Activists, possibly supporting Turkey in its on-going diplomatic kerfuffle with The Netherlands, may have been behind the hack of a third-party Twitter service where login credentials were stolen, enabling the malicious actors to post anti-Dutch tweets associating the nation with the Nazis on hundreds of high-profile Twitter accounts.
Entry to the Twitter accounts was obtained when someone illegally gained access to the account permissions that were stored with Twitter Counter, an app that tracks Twitter stats for over 180 million users, Tripwire said. Some of the accounts involved were Forbes, Graham Cluley, Amnesty International and Justin Bieber. Twitter Counter stores the login permissions granted by its users, and the hackers used these to take over the Twitter accounts, bypassing Twitter's Login Verification feature on each account, Tripwire said.
The Nazi references were likely in response to Turkish President Recep Tayyip Erdoğan calling the Dutch Nazis after Holland prevented the Turkish foreign minister from entering the country to participate in a rally with Turkish expats living in Holland. The tweets were all posted in Turkish on the hacked accounts, contained swastikas and called Dutch government officials Nazis.
This morning, an unauthorized party gained access to the Forbes account. We have regained control + deleted the posts. — Forbes (@Forbes) March 15, 2017
“Given the political nature of the tweets, it's not unreasonable to assume this was a state sponsored hack. The message delivered through this hack has received global attention that would likely not have been possible through any other method,” said Michael Patterson, CEO of Plixer International.
Gavin Millard, EMEA technical director at Tenable Network Security, noted that while annoying and disruptive, the attack pales in comparison to other types of cyberattacks.
"This is the 'hacker' equivalent of writing graffiti on the bathroom wall, sometimes shocking and certainly worth a read when you've got nothing better to do, but it's not even in the same league as DDoS, much less a sophisticated cyber attack," he said.
Twitter Counter's website was “Temporarily down for Maintenance” as of noon Wednesday. SC Media was unable to contact the company to obtain additional comment on the incident.
“Anyone who's been affected by the hack, of which Twitter Counter is aware, should delete the offending tweets and consider revoking access to the third-party app. Just to be safe, they should also enable Login Verification and make sure their Twitter accounts are protected with a strong password,” Tripwire recommended.
The fact that entry was made through a third-party vendor came as no surprise to most cybersecurity executives, all of whom noted that it's usually easier for a hacker to enter through a less secure partner than through the target itself.
“It's not surprising that this happened. This is going to become the norm,” said RJ Gazarek, product manager at Thycotic. “Essentially, these third party accounts can be given nearly unrestricted access to your account, allowing them to post on your behalf. Any of these can serve as backdoors into Twitter accounts, and I would be looking to Twitter to strengthen the transparency and protection of this access.”
However, vendors are not the only ones to blame. Individuals who use a social media platform have to understand and implement proper security measures, and also realize that when they give their login credentials to a third-party vendor they are broadening their attack surface.
“Once again a 3rd party is used as an attack vector against a more robust (arguably, I know) system. In this situation, the root cause is deeper. We don't enable two-factor authentication as standard. We tend to recycle passwords. We don't pay attention to WHO and WHERE our data is. These are all major problems. Users need to enable two-factor authentication. They need to ensure password or passphrase complexity and uniqueness is in place and be careful who has access,” said Chris Roberts, chief security architect at Acalvio.