Unfolding the Twitter security incident

Unfolding the Twitter security incident

In case 2020 wasn’t dystopian enough, here’s some more unbelievable news. On July 15, 2020, social media giant Twitter admitted it fell victim to a security breach.

The attackers targetted 130 Twitter accounts, including several belonging to high-profile individuals such as elected officials; former president Barack Obama; and business leaders including Bill Gates, Jeff Bezos, and Elon Musk.

Attackers tweeted cryptocurrency scams from these high profile accounts with messages similar to the one shown in the screenshot below as an attempt to generate income.

Allegedly, some users gave in to the scam and sent bitcoins to the address mentioned in the tweets. But that’s not all that happened. According to the most recent tweet released by the company, the hackers did a lot more than just send out tweets.

The Your Twitter Data tool, allows the account holder to obtain a summary of their personal account details. Using this feature, attackers were able to access sensitive data including usernames, email addresses, phone numbers, login history—including login IP and location information—the browsers and mobile devices associated with the accounts, and the entire tweet history. Criminal activities on the other 41 accounts have yet to be disclosed.

What caused the attack?

The investigation of the incident is unfolding, and Twitter should reveal finer details about the breach as they uncover them, particularly around remediation, which you can look for on the official @Twitter support account or on their blog.

Let’s first address the elephant in the room, particularly the question of how did the breach happen? Could the breach have been stopped in its tracks? Was it platform-specific, or could it happen to anyone?

How the breach happened: The classic intrusion

The reason we call this intrusion “classic” is because it was socially-engineered. A small number of Twitter employees were likely tricked into giving out sensitive credentials, which were then used to bypass two-factor protections and access a key internal system.

The credentials acquired by the malicious actors are thought to to have been leveraged in order to obtain access to an internal server or an administrative panel. Either way, the access was enough to allow the hacker(s) to take complete control of the Twitter accounts. For this blog, we’ll consider the administrative panel the propagator in the breach.

Could the breach have been stopped or detected earlier?

The human element always plays a major role in cybersecurity, and this breach is evidence of that. Unfortunately, there aren’t many ways to curb a social engineering attack apart from training and educating all employees in a company on the basics of phishing and scam campaigns. Human behavior is unpredictable, which is a compelling reason behind traditional security and incident detection systems failing to detect such intrusions.

Here’s how we think the breach could have been detected well ahead of time:

If you take a look at the above illustration, you’ll notice two dotted, numbered lines. These signify the potential weak points in the security structure that may have been leveraged to initiate the breach or allowed it to spread.

1. Employee access control to the admin panel

An article published by DARK Reading speculates that many individuals within the company had access to the verified accounts, which in turn means the employees had broad access to the admin panel. This is a an on-going issue in many organizations, irrespective of the industry or size.

These are situations when:

  • The principle of least privilege is completely ignored, and users are granted more access than necessary for one of the three reasons below:
    • To avoid the painstaking effort of manually granting and revoking granular access to the employees over their life span in the organization.
    • Access is granted temporarily but is forgotten to be revoked later.
    • Access is granted to an employee without oversight or approval.

2. Tracking logs in the admin panel

Let’s assume DARK Reading’s speculations are incorrect, and Twitter had a proper identity and access management (IAM) system in place wherein only authorized employees could access the admin panel.

The breach could still have been detected and possibly avoided by tracking accesses to the admin panel or changes made to resources (in this case, the accounts) from the admin panel.

For instance, after obtaining access to the admin panel, the attackers were able to reset the passwords of 45 accounts, log in to the accounts, and send out tweets. The password resets were not noticed and the breach was not detected until the tweets were live.

It is probable that Twitter did not have an efficient incident detection and fraud analytics system in place to catch submissions from odd locations, times, and IP addresses, or consider any other factors.

Could it happen to you?

Granted, it’s not possible to zero down on the exact IT configuration that resulted in Twitter’s breach to tailor a solution, so the focus here shifts to the technique used in the breach. Though this may appear to be a modern-day breach, at its core, it’s simply a credential theft and privilege escalation—an attack tactic that has been used for decades now and could be re-engineered to affect any organization, irrespective of the IT configuration.

ManageEngine Log360 is a security and incident detection solution designed with the requirements of the current cybersecurity landscape in mind. With Log360, you can:

  • Monitor privileged permissions and roles granted to accounts
  • Know instantly about administrative user actions (such as resetting passwords and adding members to security groups)
  • Generate reports on emails received with sensitive subjects (like password resets) in user mailboxes
  • Audit critical and sensitive activities, including:
    • Logons to domain controllers and critical member servers
    • Data accesses and modifications on storage devices
    • Scripts run on sensitive servers and removable devices plugged in
    • Critical domain configuration changes and more

Also, since the human element of a cyberattack is significant, you can leverage Log360’s user behavior analytics (UBA) feature to establish a baseline of normal user behavior. Any deviations in the behavioral pattern (like a user suddenly logging on to a server hosting critical business data outside of work hours) are instantly detected and alerted on!

With support extending to on-premises deployments like Active Directory (AD) and public cloud services like Azure AD, Google Cloud, or AWS, you can ensure critical changes are always detected and alerted upon, even when you’re away!

Additionally, with the ability to instantly mitigate damage by shutting down devices, terminating user sessions, or carrying out other actions based on the configured scripts, you can be rest assured that malicious/critical changes are immediately acted on.

Download a trial version of Log360 now, and ensure you’re not at the receiving end of the next security breach!

** Optrics Inc. is an Authorized ManageEngine partner


The original article can be found here:

https://blogs.manageengine.com/it-security/2020/07/30/unfolding-the-twitter-security-incident.html

About the Author: Shannon Lewis

Leave a Reply

%d bloggers like this: