Skip to content

Posts tagged ‘twitter hack’

Dissecting The Twitter Hack With A Cybersecurity Evangelist

Dissecting The Twitter Hack With A Cybersecurity Evangelist

Bottom Line: Shattering the false sense of security in tech, the recent Twitter hack blended altruism, fame, greed, social engineering via SIM swapping and insider threats to steal $120,000 from victims when the economic and political damage could have been far worse.

Targeting the most influential celebrities on Twitter, hackers orchestrated a social engineering-based attack Wednesday promoting a cryptocurrency scam. Business leaders, celebrities, politicians and billionaires’ accounts were hacked using Twitter’s administrative tools. Personal Twitter accounts hacked include those of Amazon CEO Jeff Bezos, Joe Biden, Tesla CEO Elon Musk, President Barack Obama, Bill Gates, Warren Buffet and others. Apple and Uber’s Twitter accounts were also hacked.

Using SIM swapping, in which threat actors trick, coerce or bribe employees of their victims to gain access to privileged account credentials and administrative tools, hackers were able first to change the email address of each targeted account. Next, two-factor authentication was turned off so when an alert was sent of the account change it went to the hacker’s email address. With the targeted accounts under their control, hackers began promoting their cryptocurrency scam. While not all details of the attack have surfaced Motherboard’s story of how hackers convinced a Twitter employee to help them the hijack accounts makes for fascinating reading.

Dissecting The Hack

Interested in dissecting the hack from a cybersecurity standpoint, I contacted Dr. Torsten George, Cybersecurity Evangelist and industry expert from Centrify. Torsten is also a leading authority on privileged access management and how to thwart breaches involving privileged access credentials.

Louis:  What was your initial impression upon breaking news of the hack and what did you believe would cause such a massive hack of celebrity and leading political figures accounts this past week?

Torsten: When the news broke, the media probably polled other security experts and the first initial reaction was, ‘Oh, that’s a massive attack, most likely a credential-based attack,’ because 80% of today’s data breaches go back to privilege access abuse. They are typically first triggered by phishing attacks, the precursor to many attacks where the attackers tried to capture these credentials and then leverage them to attack their victim’s organizations.

So, the breaking news indicated that most likely, somebody was able to leverage a compromised credential to enter into the Twitter environment and take over accounts. However, more and more information became available, with screenshots being shared of internal Twitter tools. For me, that raised a red flag, because in a typical attack pattern we’re seeing three distinct phases in the cyber-attack lifecycle: the compromise, the exploration phase and the exfiltration of sensitive data, which includes covering up tracks and potentially creating a backdoor for future attacks.

When performing reconnaissance, hackers commonly try to identify regular IT schedules, security measures, network traffic flows and scan the entire IT environment to gain an accurate picture of the network resources, privileged accounts and services. Domain controllers, Active Directory and servers are prime reconnaissance targets to hunt for additional privileged credentials and privileged access.

They wouldn’t necessarily look for administrative tools that could be leveraged for their attack unless they have intimate knowledge that those tools exist in the victim’s environment — be it by having worked for the company in the past or representing an insider threat.

Louis: What’s the anatomy of an insider attack, based on your experience?

Torsten: As was later confirmed by Twitter, it became very apparent that this is a case of insider threats, where you have an insider that has been leveraged for this attack. The most common insider threats can be defined by the intent and motivation of the individuals involved. The 2019 Verizon Insider Threat Report defines five distinct insider threats based on data breach scenarios and they all have excellent, accurate names: the Careless Worker, the Inside (often recruited) Agent, the Disgruntled Employee, the Malicious Insider and the Feckless Third-Party.

Considering the global environment we’re facing right now, with Covid-19 and other related economic hardships, the risk of insider threats is exacerbated, as pending furloughs or pay cuts may tempt employees to exfiltrate data to secure a new job or make up for income losses.

So a privileged administrator might be more open to people that approach them and say, ‘Would you be willing to share with us your access credentials, or would you do something on our behalf to exfiltrate data or to manipulate data?’ That risk has increased dramatically across all industries.

So it turned out the first suspicion was phishing attacks, followed by compromised credentials. It turns out to be an insider threat. Organizations need to be prepared for that.

