant harm by using privileges on the inside," Ellis says.

Companies need to guard against that both by reducing those privileges and by evaluating whether to introduce some delay or friction for account takeover actions of the kind that may have happened here.
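To make that recommendation concrete, the following is an added example (not Twitter's code, and not from any of the people quoted here) of what "delay or friction" for a takeover-class admin action can look like: a gate in front of a hypothetical internal account-administration tool that executes routine actions immediately but holds high-impact actions (changing the contact email, resetting 2FA, tweeting as the user) on high-profile accounts until a second, distinct employee approves and a cooling-off period elapses. The action names, the follower threshold, the delay, and the permission table are all assumptions chosen for the illustration; every decision is written to an audit log so that a single social-engineered or malicious operator cannot act alone or unseen.

```python
"""
Added illustration (hypothetical, not Twitter's code): a two-person,
cooling-off gate for high-impact actions in an internal admin tool.

Assumptions made for this example:
  * HIGH_IMPACT_ACTIONS is the set of admin actions that amount to takeover.
  * An account is "high-profile" if verified or >= HIGH_PROFILE_FOLLOWERS.
  * High-impact actions on high-profile accounts need a second approver
    who is not the requester AND a COOLING_OFF_SECONDS delay.
"""
from dataclasses import dataclass, field
import time

HIGH_IMPACT_ACTIONS = {"change_email", "reset_2fa", "tweet_as_user"}
HIGH_PROFILE_FOLLOWERS = 1_000_000
COOLING_OFF_SECONDS = 15 * 60


@dataclass
class Account:
    handle: str
    followers: int
    verified: bool = False


@dataclass
class PendingRequest:
    request_id: str
    actor: str
    action: str
    account: Account
    created_at: float
    approvers: set = field(default_factory=set)


class AdminActionGate:
    """Authorizes admin-tool actions. High-impact actions on high-profile
    accounts are parked until a second approver signs off and the
    cooling-off period has passed; everything is audit-logged."""

    def __init__(self, permissions, now=time.time):
        # permissions: employee id -> set of actions that employee may perform
        self.permissions = permissions
        self.now = now            # injectable clock so tests can fake time
        self.pending = {}
        self.audit_log = []

    def _log(self, **entry):
        entry["at"] = self.now()
        self.audit_log.append(entry)

    def _is_high_impact(self, action, account):
        return action in HIGH_IMPACT_ACTIONS and (
            account.verified or account.followers >= HIGH_PROFILE_FOLLOWERS)

    def request(self, actor, action, account, request_id):
        """Returns (status, reason). Routine actions execute immediately;
        high-impact ones on high-profile accounts become pending."""
        if action not in self.permissions.get(actor, set()):
            self._log(actor=actor, action=action, account=account.handle,
                      request_id=request_id, outcome="denied")
            return "denied", "actor lacks permission for this action"
        if not self._is_high_impact(action, account):
            self._log(actor=actor, action=action, account=account.handle,
                      request_id=request_id, outcome="executed")
            return "executed", "routine action performed"
        self.pending[request_id] = PendingRequest(
            request_id, actor, action, account, self.now())
        self._log(actor=actor, action=action, account=account.handle,
                  request_id=request_id, outcome="pending")
        return "pending", "needs a second approver and a cooling-off period"

    def approve(self, approver, request_id):
        """Second-person sign-off: the requester may not self-approve, and
        the approver must themselves be permitted to perform the action."""
        req = self.pending.get(request_id)
        if req is None:
            return "denied", "no such pending request"
        if approver == req.actor:
            return "denied", "requester cannot approve their own request"
        if req.action not in self.permissions.get(approver, set()):
            return "denied", "approver lacks permission for this action"
        req.approvers.add(approver)
        self._log(actor=approver, action="approve", account=req.account.handle,
                  request_id=request_id, outcome="approved")
        return "approved", f"approved by {approver}"

    def execute(self, request_id):
        """Runs a pending action only once approved and past the delay."""
        req = self.pending.get(request_id)
        if req is None:
            return "denied", "no such pending request"
        if not req.approvers:
            return "denied", "no second approver yet"
        if self.now() - req.created_at < COOLING_OFF_SECONDS:
            return "denied", "cooling-off period has not elapsed"
        del self.pending[request_id]
        self._log(actor=req.actor, action=req.action, account=req.account.handle,
                  request_id=request_id, outcome="executed",
                  approvers=sorted(req.approvers))
        return "executed", f"{req.action} on @{req.account.handle} performed"
```

The point of the delay is not that it stops a determined insider by itself, but that it turns an instantaneous, silent takeover into a logged, multi-party event that security operations can alert on before the action lands; a "pending" entry for a reset_2fa on a verified account is exactly the kind of audit record a detection rule should page on.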

Malicious Insider?

Meanwhile, on Thursday, Motherboard described the Twitter account takeovers as having been enabled by an insider with admin access to an internal control panel that allowed the accounts to be essentially hijacked. The outlet said it had spoken to two individuals who were allegedly involved in the incident. One was quoted as saying the insider had "literally done all the work for us." The second told Motherboard the insider was paid to provide the hackers access to the control panel. Motherboard said it had obtained screenshots of the tool, which allowed the hackers to change ownership of some accounts and enabled the tweeting of the bitcoin scam.

Twitter did not directly respond to a Dark Reading request for comment on Motherboard's report. A spokesman merely confirmed the investigation was still ongoing, and said the company was committed to sharing whatever it would find. But in comments to Motherboard, a Twitter spokesman said the company was indeed looking into whether an employee had provided the hackers with access to the tool or whether they had been social-engineered into doing it.

"The attack in question was most likely the result of an insider breach," says Kevin O'Brien, CEO of GreatHorn. "The range of accounts compromised included many that had MFA enabled, and the rapid access suggests that the credentials were rapidly changed or accessed via internal administrative tools."

O'Brien predicts that Twitter's investigation will show this was a multi-step attack that involved phishing or business email compromise to gain initial access, after which the attackers used that access to execute the bitcoin scam itself. "No system is perfect, but Twitter will hopefully examine and enhance its security, especially with respect to the initial attack vector," O'Brien says.

Multiple Questions

Morey Haber, CTO and CISO at BeyondTrust, pointed to several other issues raised by the incident. Among them were questions about how Twitter had protected the tool that provided access to the compromised accounts, and why such a tool even existed in the first place. The incident also raises questions about what other access the attackers had, how Twitter will safeguard the tool in future, and whether the threat actors retain the ability to use it for further attacks, Haber said in a statement.

The Twitter incident is also likely to do little to allay concerns about social media platforms being misused for potentially far more damaging purposes.

"Within the security community, there is significant discussion underway as to whether the bitcoin tweets themselves were a so-called 'false flag' attack," says O'Brien. That the attackers apparently did not use the stolen access beyond what was ultimately an amateurish cryptocurrency scam is suspicious, he says.

"Concerns include whether other high-level government or business profiles were compromised, and whether direct messages and sensitive information was stolen or exchanged while the far more public Bitcoin scam was simultaneously occurring," he says. "Evidence remains scarce, but more will likely come as the details are revealed."

At least one lawmaker has already expressed similar concerns. In a letter to Twitter's Dorsey on Wednesday, Sen. Josh Hawley (R-MO) asked whether the attack had threatened the security of President Trump's Twitter account and those of others whose accounts were not used in the bitcoin scam.

"Did this event represent a breach of users' own account security or of Twitter's systems?" Hawley asked. "Did this breach compromise the account security of users whose accounts were not used to share fraudulent posts? If so, how many accounts were affected? Were all accounts' security compromised by this breach?"

Hawley urged Dorsey to get in touch immediately with the FBI and the US DOJ and get their help in securing Twitter against similar attacks.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.