An unprecedented attack on Twitter occurred on Wednesday, between the 15th and 16th of July, and resulted in numerous takeovers of high-profile accounts, including those of President Barack Obama, Democratic candidate Joe Biden, and Tesla CEO Elon Musk. The attack is one of the most widespread and confounding hacks the platform has ever seen. Every tweet invited people to send money to a bitcoin wallet to support the fight against COVID-19 and offered to double the money sent. As an example, Elon Musk's tweet was:
“I’m feeling generous because of Covid-19. I’ll double any BTC payment sent to my BTC address for the next hour. Good luck, and stay safe out there!”
The tweet contained a bitcoin address associated with the hacker’s crypto wallet. The final goal was promoting a bitcoin scam that appears to be earning its creators quite a bit of money. It is estimated that the wallet in the tweets received more than $100,000.
In a series of tweets posted this evening under its support channel, Twitter acknowledged that numerous people appear to have been involved in the hacks, not just one individual, and also that numerous employees’ accounts and its internal systems were compromised by the hackers. This supports theories that the attack could not have been conducted without access to the company’s own tools and employee privileges. It is still not clear whether the employees’ accounts were attacked or whether the attackers bribed the employees and then used their tools. So far, Twitter has confirmed that employee tools were used in the hack, but has offered no theory as to how the hackers might have gotten access.
It has been reported that numerous underground hacking circles have been sharing screenshots of an internal Twitter administration tool allegedly used to take over the high-profile verified accounts. Twitter is now removing images of the screenshot from its platform, and in some cases the underlying problem is the large number of unnecessary privileges granted to administrative accounts. It is well known that these accounts are a target of privilege escalation because of the power they have over resource and system management. Minimizing these privileges, requiring strong authentication when the privileges are used, and logging their usage are important controls to minimize impact and simplify forensic analysis of an attack.
Updates 7/17/2020
According to a post on Brian Krebs’ site:
“There are strong indications that this attack was perpetrated by individuals who’ve traditionally specialized in hijacking social media accounts via “SIM swapping,” an increasingly rampant form of crime that involves bribing, hacking or coercing employees at mobile phone and social media companies into providing access to a target’s account.”
SIM swapping is an insidious form of mobile phone fraud that is often used to steal large amounts of cryptocurrencies and other items of value from victims. All too frequently, the scam involves bribing or tricking employees at mobile phone stores into seizing control of the target’s phone number and diverting all texts and phone calls to the attacker’s mobile device. Hence, this attack has been possible because of an insider; it remains to be seen whether the insider works at Twitter or at a telephone company.
Links
https://www.theverge.com/2020/7/15/21326200/elon-musk-bill-gates-twitter-hack-bitcoin-scam-compromised
https://www.theverge.com/2020/7/15/21326656/twitter-hack-explanation-bitcoin-accounts-employee-tools
https://krebsonsecurity.com/2020/07/whos-behind-wednesdays-epic-twitter-hack/