Louis: What can companies do to reduce the likelihood a malicious insider will hack them?

Torsten: It becomes a little bit trickier when you deal with a malicious insider because they most likely know your environment, they might know your defense mechanisms and they might know the security tools that your likely using. So they can bypass these security controls and try to gain the control of data that they can then profit from.

Organizations have to rethink the way that they’ve structured their defense controls and truly take an approach of an in-depth strategy with a different layer of defenses. The first layer that comes to mind in this particular case is multi-factor authentication (MFA) which is still low-hanging fruit. There are still many organizations out there that are not taking advantage of implementing MFA.

While MFA is highly recommended, it isn’t as effective against insider threats because they have that second factor of authentication and can pass those challenges. Organizations need to go beyond MFA if they want to have a layered security strategy.

Louis: What are some of the ways they can go beyond MFA to avoid being the victim of an insider threat?

Torsten: A very important component of your defense strategy should be the approach of zero standing privileges, which is something Gartner recommends to its clients. That means that I have normal privileges and entitlements to do my job, like answering emails and using the Internet, but that’s probably all I need. If I need more access, I’ll have to elevate my privilege for the time needed to do that particular task but then rescind that privilege once it’s done.

If I have zero standing privileges – even if somebody compromises my credential, even if I’m an insider – I don’t have immediate access to the keys to the kingdoms to do whatever I want.

And before privilege elevation, organizations should require context through a formal request. For example, require the user to submit a ticket through ServiceNow or any other IT Service Management platform to detail what they need to access, for how long and to do what. That way, there is an auditing trail and an approval process. If the threat actor – whether insider or not – doesn’t do this they don’t get privileged access to that target system.

Louis: Besides those perhaps expected controls, what other controls might have helped in this particular scenario?

Torsten: Organizations should also take advantage of modern tools to leverage machine learning technology, so that looks at user behavior and risk factors to also get a hold of these insider attacks. All the other security controls are more tailored towards external preparation at first. Still, once you implement machine learning technology and user behavior analytics that’s where you also can capture insider threats.

Machine learning can look for suspicious activity, such as a target being accessed outside of a typical maintenance window, or is the administrator logging in from a different location or device than usual. It can then trigger an MFA request and also issue a real-time alert, regardless of whether the MFA challenge is successfully resolved.

Furthermore, in the case of Twitter, there are privacy and regulatory concerns that could also be additional triggers for real-time alerts and to shut down this activity automatically. Regulations like the CCPA (California Consumer Privacy Act) and GDPR (General Data Protection Regulation) mean that platforms like Twitter have to be very careful with any access to or manipulation of a customer’s feed. That could – and should have – instantly triggered a real-time alert when an administrator was posting on behalf of a user.

Louis: Do you think this is going to be the start of an entirely new era of hacks where hackers will pay off internal employees for promotional messages?

Torsten: Quite frankly, we have seen an uptick since the start of the Covid-19 pandemic. And I believe now that this Twitter attack has been covered in the press so much, you will have copycats that will try to do the same. Some of them will also target social media platforms, but others that might be a little bit smarter because social media is easily detectable if something goes wrong. An industry like healthcare could be a prime target and there is already news that Russian hackers are attacking healthcare providers and research labs to try to gain access to vaccine research.

Louis: Given how significant this hack is in terms of the progression or the growing sophistication of threats, what are the top three predictions you have for the rest of 2020?

Torsten: Ransomware is an example of a technique that has changed quite significantly in two ways. First, they are no longer only delivered via an email, but also via social media platforms, SMS messages and more. Second, ransomware is no longer only focused on shutting down business operations. The most recent example with EDP Renewables North American, a subsidiary of an European-based electric utilities company, showed that hackers leveraged ransomware to exfiltrate data. Not to lock it down, but to exfiltrate data and then ask for ransom from their victim to not publish the data on the Dark Web.

Second, as I’ve already covered, the current economic hardships of the pandemic will cause more people to jump on the bandwagon and become cybercriminals. And these aren’t the people you see in movies – dark characters in hoodies using sophisticated hacking techniques to breach the government. These are your neighbors, the little boys next door. For them it’s not a big deal to become a cyber-criminal.

Third, as you’d expect, the number of cyber-attacks will increase as a result and they will continue to find new and innovative ways to find the easiest way in. The Twitter incident taught us that there was no technology “breach” required. It was just finding the right person with the right privileges and paying them to do 25 Tweets. That’s an easy payday.

I think this whole crisis that we’re going through will see a major uptick in attacks from the traditional cyber hackers, but also from a whole bunch of newbies and greenhorns that will try out their luck and see if they can make a buck. Either by ransomware attacks, phishing attacks, social engineering or any combination thereof.

Three Reasons Why Killing Passwords Improves Your Cloud Security

Jack Dorsey’s Twitter account getting hacked by having his telephone number transferred to another account without his knowledge is a wake-up call to everyone of how vulnerable mobile devices are. The hackers relied on SIM swapping and convincing Dorsey’s telecom provider to bypass requiring a passcode to modify his account. With the telephone number transferred, the hackers accessed the Twitter founder’s account. If the telecom provider had adopted zero trust at the customer’s mobile device level, the hack would have never happened.

Cloud Security’s Weakest Link Is Mobile Device Passwords

The Twitter CEO’s account getting hacked is the latest in a series of incidents that reflect how easy it is for hackers to gain access to cloud-based enterprise networks using mobile devices. Verizon’s Mobile Security Index 2019 revealed that the majority of enterprises, 67%, are the least confident in the security of their mobile assets than any other device. Mobile devices are one of the most porous threat surfaces a business has. They’re also the fastest-growing threat surface, as every employee now relies on their smartphones as their ID. IDG’s recent survey completed in collaboration with MobileIron, titled Say Goodbye to Passwords found that 89% of security leaders believe that mobile devices will soon serve as your digital ID to access enterprise services and data.

Because they’re porous, proliferating and turning into primary forms of digital IDs, mobile devices and their passwords are a favorite onramp for hackers wanting access to companies’ systems and data in the cloud. It’s time to kill passwords and shut down the many breach attempts aimed at cloud platforms and the valuable data they contain.

Three Reasons Why Killing Passwords Improves Your Cloud Security

Killing passwords improve cloud security by:

  1. Eliminating privileged access credential abuse. Privileged access credentials are best sellers on the Dark Web, where hackers bid for credentials to the world’s leading banking, credit card, and financial management systems. Forrester estimates that 80% of data breaches involve compromised privileged credentials, and a recent survey by Centrify found that 74% of all breaches involved privileged access abuse. Killing passwords shuts down the most common technique hackers use to access cloud systems.
  2. Eliminating the threat of unauthorized mobile devices accessing business cloud services and exfiltrating data. Acquiring privileged access credentials and launching breach attempts from mobile devices is the most common hacker strategy today. By killing passwords and replacing them with a zero-trust framework, breach attempts launched from any mobile device using pirated privileged access credentials can be thwarted. Leaders in the area of mobile-centric zero trust security include MobileIron, whose innovative approach to zero sign-on solves the problems of passwords at scale. When every mobile device is secured through a zero-trust platform built on a foundation of unified endpoint management (UEM) capabilities, zero sign-on from managed and unmanaged services become achievable for the first time.
  3. Giving organizations the freedom to take a least-privilege approach to grant access to their most valuable cloud applications and platforms. Identities are the new security perimeter, and mobile devices are their fastest-growing threat surface. Long-standing traditional approaches to network security, including “trust but verify” have proven ineffective in stopping breaches. They’ve also shown a lack of scale when it comes to protecting a perimeter-less enterprise. What’s needed is a zero-trust network that validates each mobile device, establishes user context, checks app authorization, verifies the network, and detects and remediates threats before granting secure access to any device or user. If Jack Dorsey’s telecom provider had this in place, his and thousands of other people’s telephone numbers would be safe today.

Conclusion

The sooner organizations move away from being so dependent on passwords, the better. The three reasons why killing passwords improve cloud security are just the beginning. Imagine how much more effective distributed DevOps teams will be when security isn’t a headache for them anymore, and they can get to the cloud-based resources they need to get apps built. And with more organizations adopting a mobile-first development strategy, it makes sense to have a mobile-centric zero-trust network engrained in key steps of the DevOps process. That’s the future of cloud security, starting with the DevOps teams creating the next generation of apps today.

%d bloggers like this: