On Wednesday, July 15, the Twitterverse was ablaze with what Twitter itself has described as a “coordinated social engineering attack” that was launched at around 4pm ET. The breach compromised the Twitter accounts of many well-known people and organizations, including Jeff Bezos, Elon Musk, Bill Gates, former President Barack Obama, Joe Biden, Uber and many others. The attackers posted on these accounts that they would return double the amount of money sent to several Bitcoin addresses, duping some of their followers.

Insider Threats Are Lurking

Twitter stated that it was a social engineering attack, but let’s put that term into some perspective. There are four (4) types of insider threats that all organizations, such as Twitter, generally face.

First, there’s the malicious insider who takes advantage of their access to systems to plan an attack and inflict harm on their organization. The second type of insider threat is the complicit insider who also uses their access to cause damage and engage in the malicious activity, but may not be actively involved in the planning. It’s like a security guard at a bank who disables the alarm or opens the safe for the bad guys to grab the cash.

Next, we have the deceived insider who was duped into providing access to attackers, whether it was through a social engineering attack, malware or some other technique. Malicious hackers often perform Open-Source Intelligence (OSINT) gathering, where they choose their targets very carefully and spend time scouring social networks and other information sources to compromise them.

Lastly, we have insider threats that don’t fit nicely in the above categories, but are still due to using an employee’s or contractor’s access to cause harm. For example, a malicious attacker may plug into a live port in an organization’s network to wreak havoc.

With Great Power…

Although Twitter has stated that it was a coordinated social engineering attack, there are still a number of ongoing investigations to determine who the attackers are and how the breach was conducted. However, the bigger question to ask, and one that all organizations need to ask themselves, is why does this level of access and permissions to user accounts exist in the first place? Why do Twitter employees need the access and ability to post to user accounts, especially verified accounts such as Kanye West’s? If this level of access did not exist, then this type of attack may not have been possible.

In addition, the malicious hackers seem to have been able to change the email address of any Twitter account through Twitter’s administrator tools, without any notifications sent to the users. You can understand why Twitter administrators would need the power and functionality to change email addresses for accounts, but should there have been user behavior security alerts when X email addresses are changed within Y amount of time? To go further, it may make sense to set a hard limit of just a few account changes per administrator per day for stricter security controls.
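The alert and hard limit described above can be sketched as a sliding-window check over an administrator audit log. This is an added example, not Twitter's tooling or code from the original article; the record layout, the threshold values chosen for X and Y, the daily cap and all identifiers are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds: the article leaves X and Y open.
BURST_LIMIT = 3                  # X: more than this many changes in WINDOW raises an alert
WINDOW = timedelta(minutes=10)   # Y: sliding window length
DAILY_CAP = 5                    # hard limit of email changes per administrator per day

# Constructed audit records: (ISO timestamp, admin id, action, target account).
SAMPLE_LOG = [
    ("2024-01-10T09:15:00", "adm-02", "email_change", "acct-x"),
    ("2024-01-10T14:40:00", "adm-02", "email_change", "acct-y"),
    ("2024-01-10T16:00:05", "adm-17", "email_change", "acct-a"),
    ("2024-01-10T16:00:30", "adm-17", "password_reset", "acct-a"),
    ("2024-01-10T16:01:10", "adm-17", "email_change", "acct-b"),
    ("2024-01-10T16:02:00", "adm-17", "email_change", "acct-c"),
    ("2024-01-10T16:02:45", "adm-17", "email_change", "acct-d"),
    ("2024-01-10T16:03:30", "adm-17", "email_change", "acct-e"),
    ("2024-01-10T16:04:00", "adm-17", "email_change", "acct-f"),
    ("2024-01-10T16:05:00", "adm-17", "email_change", "acct-g"),
]

def review(events):
    """Return (alerts, denied) for email_change events, evaluated per administrator."""
    recent = defaultdict(deque)    # admin -> timestamps still inside WINDOW
    per_day = defaultdict(int)     # (admin, date) -> changes allowed so far
    alerts, denied = [], []
    for ts_text, admin, action, target in sorted(events):
        if action != "email_change":
            continue
        ts = datetime.fromisoformat(ts_text)
        if per_day[(admin, ts.date())] >= DAILY_CAP:
            denied.append((ts_text, admin, target))   # hard limit: refuse the change
            continue
        per_day[(admin, ts.date())] += 1
        window = recent[admin]
        window.append(ts)
        while ts - window[0] > WINDOW:                # drop changes older than Y
            window.popleft()
        if len(window) > BURST_LIMIT:                 # more than X changes within Y
            alerts.append((ts_text, admin, len(window)))
    return alerts, denied

if __name__ == "__main__":
    alerts, denied = review(SAMPLE_LOG)
    print("alerts:", alerts)
    print("denied:", denied)
```

On the constructed log, the administrator who spreads two changes across the day stays silent, while the burst from a single administrator raises an alert at the fourth change and is refused outright once the daily cap is reached.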

Dangers of Remote Working – More than Your Cat Jumping on Your Keyboard

An even more poignant question is whether the expansion of remote working by organizations due to the COVID-19 pandemic can play a role in the relaxation of security controls. With many administrators, employees and contractors working from home and away from the office, organizations have had to pivot to accommodate remote access which may result in new vulnerabilities. Chief information security officers (CISOs) and their cybersecurity teams will need to re-evaluate the controls they may have relaxed to enable the virtual office.

Dodged the Proverbial Bullet

If a week ago, someone came to you with a movie script that read like the events that have unfolded with this Twitter attack, you would have immediately questioned whether it was realistic. Given the brazenness of high-profile account takeovers, the many obstacles to pull off such an attack and the realm of possibility of the damage and destruction that could’ve occurred, we can be thankful that the outcome was not much worse.

According to public records of the cryptocurrency transactions, the attackers were able to gain about $118,000 USD, which is – in most experts’ minds – a minor haul for such a major breach. You can imagine the impact that could’ve been made to markets, public safety and more. The payload was amateurish, but the compromise itself is a wake-up call for all organizations.

(Relatively) Low Cost Learning Experience

There’s much we can learn from this attack to help prevent similar breaches from insider threats in any organization.

  • Conduct Adversary Simulation and Control Tuning as soon as possible. Even if you have done them recently, circumstances in the new world normal have changed, so it’s time to evaluate the impact of these changes. The day after this Twitter attack, a CISO at a large, multinational enterprise jokingly said he was excited that Bill Gates helped fund his budget need for this simulation and tuning. (As mentioned earlier, Bill Gates’s Twitter account was one of the many compromised.)
  • Model the expected behaviors of employees and contractors, and set user behavior alerts for abnormal activity.
  • Review your employees’ and contractors’ level of access and thoroughly question what levels of permissions are really needed for their work.
  • Re-evaluate any relaxation of security controls to enable remote working due to the COVID-19 pandemic.
  • Have your employees and contractors enable two-factor authentication and regularly change their passwords using long and complex formats.
  • Ensure users know how to properly report suspicious activity to your security team.
  • Conduct continual cybersecurity awareness training and testing to track behaviors to training.
  • Use only work-approved and encrypted platforms to communicate confidential information. Do not use social media chats for sensitive conversations.