How The Twitter Hack Went Down
On July 15th, word began to spread across the twitterverse (and beyond) that numerous high-profile accounts were tweeting requests to send cryptocurrency to specific destinations, with the promise that the funds would be doubled and returned to the sender. Sound too good to be true? It was.
What makes this hack different from many others is that the promise of instant cryptocurrency profit came from a number of very high-profile verified Twitter accounts, including Bill Gates, Elon Musk, Apple, Jeff Bezos, Barack Obama, and Joe Biden. Verified Twitter Accounts are highly visible and command a higher degree of trust, with users well aware of the associated “blue checkmark” iconography. It’s exactly that iconography that magnified the impact of this particular attack — preying on the higher degree of trust that users have in tweets from Verified Twitter Accounts.
But how did an attacker commandeer these accounts in the first place? We originally tweeted that we suspected that a violation of Principle of Least Privilege (POLP) played a role. Our logic was:
- Many Accounts Were Compromised Simultaneously: when a webapp has many high-profile customer accounts that are compromised simultaneously, it leads us to believe that one single hack — not separate cumulative attacks against each separate account — led to the incident.
- Administrative Privilege as a Probability: one popular approach that hackers take when they seek to compromise many accounts simultaneously is to seek out some vulnerability that leads them to administrative access. They don’t always succeed, but when they do you can bet that the outcome is similar to what we saw in this attack — an attack very broad in scope.
- Excessive Privilege Grants: in MANY companies, administrative privileges end up in the hands of more employees than necessary; and as the gradation of additional privilege levels becomes more complex in a growing company, it becomes difficult to keep up with enforcing the Principle of Least Privilege (POLP), wherein each employee should have absolutely no more privilege than necessary to accomplish their job responsibilities.
We still stand by this logic. The latest news on the hack revealed that a social engineering attack was staged against specific employees who had administrative access to certain tools, accounts, and data.
How Companies Can Prevent This Attack
Defense-in-depth could have prevented this attack at many levels:
- Enforcing Principle of Least Privilege (POLP): it’s hard to make the case that there are many — if any — employees within Twitter that should have the autonomous, unchecked ability to tweet from a broad range of accounts. Had Twitter implemented and enforced a more rigorous POLP approach, the scope of the attack would no doubt have been greatly limited.
- Social Engineering Awareness / Training: in this era where software defects are so often the attack vector that cyber criminals use to do harm, we cannot forget that a more basic human factor is always available. Social engineering is when attackers use deception techniques to manipulate individuals into divulging confidential or personal information — it’s the oldest trick in the book, and is a way “in” even if your systems are rock solid.
- Threat Modeling: TechCrunch reports that the administrative-level tool exploited in this hack was one that allowed internal Twitter employees to change email addresses associated with Twitter accounts (amongst other configuration capabilities). A rigorous threat modeling process could have easily exposed that allowing the email-changing capability would open up the company to compound attacks that started with an email change but advanced to further devious activity on the now-modified accounts.
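To make the least-privilege and threat-modeling points concrete, here is an added example (our own illustration, not Twitter’s tooling or any product code) of an authorization gate for an internal support tool of the kind described above. The roles, action names, the per-actor account cap, and the two-person rule for verified accounts are all assumptions chosen for the example; the point is that a role-scoped check, a blast-radius cap, and an independent approver each shrink what a single socially engineered employee can do with the email-changing capability.

```python
# Added example, not Twitter's or Havoc Shield's code. Roles, actions and
# limits below are hypothetical and chosen to illustrate least privilege.
from collections import defaultdict
from dataclasses import dataclass, field

# Each role may perform only the actions listed for it (assumed role model).
ROLE_ACTIONS = {
    "support_agent": {"view_profile", "send_password_reset"},
    "account_recovery": {"view_profile", "change_email", "reset_2fa"},
}
HIGH_IMPACT = {"change_email", "reset_2fa"}   # actions that can take over an account
MAX_ACCOUNTS_PER_WINDOW = 3                    # assumed blast-radius cap per actor

@dataclass
class Account:
    handle: str
    verified: bool

@dataclass
class Actor:
    name: str
    role: str

@dataclass
class AdminTool:
    audit: list = field(default_factory=list)
    touched: dict = field(default_factory=lambda: defaultdict(set))

    def authorize(self, actor, action, account, approver=None):
        """Return (allowed, reason); every decision is written to the audit log."""
        allowed, reason = self._decide(actor, action, account, approver)
        self.audit.append((actor.name, action, account.handle, allowed, reason))
        if allowed:
            self.touched[actor.name].add(account.handle)
        return allowed, reason

    def _decide(self, actor, action, account, approver):
        # 1. Role scope: an actor may only perform actions granted to its role.
        if action not in ROLE_ACTIONS.get(actor.role, set()):
            return False, "action outside role scope"
        # 2. Blast-radius cap: one actor cannot touch many distinct accounts.
        if action in HIGH_IMPACT and len(self.touched[actor.name] | {account.handle}) > MAX_ACCOUNTS_PER_WINDOW:
            return False, "too many distinct accounts touched in window"
        # 3. Two-person rule: high-impact changes on verified accounts need a
        #    different person who also holds a role allowed to perform them.
        if action in HIGH_IMPACT and account.verified:
            if approver is None or approver.name == actor.name:
                return False, "verified account: independent approver required"
            if action not in ROLE_ACTIONS.get(approver.role, set()):
                return False, "approver lacks role for this action"
        return True, "ok"
```

The audit list doubles as the detection feed: a cluster of denied or approved high-impact actions from one actor in a short window is exactly the signal an incident responder would want to alert on.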
Havoc Shield protects businesses from falling victim to attacks like this one. We’re glad to help by getting you started with:
- Our Guidance Assistant that helps you configure your internal privileges in a manner that manages access levels and exposure, without the need to read lengthy knowledgebase articles. We’ll show you where to click, what settings to change, and how to know you did it correctly.
- Our Rapid Threat Test evaluates your current cybersecurity posture and gives you an initial Threat Model code and associated advice, including the types of attacks that your particular company is most susceptible to.
- Our robust InfoSec Policies and associated training modules are great for raising employee awareness about the team effort that it takes to keep your company secure. Your cyber perimeter is only as strong as its weakest link.
Ready to get started? Let’s work together to keep your company safe.
Interested in more articles in our series The Latest Hack? Continue here:
- The Latest Hack: Garmin
- The Latest Hack: Amtrak
- The Latest Hack: Wishbone
- The Latest Hack: Mathway
- The Latest Hack: Marriott
Any additional suggestions of recent hacks that you’d like us to write our perspectives on? Drop us a note in the comments section below!