It has been reported that the Twitter accounts of billionaires Elon Musk, Jeff Bezos and Bill Gates, along with many other prominent figures, were hijacked in an apparent Bitcoin scam. Tweets posted from these high-profile accounts asked followers to send cryptocurrency. Twitter has described it as a "co-ordinated" social engineering attack targeting employees with access to internal systems and tools. Industry leaders give their views on the breach below.
The attack that happened earlier this week is possibly one of the worst security incidents at Twitter, if not the worst.
We have seen compromises of high-profile accounts in the past, which were used to post cryptocurrency-related scams, but they pale in comparison to this one. For instance, @Jack was hacked in 2019 through a SIM-swap attack, and President Trump’s account was deleted by a Twitter employee. Yet the scope of the current attack is much larger, affecting many top accounts with hundreds of millions of followers combined.
It appears that the incident was a one-shot event, in which a certain type of access was leveraged to facilitate a quick, illicit scheme for financial profit. For now, we do not know who was behind it; however, the cryptocurrency-related scam would suggest a criminal group driven by financial profit. A nation-state would instead use their access to collect private information, such as DMs from persons of interest, rather than high-ranking company accounts.
At this point, a thorough, detailed investigation, made public in the form of a report, would be essential for regaining user trust. An explanation of the breach step by step, what tricks the attackers used and the vulnerabilities (if any) they exploited, are needed. Some of the information posted by Twitter Support indicates that their employees have been targeted in a social engineering scheme; it’s hard to fathom that Twitter employees wouldn’t have their own access protected by 2FA, so this raises questions about how it would be possible for a social engineering attack to succeed. Last but not least, what steps have been taken in order to secure the platform against future abuses would be essential to regain user confidence.
I believe that Twitter will work hard to close any security gaps that might have been used, making similar attacks really hard, if not impossible, to execute in the future.
Early reports indicated the Twitter Bitcoin hack was enabled by “a coordinated social engineering attack” that targeted Twitter employees. This underscores how easy it is to fall for a social engineering attack, even if you’re an employee of a social network who should be more security conscious than your average office worker.
The ability for a hacker to gain the ability to post on multiple Twitter accounts is quite scary, and Twitter should consider itself lucky that the hacker’s aim was financial and not simply a malicious attack looking to cause havoc on the Twittersphere.
This will most likely lead to a big overhaul of Twitter’s internal security systems, or at the least increased education for employees on social engineering attacks.
This week’s attack on Twitter was extremely sophisticated, and likely wasn’t an isolated incident. Coordinated attacks like these take time and resources to execute, so it’s likely the attackers had already gained a foothold on Twitter’s networks, and spent weeks – or even months – stealthily gathering intelligence before they made their public moves.
This speaks to a larger trend we’re seeing in cybercrime, where hackers exploit workers via phishing attacks to gain access to a company network – moving laterally under the radar to collect information. They wait and learn. By the time they launch their attack, they may know as much or more about the environment than the defender. This issue is further exacerbated by remote work, as security teams and the access points they’re trying to protect are scattered, making it more difficult to stave off threats.
Perimeters get breached. Security teams need to accept that and take the fight to the attacker in the network. They should shift their strategy toward making the network deceptive in order to make the attacker’s path from breach to crown jewels risky and time consuming.
Twitter’s new work-from-home policy has clearly exposed information required by hackers to infiltrate key systems. A Zero Trust CASB solution with multifactor authentication and SSO is essential to prevent these types of attacks when employees are accessing a labyrinth of both sanctioned and unsanctioned SaaS applications. Visibility alone into user activity is essential if forensics is to pinpoint root cause.
Insider-driven attacks are the hardest nut to crack, whether they are malicious or unintentional, because of the abuse of valid access. With Twitter acknowledging that insider role, the next question becomes: how was the act so invasive and possible at such scale? That seems to be a question whose answer lies in the insider tool used. What does that tool enable in terms of access and control, who has access to it, and what are the mechanisms for oversight? Whether one or 10 people, the ability to post (and even pin, based on reports and social media traffic) on behalf of a user without triggering action is unsettling at best. What about access to DMs? And what else were the attackers able to do once inside, beyond those tweets? Regardless of how far or deep, Twitter’s first job is explaining exactly what transpired and why, and what will be done to repair what is now a damaged trust.