Twitter's acknowledgement that a "coordinated social engineering campaign" involving multiple employees was behind a hack of prominent verified accounts raises significant questions as to whether business organizations are implementing effective security controls that limit potential insider threats' access to back-end administrative tools.
The hacking incident — which promoted a cryptocurrency scam and victimized the accounts of Joe Biden, Barack Obama, Elon Musk, Bill Gates, Jeff Bezos, Apple, Uber and more — also raises concerns that a future attack could have even more serious ramifications, and perhaps even cause a national security scare, as social media evolves into a core component of U.S. communications infrastructure.
Spotlight on Access Management and Controls
While Twitter hasn't confirmed the details of the social engineering plot, reports suggest that hackers may have paid employees to help compromise the accounts, possibly by changing the email addresses linked with them so the malicious actors could take them over. Reports also indicate that the hackers had either direct or indirect access to back-end employee administrative tools that enabled the account takeovers (ATO) and the subsequent fraudulent postings to occur.
It also remains a possibility that the employees were simply duped by the adversaries into giving up highly privileged credentials in a more classic phishing attack. But in either scenario, better security controls and awareness are needed, suggest experts.
"Access management as a vulnerability is sort of understandable for a small business that is up in your local strip mall. [But] a compromise of access management for a company like Twitter is unacceptable," said Kiersten Todt, president and managing partner of risk management firm Liberty Group Ventures, and managing director of The Cyber Readiness Institute. "This is a technology company that is grounded in the security of access to its users... So there have to be protocols in place that are so stringent."
Indeed, as the investigation into the incident continues, the Twitter-using public will likely learn the extent to which employees were granted access to verified accounts, how many were compromised by outsiders, and what protections were and were not in place to stop rogue individuals from committing such acts.
"Twitter needs to ask itself a series of questions," said Matt Radolec, director of security architecture and incident response at Varonis. "What are our most important applications? Who has back-end access to them? How is that back-end access governed/monitored? Are there any internal audit checks in place to make sure administrators are only utilizing their access for legitimate purposes? Is a log of access kept and reviewed? Are personnel monitoring/checking these logs?"
Dhananjay "DJ" Sampath, co-founder and CEO at Armorblox, concurred that a key issue at play is a "lack of appropriate controls around the admin view or... 'god mode' operations. If an internal team member can access the admin console and tweet as anyone, it needs to be guarded like nuclear launch codes."
"Twitter’s employees having access to this admin console and not having security controls that prevent this, is a broader conversation of security culture within the org," Sampath continued. "If this were to happen to our emails instead of our Twitter accounts, it could be very dangerous."
Marc Rogers, executive director, cybersecurity at Okta, said that while "god tools" are "often necessary to properly support customers, they should be treated as extremely sensitive with both access and authorization to them strictly controlled."
Or better yet, said Sampath: "Don’t build god mode or admin consoles" with such powerful capabilities in the first place. "It’s easy to do this when you are a small company catering to a few, but when the platform gains importance the way Twitter has, it becomes necessary to go back and burn those capabilities to the ground," he said.
Todt said Twitter will need to conduct an internal assessment to understand what security gaps allowed this incident to transpire, and then implement the proper controls and tools to plug them.
"I would expect large tech companies to have systems in place that make these kinds of attacks difficult -- from continual access and authorization validation mechanisms such as found in so-called zero-trust architectures, to filters, logging, and audit mechanisms that generate alerts on abuse," said Rogers. "Finally, I would expect them to compartmentalize access to sensitive tools or infrastructure, and train employees to recognize these sorts of attacks and what to do when they see them."
Another particularly crucial step will be more tightly monitoring workers with privileged access to back-end systems.
"Those people should be vetted and should be looked at on a regular basis, particularly when they have the access to these types of user accounts," said Todt, who suggested a quarterly risk assessment of these employees to look for behavioral red flags that suggest a worker may be disgruntled or getting paid off.
Additionally, she said Twitter must consider "limiting the number of people that have that access" to key systems and then introducing "the strongest access management, identity and authentication infrastructure you possibly can have, and making sure that's current and up to date..."
"The Twitter incident highlights how critical it is for organizations to place employees with privileged or high-impact access under intense scrutiny," agreed Radolec. "This was the first opportunity to identify the attack. It’s possible that Twitter did not have monitoring in place on these users, and would have caused them to miss vital clues that could have tipped them off to an attack. Maybe the user wasn’t connecting in from their typical place, performing typical actions, or utilizing internal resources as they would normally. Did Twitter know these users would be targets? Probably not, but they should have assessed risk to these critical systems long before the attack unfolded."
This leads to another question, said Radolec. "Should any one person be able to carry out all these actions on their own?"
With that in mind, Radolec suggested companies separate responsibilities and duties so that certain actions -- like resetting an account, for instance -- require more than one person to approve. (Think of the two-man rule submarine crews use before launching a missile.) That way, there is no single point of failure.
Radolec also recommended a zero-trust or trust-but-verify system on all admin-level activity, and implementing AI-based behavior monitoring systems.
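The two-person approval Radolec describes can be enforced in the admin tool itself rather than left to policy. The sketch below is an added illustration, not Twitter's code or any vendor's product; the class, action names and admin names are hypothetical. It shows a gate in which a sensitive action such as an account email change cannot run until a second, different administrator approves it, with every attempt written to an audit log.

```python
# Added illustration: two-person approval for sensitive admin actions.
# All names here (ApprovalGate, SENSITIVE_ACTIONS, ...) are hypothetical.
from dataclasses import dataclass, field

SENSITIVE_ACTIONS = {"change_account_email", "reset_account"}  # assumed policy


@dataclass
class Request:
    action: str
    target: str
    requester: str
    approvers: set = field(default_factory=set)
    executed: bool = False


class ApprovalGate:
    def __init__(self, admins, required_approvals=1):
        self.admins = set(admins)
        self.required = required_approvals
        self.audit_log = []  # append-only record for later review

    def _log(self, actor, event, req):
        self.audit_log.append((actor, event, req.action, req.target))

    def submit(self, requester, action, target):
        if requester not in self.admins:
            raise PermissionError("requester is not an authorized admin")
        req = Request(action, target, requester)
        self._log(requester, "submitted", req)
        return req

    def approve(self, approver, req):
        # The requester can never approve their own request.
        if approver not in self.admins or approver == req.requester:
            self._log(approver, "approval_rejected", req)
            return False
        req.approvers.add(approver)
        self._log(approver, "approved", req)
        return True

    def execute(self, actor, req):
        needed = self.required if req.action in SENSITIVE_ACTIONS else 0
        if req.executed or actor != req.requester or len(req.approvers) < needed:
            self._log(actor, "execution_denied", req)
            return False
        req.executed = True
        self._log(actor, "executed", req)
        return True
```

Denied and rejected attempts are logged alongside successful ones, so a reviewer can see when a single account repeatedly tries to act alone.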
If the Twitter employees weren't deliberately malicious, but simply fell prey to a more standard phishing attack that tricked them into giving up their credentials, then more proactive employee training could have helped, said Logan Kipp, director of sales engineering at SiteLock. "Employees are often the first line of defense and if they don’t know how to spot common attack methods like spear phishing, smishing and whaling, hackers will be quick to take advantage," he said.
"These companies have to have human behavior so figured out and so rigid about [conducting] the training and the education around it," Todt asserted.
A more serious threat than meets the eye?
While on the surface the Twitter hack appears to have been an advance fee scam, there could be more to it. Reports speculate that the attackers also could have stolen Twitter account-holders' private messages, which could potentially be used for extortion or cyber espionage. And the fact that one of the verified accounts belongs to presidential candidate Joe Biden stirs up bad memories of Russian threat actors hacking Hillary Clinton's campaign and the Democratic National Committee in 2016.
"We can't rule out the possibility of this being a nation-state group who is using the cryptocurrency scam posts as a deception or distraction from something deeper," said Tarik Saleh, senior security engineer and malware researcher at DomainTools. "It is extremely unlikely that these hijacked Twitter accounts were only used, in a small window of time, to just spread a cryptocurrency scam."
"We can, and should, expect this attack group to take full advantage of their admin-level access to Twitter's platform and assume that these impacted accounts also had their private direct messages stolen," Saleh continued. "Private message data can potentially have a huge impact on extorting those individuals or contain other highly personal or sensitive secrets."
One prominent Twitter user who was conspicuously not victimized in the attack was President Donald Trump. But considering his propensity for tweeting, some experts warn that an account takeover affecting the president, or other authority figures for that matter, could even constitute a national security threat.
For instance, "Instead of using these accounts to push an obvious scam message, these accounts could have pushed messages to cause massive economic and social damages especially with Covid-19 global pandemic," said Saleh.
In an open letter, Sen. Josh Hawley, R-Mo., urged Twitter to collaborate with federal law enforcement and "take any necessary measures to secure the site before this breach expands," and also inquired if the president's account was ever in jeopardy. Meanwhile, Senator Ron Wyden, D-Ore., in a statement reportedly criticized Twitter for not implementing end-to-end encryption to protect direct messages that may contain users' sensitive information.
Todt went as far as to label social media a "part of critical infrastructure" that communicates important information to the world. "And it is a reminder that we as a government in the United States have fallen way short in collaborating and working with the tech sector, specifically social media, on creating privacy and security standards and guidelines for their platforms."
To address these issues, Todt said it may even be time to look at Section 230 of the federal Communications Decency Act, which protects social media platforms and other providers of interactive computer services from liability related to hosting published speech that was created and posted by a third party. Todt said a revision of Section 230 "would certainly put some stronger guardrails, standards around security and privacy and responsibility of those companies to look at this."