Twitter accounts belonging to Joe Biden, Bill Gates, Elon Musk and Apple, and other high-profile accounts, were compromised in what Twitter said it believes to be an attack on some of its employees with access to the company's internal tools, says a CNN news report.
"We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools," Twitter's support team said late Wednesday.
According to CNN, the attackers posted tweets that appeared to promote a cryptocurrency scam. The accounts, along with those of former President Barack Obama, Kanye West, Kim Kardashian West, Warren Buffett, Jeff Bezos and Mike Bloomberg, posted similar tweets soliciting donations via Bitcoin to their verified profiles on Wednesday.
Brandon Hoffman, CISO, Head of Security Strategy at Netenrich, a San Jose, Calif.-based provider of IT, cloud, and cybersecurity operations and services, says, “There is a lot of interesting speculation floating around about today’s Twitter hack. Due to a lack of any reliable or apparent source, that is really all anybody can provide at this time. As a security expert, there are many possible situation that could have led here. At this time none are probable though. The idea floating around that there is a user administrative panel that was accessed through an employee’s credentials is on fire. It is on fire for two reasons. The first is that credentials are likely going to be the way this was perpetrated. The second being that the existence of a user admin panel, which shouldn’t exist, in such an iconic tech company like Twitter is so scandalous that security people will eat it up. Other popular theories will surface about a Twitter insider, or some zero day, possibly an unknown credential stealing piece of malware. In the end I think we will find out that somehow credentials were stolen, either from an employee or from the account holders themselves through a variety of methods. The credentials were probably offered for sale on the dark web in piecemeal form and a cybercriminal with vision bought them for this campaign. However, that’s just another theory.”
Shawn Smith, DevOps Engineer at nVisium, a Falls Church, Virginia-based application security provider, notes, “There's several ways these high profile Twitter accounts could have been compromised. For example, a fairly common support feature is to allow administrative and other privileged personnel to impersonate other users to test functionality as that user. So if Twitter has made this sort of a setup available, it is quite possible an account with access to this feature was compromised therefore leading to additional account compromise. As such, if a staff (or worse, a privileged) account was compromised, it could also just be using it to reset passwords and login for the targeted accounts. SMS interception on password resets, and password reset logic flaws are also vectors for general social media account compromise. Additional other ways for Twitter account compromise are generally due to phishing attacks or linked accounts being taken over, but the number of accounts being compromised so quickly makes these attack vectors somewhat unlikely unless carefully coordinated and orchestrated by a syndicated effort. However, without a detailed analysis, we are all just speculating."
Battista Cagnoni, Senior Consultant, Advisory Services at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers, adds, “Rogue insider or duped employee aside the illegitimate use of administration tools by legitimate users is challenging to detect, which is why privileged access remains a critical attack vector in so many breaches. This high-profile attack on one of the world’s largest social media platforms looks to have limited success in terms of financial gain, but for obvious reasons, has significant impact in terms of visibility and the potential to damage
to brand reputation. Over the next few hours and days, incident responders will be working hard to scope out the totality of the compromise and looking for any evidence of remote orchestration in case the attackers have been able to penetrate and gain persistence inside Twitter’s systems.”
“There are two key red flags I recommend consumers look out for to avoid falling victim to phishing schemes on any platform, including Twitter, email, or text,” said Paige Schaffer, CEO of Global Identity and Cyber Protection Services for Generali Global Assistance. "First: when you see an exciting time-sensitive offer, like in yesterday’s hacked posts, take a moment to read the text carefully as you’ll probably notice some grammar and spelling issues, which is a common red flag to look out for when you suspect a possible phishing scam. Elon Musk’s hacked tweet yesterday is one example of this. Second: generally any type of offer that involves providing some initial funding in order to secure a large return at a later time is almost always a scam, especially when combined with an “urgent” call to action.”