1.888.900.DRIZ (3749)
The Driz Group
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog

Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

7/19/2020

0 Comments

Twitter Attributes Latest Hack to Its Systems to Social Engineering

 
twitter hack

Twitter Attributes Latest Hack to Its Systems to Social Engineering

Last July 15th, verified Twitter accounts, including that of Amazon CEO Jeff Bezos and Former U.S. President Barack Obama, tweeted similar content, saying that they've decided to give back to their community by giving back twice the Bitcoin amount (limited to US $50 million) for every Bitcoin that will be sent to a particular Bitcoin address.

The tweets were later removed – a confirmation that the tweets were part of a scam and that the involved verified Twitter accounts were, in fact, hacked. A total of 393 transactions sent varying amounts of Bitcoin to the indicated Bitcoin address. Whoever orchestrated the campaign earned 12.8 Bitcoins, valued at US $117,473 as of July 18, 2020.

How Twitter Was Hacked?

In a blog post dated July 18, 2020, Twitter attributed the hacking of the 130 verified Twitter accounts to social engineering. "At this time, we believe attackers targeted certain Twitter employees through a social engineering scheme," Twitter said.

The company, however, didn't elaborate how the social engineering was carried out by attackers. Twitter defined social engineering as the "intentional manipulation of people into performing certain actions and divulging confidential information."

According to Twitter, the intentional manipulation of a small number of Twitter employees enabled the attackers to access the company's internal systems using the credentials of the targeted Twitter employees, and "getting through" the company's two-factor authentication (2FA) protection.

Twitter said the attackers were able to view personal information including phone numbers and email addresses – information that were accessible to some of the targeted employees. Out of the 130 hacked verified accounts, Twitter added, 45 of those accounts, the attackers were able to login to the account, send tweets and initiate a password reset.

In accounts taken over by the attackers, the company said that the attackers may have been able to view additional information. The company also added that the attackers attempted to sell some of the hacked accounts.

SIM Swap

The July 15th cyber incident at Twitter isn't the first hacking incident that the company experienced. Nearly a year ago, the Twitter account of its CEO Jack Dorsey was hacked.

After taking over Dorsey's Twitter account @jack, attackers fired off nearly two dozen tweets and retweets. "The phone number associated with the account was compromised due to a security oversight by the mobile provider," Twitter said in a statement. "This allowed an unauthorized person to compose and send tweets via text message from the phone number."

The above-mentioned statement from Twitter on how its CEO's account was hacked describes a typical SIM swap attack – a type of cyberattack in which a mobile phone company employee switches a victim’s phone number to a new phone number that's under the attacker’s control.

This type of attack is carried out in two ways. One method is by calling a customer help line of the mobile phone company and pretend to be the intended victim. The other method is by paying off phone company employees to do the phone number switches. There have been reports that attackers paid off phone company employees to do the phone number switching for as low as US $100.

SIM swap plays a big role in an attack that tries to bypass text message-based 2-factor authentication, an authentication method that requires additional authentication, that is, on top of the usual username and password requirement, a user can only login to an account by providing a one-time code – a code that's sent to the phone number provided by a user. In a SIM swap attack, by changing the target's phone number to the phone number controlled by the attacker, the one-time code is sent to the new phone number controlled by the attacker.

In September 2019, the U.S. Federal Bureau of Investigation (FBI) warned its partner organizations about SIM swapping. According to the FBI, between 2018 and 2019, the most common tactic used by attackers in circumventing the 2-factor authentication was through SIM swapping.

VPN Vulnerability

In 2019, a report came out that Twitter left its internal systems exposed to outsiders by failing to apply the latest security update of a particular software. This time, however, bug bounty hunters found the vulnerability and responsively disclosed the vulnerability to Twitter.

In a blog post dated September 2, 2019, security researchers at DEVCORE reported that they were able to perform on Twitter's internal systems remote code execution – the ability to access someone else's computing device and make changes to it regardless of where this computing device is geographically located. The researchers said they initially gained access to Twitter's internal system by exploiting an unpatched Pulse Secure VPN used by the company.

The security researchers at DEVCORE are the same researchers that discovered the remote code execution vulnerability in Pulse Secure VPN products and reported this vulnerability to the software vendor Pulse Secure. The same researchers also discovered and reported the security vulnerabilities in the VPN products of OpenVPN and Fortinet.

"During our research, we found a new attack vector to take over all the clients [computers or software that accesses a service made available by a server]," security researchers at DEVCORE said. "It’s the 'logon script' feature. It appears in almost EVERY SSL VPNs, such as OpenVPN, Fortinet, Pulse Secure… and more. It can execute corresponding scripts to mount the network filesystem or change the routing table once the VPN connection established. Due to this 'hacker-friendly' feature, once we got the admin privilege, we can leverage this feature to infect all the VPN clients!"

The researchers also reported that they bypassed the 2-factor authentication as Twitter enabled the Pulse Secure VPN's roaming session feature, which allows a session from multiple IP locations. "Due to this 'convenient' [roaming session] feature, we can just download the session database and forge our cookies to log into their system!"

Prior to going public, the security researchers at DEVCORE reported to Twitter their findings via the company's bug bounty program.

Social engineering is a significant risk for most organizations and individuals alike. This is why we’ve created a blog post with 52 cybersecurity tips for businesses and individuals to help mitigate key risks.

0 Comments

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Archives

    January 2023
    December 2022
    June 2022
    May 2022
    February 2022
    December 2021
    November 2021
    October 2021
    September 2021
    August 2021
    July 2021
    June 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    December 2020
    November 2020
    October 2020
    September 2020
    August 2020
    July 2020
    June 2020
    May 2020
    April 2020
    March 2020
    February 2020
    January 2020
    December 2019
    November 2019
    October 2019
    September 2019
    August 2019
    July 2019
    June 2019
    May 2019
    April 2019
    March 2019
    February 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    October 2017
    September 2017
    August 2017
    July 2017
    June 2017
    May 2017
    April 2017
    March 2017
    February 2017
    January 2017
    December 2016
    October 2016
    August 2016
    May 2016
    March 2016
    January 2016
    November 2015
    October 2015
    August 2015
    June 2015

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    ATP
    Awareness Training
    Botnet
    Bots
    Brute Force Attack
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Awareness
    Cyber Espionage
    Cybersecurity
    Cyber Security
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    DDoS
    Email Security
    Fraud
    GDPR
    Hacking
    IoT
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    SaaS Security
    Social Engineering
    Supply Chain Attack
    Supply-Chain Attack
    Third-Party Risk
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security
    Zero Trust

    RSS Feed

Picture

1.888.900.DRIZ (3749)

Managed Services

Picture
Web Application Security
​Virtual CISO
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
Privacy Policy | CASL

About us

Picture
Testimonials
​Meet the Team
​Subsidiaries
​Contact us
​Blog
​
Jobs

Resources & Tools

Picture
​Incident Management Playbook
Sophos authorized partner logo
Picture
© 2023 Driz Group Inc. All rights reserved.
Photo used under Creative Commons from GotCredit