On July 15, we saw the same Tweet posted on several high-profile accounts, including those of Barack Obama, Joe Biden, Bill Gates and Elon Musk. The tweet “I am giving back to the community. All Bitcoin sent to the address below will be sent back doubled! If you send $1000, I will send back $2000. Only doing this for 30 minutes,” had a reach of more than 350 million users and resulted in the collection of £86,800 in stolen ‘donations’ within hours.
It turned out to be a scam. Twitter reported that it had fallen victim to a “coordinated social engineering attack” that compromised the credentials of a group of employees. Those credentials were then used to gain unauthorized access to an administrative tool and take over end-user accounts. However, it was widely speculated that an insider was responsible for the attack. According to Motherboard, two of the attackers claimed they had bribed a Twitter employee for access to the control panel.
Whether it was social engineering or an attack from the inside, the Twitter hack highlights the potential damage unauthorized access can do.
The Dangers of Unsecured Privileged Access
In Twitter’s case, it gave employees privileged access to an administrative tool so they could respond to customer service queries and moderate content. It is believed that hundreds of Twitter employees have access to it, which raised some security questions – why did so many employees have access to verified accounts? Who had back-end access to the administrative tool? How could anyone easily alter trusted accounts without any approval?
Widely granting such privileged access created multiple points of vulnerability for Twitter. Separating responsibilities and duties helps move beyond a single point of failure, since it requires more than one person to perform a sensitive action. Another way to handle privileged access is delegation: custom delegation groups should set privileges at the lowest level required for the employee’s responsibilities. For example, common helpdesk tasks such as unlocking accounts and resetting passwords do not require full administrative control over an Organizational Unit.
Beware of Insider Threats
Employees, contractors, service providers and other insiders are in an opportune position to compromise data. According to this Insider Threat report, insider threats account for 60% of cyber-attacks. Privileged users, such as managers with access to sensitive information, pose the biggest insider threat to organizations. Whether the Twitter hack was caused by a malicious insider or a group of unsuspecting employees, it is apparent that an insider was involved.
Regardless of intent, here are some effective measures for stopping insider threats:
- Know where your sensitive data is and who has access to it. By identifying your most important assets, you can predict where problems are most likely to occur and which employees are most likely to be targeted.
- Implement security controls. Administrator privileges should only be granted to users performing tasks that span Active Directory domains or activities that require elevated permissions. Stale admin accounts should be deleted, as they can be used to access resources without being noticed.
- Establish a baseline of normal employee behavior and set up alerts for when behavior deviates from this norm. Abnormal behaviors include unauthorized downloading or copying of sensitive data, accessing data unrelated to the employee’s job, and logging into your network at odd hours.
Do You Know How Many Admin Accounts You Have?
The details of how the Twitter hack happened are still coming out, but it highlights how dangerous it is for outside actors to get their hands on admin accounts. What could they do with access to an admin account in your organization? Do you know how many admin accounts you have?
You can use this free Active Directory auditing tool, Specops Password Auditor, to identify security weaknesses related to user accounts. With a quick scan, you can identify:
- Admin accounts: Use this report to identify whether admin privileges are used appropriately (granted to users performing tasks that span across Active Directory domains, or activities that require elevated permissions)
- Stale admin accounts: Use this report to audit dormant accounts
Other available insights include accounts using known-breached passwords, accounts with expired or soon-to-be expired passwords and more.
You can export those findings to a free PDF report, which includes an overall vulnerability score, the risk level for each vulnerability and advice on how to fix each issue.
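The two controls above, counting who holds administrator privileges and finding stale admin accounts, can also be checked directly against Active Directory. The script below is an added example, not Specops code; it assumes the RSAT ActiveDirectory module is installed, that the caller can read group membership, and a 90-day staleness threshold that you should adjust to your own policy.

```powershell
# Added example (not Specops code): list accounts that hold membership in
# high-privilege AD groups and flag the ones that look stale.
# Assumptions: RSAT ActiveDirectory module present; read access to AD;
# "stale" means no recorded logon in the last $StaleDays days.
Import-Module ActiveDirectory

# Built-in privileged groups; add any custom delegation/admin groups you use.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$StaleDays = 90                              # assumed threshold, tune to policy
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

$Results = foreach ($Group in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirectly privileged users are not missed.
    $Members = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }
    foreach ($Member in $Members) {
        $User = Get-ADUser -Identity $Member.distinguishedName `
            -Properties LastLogonDate, PasswordLastSet, Enabled, whenCreated
        # LastLogonDate comes from lastLogonTimestamp, which replicates with roughly
        # 14-day granularity: fine for stale detection, not for precise forensics.
        $LastLogon = $User.LastLogonDate
        $IsStale   = ($null -eq $LastLogon -and $User.whenCreated -lt $Cutoff) -or
                     ($null -ne $LastLogon -and $LastLogon -lt $Cutoff)
        [PSCustomObject]@{
            Group           = $Group
            SamAccountName  = $User.SamAccountName
            Enabled         = $User.Enabled
            LastLogonDate   = $LastLogon
            PasswordLastSet = $User.PasswordLastSet
            Stale           = $IsStale
        }
    }
}

# How many distinct admin accounts exist, and which stale ones are still enabled.
$Unique = $Results | Sort-Object SamAccountName -Unique
"Privileged accounts (unique): $($Unique.Count)"
"Stale but still enabled (review for removal):"
$Results | Where-Object { $_.Stale -and $_.Enabled } |
    Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Keep the full listing for review and ticketing.
$Results | Export-Csv -Path '.\privileged-accounts.csv' -NoTypeInformation
```

Run it on a schedule and compare consecutive CSV exports: a new name appearing in a privileged group without a matching change ticket is exactly the kind of deviation from baseline the alerting measure above is meant to catch.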
Click here to start your Active Directory audit.