Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/23/2020
04:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Twitter Breach a Reminder of Need to Protect Corporate Social Media Use

Intruders had access to direct messages associated with 36 accounts in last week's attack, social media giant discloses.

Twitter on Wednesday disclosed that the attackers who took over accounts belonging to several high-profile individuals last week managed to access the direct message inbox of at least 36 individuals.

The update further highlights the severity of the breach at Twitter and shows why organizations need to have measures protecting against — and mitigating fallout from — compromises of corporate social media accounts and accounts belonging to their top executives.

"The public figures of a company need a continuous, higher-level awareness of their technology footprint and what it means so issues can be identified more rapidly," says Brandon Hoffman, CISO at security firm Netenrich.

Twitter is investigating a July 15 incident in which attackers somehow managed to gain access to a critical admin panel that allowed them to take over Twitter accounts belonging to 130 individuals, including Joe Biden, Bill Gates, Elon Musk, and former President Barack Obama. The attackers used their access to these accounts to tweet a scam asking individuals to send Bitcoin to a link embedded in the message and get double the amount in return.

Twitter's investigation so far has shown that the attackers sent the Bitcoin tweets from 45 accounts and managed to download detailed Twitter profile information, including tweet history, phone numbers, and other data, from eight of the compromised accounts. 

This week's update now shows the attackers also managed to gain access to the direct message history of 36 of the 130 individuals whose accounts were taken over. Twitter direct messages (DMs), as with other channels, are private. Only the intended recipients are supposed to be able to view a DM.

Twitter has said the attack resulted from a social engineering scheme that targeted several internal employees with access to key internal systems. But questions remain over how the attackers were able to take over so many high-profile accounts so quickly, how they managed to bypass Twitter's multifactor authentication (MFA) protocols, and why even legitimate users had so much control over accounts belonging to top business and political figures.

Security researchers have said the attackers could have done considerably more damage with their access than just sending out obviously fake Bitcoin scam tweets. They have noted how the incident — particularly since it involved high-profile business and political leaders — raises concerns over what would have happened if the attackers had sent out false tweets proclaiming a major business or political development or even a military conflict.

Timely Reminder
The attack is another reminder for organizations to protect access to social media accounts belonging to business leaders and the brand, security experts say. With this particular incident itself, there is little any of the impacted Twitter account holders could have done to prevent the takeover because the breach happened at Twitter. But organizations need to be aware of how a corporate or business leader's social media account could be taken over to damage the brand.

"There are many reasons hackers would want to compromise high-profile social media accounts," says Melody Kaufmann, cybersecurity specialist at Saviynt.

Social media apps like Facebook and Twitter have become powerful platforms for influencing popular opinion and, if compromised, can be used to disseminate false information. Last week's Twitter incident, for instance, involved influential people.

"Malicious and calculated messaging sent on behalf of these individuals, even if proven to be due to hijacking later, could result in everything from impacts on the market to potentially starting global conflicts," Kaufmann says.

Otavio Freire, CTO and co-founder of SafeGuard Cyber, says organizations need to protect social media use because of how critical it has become for the business.

"Direct messages and channel conversations are vital business communications, containing proprietary data and IP," he says. "Organizations must protect these platforms, as they would email, against data leakage and account compromise that will allow bad actors to impersonate executives."

Key Security Controls
The first step toward mitigating data loss or an insider threat on social media is to gain visibility at the app layer, Freire says.

"Specifically, when considering a collaboration app like Slack, whether using the app or accessing the workspace via the browser, you need visibility into messages," he says. "From there, machine learning is a must to process that amount of data in real time." 

Kaufmann advocates that organizations implement MFA to limit the ability of a third party to take over accounts belonging to the brand or key business leaders. In this case, using a mobile application for MFA is more secure than email because a mobile device is more likely to remain with the account holder, she says.

Organizations should also consider limiting the number of individuals who have the ability to make a comment on the social media account to simplify the management of identity, Kaufmann says.

"The final step is to have individuals monitor their high-profile accounts — or have an individual assigned to do so for them — to ensure that content that is put out falls in line with branding," she says.

Such monitoring allows for faster response in contacting the social media outlet before too much damage occurs in the event of a hijacking, Kaufmann adds.

Netenrich's Hoffman says that while technology like two-factor authentication and identity and access management can help restrict access and control how much can be done by any one individual, awareness is also key. In addition to key account holders being aware of their digital presence, organizations should also implement controls for collecting and analyzing telemetry and intelligence from as many quality sources as possible.

Being aware of an issue sooner enables faster response, like resetting or regaining control of a compromised account, deleting posts, or countermanding adversary actions in other ways Hoffman says.

"From an internal perspective, organizations need to train employees on how to spot suspicious activity, especially on mobile devices where it's often more difficult to identify an attack," adds Hank Schless, senior manager of security solutions at Lookout.

Twitter has described last week's incident as stemming from a social engineering attack against its employees.

"Not only do [organizations] need to train employees on how to spot this common tactic, but they also need to implement security tools that cover every potential attack vector," Schless says.

Related Content:

 

 

Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20934
PUBLISHED: 2020-11-28
An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c.
CVE-2020-29368
PUBLISHED: 2020-11-28
An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1.
CVE-2020-29369
PUBLISHED: 2020-11-28
An issue was discovered in mm/mmap.c in the Linux kernel before 5.7.11. There is a race condition between certain expand functions (expand_downwards and expand_upwards) and page-table free operations from an munmap call, aka CID-246c320a8cfe.
CVE-2020-29370
PUBLISHED: 2020-11-28
An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11. The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71.
CVE-2020-29371
PUBLISHED: 2020-11-28
An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4. Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd.