On an ordinary Wednesday in a not-so-ordinary July 2020, with a world already in chaos, one of the most trusted verification systems in social media was cracked wide open in the flashiest display of account hijacking this decade.
High-profile Twitter accounts such as those of Bill Gates, Elon Musk, and Barack Obama suddenly began tweeting out offers of a two-for-one bitcoin exchange. Your average tech-savvy person would immediately realize this was likely a hack or, at best, a really bad joke. Unfortunately, because people rely on the “blue checks” that indicate an account is verified to belong to its high-profile owner, a number of average people (tech savvy or not) fell for it. The hackers got away with a little over a hundred thousand dollars. Not a small chunk of change.
Why would attackers make it so obvious they’d compromised these accounts with this flashy bitcoin scam? Was money and attention really the ultimate goal of what had to be a very complex attack?
Just Money or Something More?
I highly doubt the intention of this attack was to garner attention and scrape up a little bitcoin. Let’s face it, a ransomware attack is far more profitable and easier to execute. There’s a pretty decent chance that what this attack really represented was a proof of concept that Twitter’s verified accounts could not only be compromised but widely exploited. The bitcoin angle simply serves as a cover for the real motive while making it appear to onlookers that the attackers have already gotten what they wanted.
Consider, though, that this is an election year and there is currently a global pandemic. People are worried. They are also more susceptible to misinformation than ever before. We’ve already seen the way social media can be used to influence popular opinion. If high-profile trusted accounts are demonstrated to be vulnerable, it suddenly calls into question the most reliable messaging in the social media sphere, the place where many people gather their news and information. Public figures maintain large-scale audiences who are generally receptive to their messages. Subverting these accounts allows an attacker to subtly parlay the influence of the account holder to shape opinions on state and national issues. There is also the chance of damaging the credibility of Twitter’s verification system, casting doubt on legitimate statements by high-profile individuals. After all, if it has happened once, couldn’t it happen again?
A Hole in Twitter’s Armor
This breach exposed key vulnerabilities at Twitter, including challenges in trusting internal users and validating the identities of external parties. From what we have seen, this attack is believed to have been initiated through an internal user, but there is the possibility that an attacker secured stolen credentials with the necessary privileges. By locking down the administrative system that allows access to these high-profile accounts more tightly and implementing better controls, this attack would either have been stopped early or blocked altogether. One such control that might have been crucial is a second-user signoff on tasks related to “verified” accounts, much the way dual authorization operates in many accounting and financial systems.
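One way to express that second-user signoff in code, as an added example that is not Twitter’s own tooling and is not drawn from the original post: a gate that lets a single support agent act on ordinary accounts but holds any action against a verified account until a different operator approves it, refusing self-approval and double execution. The account names, operator names and action names are constructed for the illustration.

```python
import itertools
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


class DualControlError(Exception):
    """Raised when an approval violates the two-person rule."""


@dataclass
class ChangeRequest:
    request_id: int
    requester: str
    action: str
    target: str
    approver: Optional[str] = None
    executed: bool = False


class PrivilegedActionGate:
    """Two-person control for support actions on verified accounts.

    Hypothetical design for illustration: actions on unverified accounts run
    immediately; actions on verified accounts wait for approval by a second,
    distinct operator. Every step is appended to an audit trail.
    """

    def __init__(self, verified_accounts, executor: Callable[[str, str], None]):
        self.verified = set(verified_accounts)
        self.executor = executor          # does the real work: executor(action, target)
        self.requests: Dict[int, ChangeRequest] = {}
        self.audit: List[Tuple[str, str, str, str]] = []
        self._ids = itertools.count(1)

    def submit(self, requester: str, action: str, target: str) -> int:
        req = ChangeRequest(next(self._ids), requester, action, target)
        self.requests[req.request_id] = req
        self.audit.append(("submitted", requester, action, target))
        if target not in self.verified:
            # Ordinary account: a single operator is sufficient.
            self._run(req, requester)
        return req.request_id

    def approve(self, approver: str, request_id: int) -> None:
        req = self.requests[request_id]
        if req.executed:
            raise DualControlError("request already executed")
        if approver == req.requester:
            # The whole point of the control: the requester cannot sign off alone.
            raise DualControlError("self-approval is not allowed")
        req.approver = approver
        self.audit.append(("approved", approver, req.action, req.target))
        self._run(req, approver)

    def pending(self) -> List[int]:
        """Request ids still waiting for a second signoff."""
        return [r.request_id for r in self.requests.values() if not r.executed]

    def _run(self, req: ChangeRequest, actor: str) -> None:
        self.executor(req.action, req.target)
        req.executed = True
        self.audit.append(("executed", actor, req.action, req.target))


if __name__ == "__main__":
    performed = []
    gate = PrivilegedActionGate({"acct_vip"}, lambda a, t: performed.append((a, t)))
    gate.submit("alice", "reset_password", "acct_normal")   # runs at once
    rid = gate.submit("alice", "update_email", "acct_vip")  # held for approval
    print("pending:", gate.pending())
    gate.approve("bob", rid)                                 # second operator
    print("performed:", performed)
```

The executor callback is where a real system would call the administrative backend; keeping it injectable lets the gate be tested without touching live accounts, and the audit list is what a log-analytics job would later consume.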
There remains the question of whether this breach originated from China, Russia, or some other foreign entity. The fact is that this is entirely possible, and just because there were no overt attempts during this incident to influence our upcoming election or undermine our public health doesn’t mean that this was not a piece of a larger plan. Where the attacks originated is less important than the motivation of the attacker, as it is trivial for the IP of origin to appear to come from any country the attacker wishes. Either way, we should remain cautious because I’m quite confident that the attack was not trivial in terms of execution and therefore the motivation was likely more complex than a few bitcoins. Current evidence indicates that this may have been a complex combination of social engineering and compromising some asset, either via rootkit, theft, or bribery. Nevertheless, an attack that takes such effort is rarely one with a simple end goal. It’s more realistic that this was a test run and that other compromised accounts, users, or assets still exist.
Lessons Learned the Hard Way
The biggest takeaway for the public from this hack is that users of Twitter should not trust that messaging from “verified” accounts is always legitimate. In that respect, the attackers have achieved the goal of damaging Twitter’s credibility. Yet this lesson is something security professionals and the tech community have always known: assume that there is a risk of compromise. Keep in mind that even on “verified” accounts it’s possible that direct quotes are not 100% indicative of the actual user tweeting, especially if that user happens to be a world leader or prominent public figure.
For Twitter, the lesson is more complex. This hack is indicative of major security failures, and those failures came on multiple fronts. First off, too many individuals have access to administrative tools. Second, Twitter needs controls to ensure that no single individual can alter trusted/verified accounts without a significant level of oversight. In addition, Twitter needs to improve the logging of this administrative interface and layer some user behavioral analytics on top of it. Look for trends such as a support person taking administrative actions on a greater percentage of verified accounts relative to their peers. This simple step alone would have flagged that a user was compromised early in the attack.
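The peer comparison described above, worked through as an added example that is not part of the original post and not Twitter’s actual logging: parse an administrative audit log, compute each support agent’s share of actions that touched verified accounts, and flag any agent whose share is several times the median of their peers. The log format, agent names, account names and threshold values are all constructed assumptions for the illustration; a malformed line is included to show that the parser skips rather than crashes on it.

```python
import re
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample audit log (hypothetical format, not real Twitter data):
#   <timestamp> agent=<support login> action=<admin action> target=<account> verified=<yes|no>
SAMPLE_LOG = """\
2020-07-15T14:02:11Z agent=alice action=reset_password target=acct_1001 verified=no
2020-07-15T14:05:40Z agent=alice action=update_email target=acct_1002 verified=no
2020-07-15T14:09:03Z agent=alice action=reset_password target=acct_1003 verified=no
2020-07-15T14:12:19Z agent=alice action=disable_2fa target=acct_2001 verified=yes
2020-07-15T14:15:55Z agent=alice action=unlock target=acct_1004 verified=no
2020-07-15T14:03:27Z agent=bob action=unlock target=acct_1005 verified=no
2020-07-15T14:06:48Z agent=bob action=reset_password target=acct_1006 verified=no
2020-07-15T14:10:14Z agent=bob action=update_email target=acct_2002 verified=yes
2020-07-15T14:13:31Z agent=bob action=unlock target=acct_1007 verified=no
2020-07-15T14:17:02Z agent=bob action=reset_password target=acct_1008 verified=no
2020-07-15T14:04:09Z agent=carol action=reset_password target=acct_1009 verified=no
2020-07-15T14:07:52Z agent=carol action=unlock target=acct_1010 verified=no
2020-07-15T14:11:36Z agent=carol action=reset_password target=acct_2003 verified=yes
2020-07-15T14:14:20Z agent=carol action=update_email target=acct_1011 verified=no
2020-07-15T14:18:44Z agent=carol action=unlock target=acct_1012 verified=no
2020-07-15T14:20:05Z agent=dave action=update_email target=acct_2004 verified=yes
2020-07-15T14:21:33Z agent=dave action=disable_2fa target=acct_2004 verified=yes
2020-07-15T14:23:58Z agent=dave action=update_email target=acct_2005 verified=yes
2020-07-15T14:25:12Z agent=dave action=reset_password target=acct_1013 verified=no
2020-07-15T14:27:47Z agent=dave action=disable_2fa target=acct_2006 verified=yes
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) agent=(?P<agent>\S+) action=(?P<action>\S+) "
    r"target=(?P<target>\S+) verified=(?P<verified>yes|no)$"
)


def parse_log(text: str) -> Tuple[List[dict], int]:
    """Return (events, skipped_line_count). Malformed lines are counted, not fatal."""
    events, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1
            continue
        ev = m.groupdict()
        ev["verified"] = ev["verified"] == "yes"
        events.append(ev)
    return events, skipped


def verified_ratio_by_agent(events: List[dict]) -> Tuple[Dict[str, float], Dict[str, int]]:
    """Per agent: fraction of admin actions that targeted a verified account, and total actions."""
    totals, on_verified = defaultdict(int), defaultdict(int)
    for ev in events:
        totals[ev["agent"]] += 1
        if ev["verified"]:
            on_verified[ev["agent"]] += 1
    ratios = {agent: on_verified[agent] / totals[agent] for agent in totals}
    return ratios, dict(totals)


def flag_outliers(ratios: Dict[str, float], totals: Dict[str, int],
                  min_actions: int = 5, factor: float = 3.0,
                  min_ratio: float = 0.2) -> Dict[str, dict]:
    """Flag agents whose verified-account share is >= factor x the median of their peers.

    Leave-one-out median keeps the outlier from dragging its own baseline up;
    min_actions avoids flagging on tiny samples; min_ratio guards the case where
    every peer's median is 0 (a single verified action would otherwise trip it).
    """
    flagged = {}
    for agent, ratio in ratios.items():
        if totals[agent] < min_actions:
            continue
        peers = [r for a, r in ratios.items() if a != agent]
        if len(peers) < 2:
            continue
        baseline = median(peers)
        if ratio >= baseline * factor and ratio >= min_ratio:
            flagged[agent] = {"ratio": ratio, "peer_median": baseline, "actions": totals[agent]}
    return flagged


if __name__ == "__main__":
    events, skipped = parse_log(SAMPLE_LOG)
    ratios, totals = verified_ratio_by_agent(events)
    print(f"parsed {len(events)} events, skipped {skipped}")
    for agent, hit in flag_outliers(ratios, totals).items():
        print(f"ALERT {agent}: {hit['ratio']:.0%} of {hit['actions']} actions on verified "
              f"accounts (peer median {hit['peer_median']:.0%})")
```

In practice this runs over a rolling window per agent rather than one batch, and the baseline would come from weeks of history rather than three peers, but the shape is the same: the signal is not any single action, which a support agent is entitled to take, but an agent’s mix of targets drifting away from everyone else’s.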
As an organization, Twitter has to walk a fine line between guaranteeing that its high-profile users have the support necessary to handle daily issues such as forgotten passwords and accidental lockouts, while ensuring that support requests are legitimate. These accounts, unlike those of normal users, carry added risk for Twitter because these voices wield the power of influence, which has become a currency with which much can be bought. Twitter will come through this in the long run, but there is going to be a lot of work to retrofit and redesign a system that obviously was not built with a security-first mindset.