On Wednesday, July 15, the Twitterverse was ablaze with what Twitter itself has described as a “coordinated social engineering attack” that was launched at around 4pm ET. The breach compromised the Twitter accounts of many well-known people and organizations, including Jeff Bezos, Elon Musk, Bill Gates, former President Barack Obama, Joe Biden, Uber and many others. The attackers posted on these accounts that they would return double the amount of money sent to several Bitcoin addresses, duping some of the accounts’ followers.

Insider Threats Are Lurking

Twitter stated that it was a social engineering attack, but let’s put that term into some perspective. There are four (4) types of insider threats that all organizations, such as Twitter, generally face.

First, there’s the malicious insider who takes advantage of their access to systems to plan an attack and inflict harm on their organization. The second type of insider threat is the complicit insider who also uses their access to cause damage and engage in the malicious activity, but may not be actively involved in the planning. It’s like a security guard at a bank who disables the alarm or opens the safe for the bad guys to grab the cash.

Next, we have the deceived insider who was duped into providing access to attackers, whether it was through a social engineering attack, malware or some other technique. Malicious hackers often perform Open-Source Intelligence (OSINT) gathering, where they choose their targets very carefully and spend time scouring social networks and other information sources to compromise them.

Lastly, we have insider threats that don’t fit nicely in the above categories, but are still due to using an employee’s or contractor’s access to cause harm. For example, a malicious attacker may plug into a live port in an organization’s network to wreak havoc.

With Great Power…

Although Twitter has stated that it was a coordinated social engineering attack, there are still a number of ongoing investigations to determine who the attackers are and how the breach was conducted. However, the bigger question to ask, and one that all organizations need to ask themselves, is why this level of access and permissions to user accounts exists in the first place. Why do Twitter employees need the access and ability to post to user accounts, especially verified accounts such as Kanye West’s? If this level of access did not exist, then this type of attack may not have been possible.

In addition, the malicious hackers seem to have been able to change the email address of any Twitter account through Twitter’s administrator tools, without any notifications sent to the users. You can understand why Twitter administrators would need the power and functionality to change email addresses for accounts, but should there have been user behavior security alerts when X number of email addresses are changed within Y amount of time? To go further, it may make sense to set a hard limit of just a few account changes per administrator per day for stricter security controls.
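The two controls suggested above (an alert when X email changes occur within Y time, and a hard daily limit per administrator) can be sketched as follows. This is an added example, not code from Twitter or from the original article; the audit-log format, the administrator and account names, and the thresholds are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed admin-tool audit log (assumed format): timestamp admin action target
SAMPLE_LOG = """\
2024-01-10T09:12:00 admin_b email_change acct_2001
2024-01-10T11:30:00 admin_b password_reset acct_2001
2024-01-10T14:40:00 admin_b email_change acct_2002
2024-01-10T15:58:00 admin_a email_change acct_1001
2024-01-10T15:59:00 admin_a email_change acct_1002
2024-01-10T16:00:00 admin_a email_change acct_1003
2024-01-10T16:01:00 admin_a email_change acct_1004
2024-01-10T16:02:00 admin_a email_change acct_1005
2024-01-10T16:03:00 admin_a email_change acct_1006
2024-01-10T16:04:00 admin_a email_change acct_1007
"""

def parse(line):
    ts, admin, action, target = line.split()
    return datetime.fromisoformat(ts), admin, action, target

def evaluate(lines, x=3, y=timedelta(minutes=10), daily_cap=5):
    """Return (alerts, blocked) for email-change events.

    alerts:  (admin, timestamp) when an admin's attempts within window y reach x.
    blocked: (admin, timestamp, target) for attempts beyond daily_cap per admin per day.
    """
    window = defaultdict(deque)   # admin -> timestamps of recent attempts
    per_day = defaultdict(int)    # (admin, date) -> changes allowed so far
    alerts, blocked = [], []
    for ts, admin, action, target in sorted(parse(l) for l in lines if l.strip()):
        if action != "email_change":
            continue
        # Behavior alert: count every attempt, including ones the cap refuses.
        q = window[admin]
        q.append(ts)
        while ts - q[0] > y:
            q.popleft()
        if len(q) == x:           # fire when the count reaches x, not on every later event
            alerts.append((admin, ts))
        # Hard limit: refuse the change once the admin's daily budget is spent.
        if per_day[(admin, ts.date())] >= daily_cap:
            blocked.append((admin, ts, target))
        else:
            per_day[(admin, ts.date())] += 1
    return alerts, blocked

if __name__ == "__main__":
    alerts, blocked = evaluate(SAMPLE_LOG.splitlines())
    for admin, ts in alerts:
        print(f"ALERT {admin}: burst of email changes at {ts.isoformat()}")
    for admin, ts, target in blocked:
        print(f"BLOCKED {admin} -> {target} at {ts.isoformat()} (daily cap reached)")
```

On the constructed log, admin_b's two changes hours apart stay below both thresholds, while admin_a's burst raises one alert at the third change and has its sixth and seventh changes refused.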

Dangers of Remote Working – More than Your Cat Jumping on Your Keyboard

An even more poignant question is whether the expansion of remote working by organizations due to the COVID-19 pandemic can play a role in the relaxation of security controls. With many administrators, employees and contractors working from home and away from the office, organizations have had to pivot to accommodate remote access which may result in new vulnerabilities. Chief information security officers (CISOs) and their cybersecurity teams will need to re-evaluate the controls they may have relaxed to enable the virtual office.

Dodged the Proverbial Bullet

If, a week ago, someone had come to you with a movie script that read like the events that have unfolded with this Twitter attack, you would have immediately questioned whether it was realistic. Given the brazenness of high-profile account takeovers, the many obstacles to pull off such an attack and the realm of possibility of the damage and destruction that could’ve occurred, we can be thankful that the outcome was not much worse.

According to public records of the cryptocurrency transactions, the attackers were able to gain about $118,000 USD, which is – in most experts’ minds – a minor haul for such a major breach. You can imagine the impact that could’ve been made to markets, public safety and more. The payload was amateurish, but the compromise itself is a wake-up call for all organizations.

(Relatively) Low Cost Learning Experience

There’s much we can learn from this attack to help prevent similar breaches from insider threats in any organization.

  • Conduct Adversary Simulation and Control Tuning as soon as possible. Even if you have done them recently, circumstances in the new normal have changed, so it’s time to evaluate the impact of these changes. The day after this Twitter attack, a CISO at a large, multinational enterprise jokingly said he was excited that Bill Gates helped fund his budget need for this simulation and tuning. (As mentioned earlier, Bill Gates’s Twitter account was one of the many compromised.)
  • Model the expected behaviors of employees and contractors, and set user behavior alerts for abnormal activity.
  • Review your employees’ and contractors’ level of access and thoroughly question what levels of permissions are really needed for their work.
  • Re-evaluate any relaxation of security controls to enable remote working due to the COVID-19 pandemic.
  • Have your employees and contractors enable two-factor authentication and regularly change their passwords using long and complex formats.
  • Ensure users know how to properly report suspicious activity to your security team.
  • Conduct continual cybersecurity awareness training and testing to track how behaviors align with the training.
  • Use only work-approved and encrypted platforms to communicate confidential information. Do not use social media chats for sensitive conversations.