A 17-year-old was apparently the ringleader of a trio of young hackers behind the July hijacking of dozens of high-profile Twitter accounts. Not even old enough to rent a car, the hackers perpetrated a Bitcoin scam that caused the cyber world to take a good look at how a motley band of mere youths could bypass the robust cybersecurity protocols of one of the world’s largest tech companies. Inspired by the hack, copycats are now using the same tactics to target dozens of other companies.
There must be something fundamentally wrong with account security given such an attack on a global tech giant with top-notch security practices by penetrating what should have been the highest level of permissions to critical internal systems through psychological manipulation tactics known as social engineering.
The fundamental flaw is our reliance on passwords, which in turn rely on human beings to remember and manage in order to guard against threats.
The anatomy of the Twitter scam: A classic case of privileged account takeover
As a global tech leader, Twitter employs the kinds of robust security practices one would expect including: Privileged Access Management (PAM) protocols, multi-factor authentication (MFA), zero tolerance for misuse of credentials or tools, active monitoring for misuse, and regular permission audits
Still, in mid-July, a series of high-profile Twitter accounts tweeted out requests for Bitcoin donations. Apple, Uber, former President Barack Obama, Presidential nominee Joe Biden, Bill Gates, Kim Kardashian-West, and Elon Musk— were just a few of the compromised accounts
While the final assault (the Bitcoin scam) caused a media frenzy, it’s actually the initial catalyst of the fraud that should be of highest concern for other companies. Through the seemingly incredulous means of a phone call, the fraudsters tricked a small group of Twitter employees to hand over their credentials to access Twitter’s internal systems.
The highly-targeted spear-phishing attack ultimately enabled the attacks access to masquerade as legitimate access-holder and bypass two-factor authentication protections to ultimately take over the VIP user accounts.
To succeed, hackers needed to obtain access to both Twitter’s internal networks and specific employee credentials to gain access to internal support tools.
Once the cyber-criminals figured out which employees had privileged access, they targeted those specific employees to access account support tools. Hijacking these tools, the attackers then targeted 130 high-profile Twitter accounts.
The attackers were able to initiate a password reset for 45 of those accounts, enabling them to log in to the accounts, and tweet away on the handle of the rich and famous, urging the public to send their bitcoin to fraudulent websites. In total, the scammers managed to receive the cash equivalent of $121,000 in bitcoin payments.
Current tools cannot counteract the insider threat
In the wake of the Twitter scam, strong suspicions emerged that a malicious insider had been involved. Not just a concern for high-profile organizations, all companies face malicious insiders - a particularly challenging threat to protect against. After all, an organization can't function without a certain amount of trust when it comes to their own employees.
In recent years, multiple incidents involving malicious insiders have been reported. Some were personally motivated. For example, Facebook employees used their privilege to access user data to stalk women and Snapchat workers had abused a tool called SnapLion that provided information on users. Some are financially driven as in the case of the 2019 Capital One insider attack that compromised personal data of 100 million customers.
Finally, some are politically motivated, demonstrated in the recent rise of state actors and spy operations targeting tech giants in Silicon Valley and Twitter employees found last year spying on users on behalf of the Saudi regime.
While Privileged Access Management has changed the way enterprises protect access to critical applications and therefore organization-wide security, they are not foolproof. Even with a strong combination of security tools like Data Loss Prevention (DLP), real-time access monitoring, and zero-trust methodologies, the very existence of privileged accounts is a huge liability. The consequences of privileged identity exposure are potentially catastrophic, as the Twitter hack demonstrated.
Defending accounts in the cloud era
Corporate account takeover can have huge ramifications in today's interconnected world amid the growing prevalence of enterprise cloud services. The Twitter hack is a prime example of the multiple levels of damage that account takeover attacks can have.
Shortly after Twitter's incident response team became aware of the ongoing situation, pre-emptive measures were taken to restrict functionality for many verified accounts on Twitter. The quick response may have seemed dramatic, but it granted Twitter reasonable success in minimizing the damage. However, most companies have nowhere near the resources of the social media giant when it comes to damage control, technically or in terms of public relations.
A similar, or even much simpler attack on a smaller firm can have devastating consequences, even if their whole operation is cloud-based. In fact, some 70% of organizations using public cloud services reportedly experienced a security incident in the past year while the average time to identify and contain a breach is 280 days.
In our increasingly cloud-based economy, many organizations tend to blindly trust the default security level their cloud providers offer, unfortunately without a good enough reason.
As long as humans are involved, breaches are inevitable
While Twitter continually updates and improves its tools, controls, and processes, the July attack succeeded anyways, because it targeted the weakest element in any security regime: humans.
The attack relied on exploiting human vulnerabilities to gain access to Twitter's internal systems. The attackers succeeded at manipulating a small number of employees and hijacked their credentials to access Twitter's internal systems, including bypassing two-factor protections to initiate a password reset.
Twitter has pledged to address the threat of phishing with multiple company-wide exercises, however that is a band-aid approach that does not eliminate the reliance on human beings to defend against what could otherwise be preventable cyber threats. Phishing campaigns succeed for one simple reason: they target one fundamental vulnerability – the password.
The very existence of passwords means that there will always be a target for phishers, but removing passwords from the picture and replacing them with passwordless authentication mechanisms means eliminating the threat of phishing at its root.
There is no reason to continue to use fundamentally vulnerable passwords for personal use, for corporate accounts and especially for sensitive, privileged accounts.
Join our webinar looking back at the Twitter hack, with speakers Andrew Hay and Lior Kohavi from Cyren, on October 15th at 3pm BST/10am EDT. Register here.