Only hackers burning 0-days like it was a clearance sale
Imagine getting the keys to the Twitter realm: access to every account management panel in the world. What would you do? You could take over high-value accounts and sell them on the black market. You could extract unimaginably valuable blackmail material from DMs. Or maybe you would wait for an event like the next US election to launch an evil plan of some kind.
But if you are any kind of experienced attacker, you wouldn’t blow that access by tweeting a bitcoin scam from the world’s largest accounts. Sure, some have postulated that the cryptocurrency spam tweets were a distraction from something bigger going on in the background. Maybe the attackers had already done their sneaky business and were ready to do what’s called “burning your 0-day”: using the access so loudly that it is guaranteed to be discovered and shut down.
And boy, did they burn that perfectly good, hot, shiny 0-day fast.
We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal tools and systems.
– Twitter Support (@TwitterSupport) July 16, 2020
Twitter’s troubling response five hours later was to do something few knew the company had the power to do: lock all verified accounts around the world. Unfortunately, this is like discovering there’s a thief in your house because they started playing music in your living room, and responding by turning off all the lights.
Except freezing the “blue checks” is actually worse, because many essential emergency services around the world use Twitter as a critical communication channel. The National Weather Service, for example, was suddenly unable to tweet weather warnings.
The account freeze looked like a decision made in panic. Twitter seemed to have no idea what was happening or how to stop it. And wow, do we have questions about the who, what, why and future implications of all this.
Blue checks trying to communicate through retweets pic.twitter.com/FIbBmWH4j8
– Andrew Roth (@RothTheReporter) July 15, 2020
In a tweet thread posted during and after the attack, Twitter wrote: “We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal tools and systems.”
Freezing the verified accounts also affected those users’ ability to reset their passwords.
We know that they used this access to take control of many highly visible accounts (including verified ones) and tweet on their behalf. We are investigating what other malicious activity they may have performed or information they have accessed and will share more here when we have it.
– Twitter Support (@TwitterSupport) July 16, 2020
Twitter bookended the thread with a warning that its investigation is “ongoing.”
Don’t worry, the rich celebrities will be fine
Compromised accounts included Jeff Bezos, Bill Gates, Elon Musk, Barack Obama, Apple, Kanye West, Joe Biden, Uber, Mike Bloomberg, Floyd Mayweather, Wiz Khalifa and others. Twitter updated its ongoing incident support thread on Thursday night to indicate that 130 accounts were affected by the attack.
Based on what we now know, we believe that approximately 130 accounts were attacked by the attackers in some way as part of the incident. For a small subset of these accounts, attackers were able to gain control of the accounts and then send Tweets from those accounts.
– Twitter Support (@TwitterSupport) July 17, 2020
The problem is that the tweets looked normal to anyone following Kanye or Elon Musk, who basically tweet John McAfee-style craziness on a regular basis, and a significant number of people fell for the scam. As we reported yesterday, the haul came to around $118,000, and “As of writing, all but $114 of that $118,000 has been transferred to other wallets.”
That’s a negligible amount of money, especially when, according to Glassdoor, the low end of what engineers at Twitter earn is $131,403 a year. This was an intrusion with enormous impact, extreme potential reach and the capacity for a huge amount of damage.
You would assume the attackers wanted more than what it takes to eat and sleep in the poorer parts of San Francisco. But once again, despite the attack starting with a slightly different bitcoin scam, the perpetrators went public immediately, guaranteeing that they would be discovered and shut down right away.
Of course, a very strong possibility is that the attackers were really bad at crime.
Many observers immediately assumed that these high-profile accounts must have had lax security standards or not had two-factor authentication enabled. However, Reuters reported that “Several users with two-factor authentication, a security procedure that helps prevent intrusion attempts, said they had no power to stop it.”
Motherboard obtained anonymous comments from sources at Twitter who said the account takeovers were carried out through access to an internal account management tool; Vice posted screenshots of the tool (while anyone on Twitter who posted the same screenshots was put in Twitter jail very quickly).
If Twitter was trying to stop the spread of those images, well, this is the Internet. They spread quickly to news sites and forums. The prohibited screenshots of the hack revealed the presence of “blacklist” buttons on individual account pages. Many now want to know: is that the evidence of shadowbanning and blacklists that we are seeing?
Twitter users working in and around human sexuality have argued for years that they are being “shadowbanned” by Twitter, the practice of silencing accounts by hiding them in various ways. Only recently have far-right conspiracy theorists co-opted the concept of shadowbanning to “play the [censorship] refs” in their favor. Twitter will now face direct questions that it has struggled to avoid facing head-on.
When contacted for comment on the “blacklist” buttons seen on account pages in Twitter’s compromised management tool, the company’s spokesperson did not directly address the question. Instead, they said via email: “Since July 2018, we’ve made it clear that we don’t shadowban.”
The Twitter representative also included a summary of Twitter’s policies on inclusion and exclusion of Trends content and news content, its policy for excluding hashtags from Trends, and its search rules and restrictions.
A different source told Motherboard that the allegedly involved Twitter employee was paid for his participation in the low-rent bitcoin scheme. “A Twitter spokesperson told Motherboard that the company is still investigating whether the employee hijacked the accounts or gave hackers access to the tool,” Vice wrote.
It turns out that having an unregulated cartoon crime coin and a policy carried out by the planetary internet chat room had some easily foreseeable drawbacks
– Pinboard (@Pinboard) July 16, 2020
Since the tool allowed account management, this confirmed early speculation that the attackers not only had the ability to change account emails and reset passwords, but also had access to the targeted users’ direct messages (DMs). That’s a significant problem, considering that many people, including celebrities and politicians, don’t understand that Twitter DMs aren’t protected with end-to-end encryption and aren’t particularly secure: anyone with access to an internal tool like this one can read them.
Senator Ed Markey (D-MA) addressed exactly that in a statement saying Twitter must fully disclose what happened and what it is doing to ensure that this never happens again. That was in addition to Senator Josh Hawley (R-MO) firing off an angry letter to Jack Dorsey, and Senator Ron Wyden (D-OR) issuing a similar statement, adding, “This is a vulnerability that has lasted too long.”
Which is an interesting point: if the “vulnerability” in question was a paid-off employee, the vulnerability was human. That means the attack was not so much technical as a rather capital feat of social engineering. This was most likely a quid pro quo social engineering attack, where something is offered to the human target in exchange for the access, information or credentials the attacker wants.
It is also plausible that the attacker used pretexting, where they pretend to be a person with a legitimate need for access, relying on the trust and credulity of the victim. (“No, I swear, I really need to get into that server closet.”) Another possibility would be baiting, or a bait and switch, where the attacker tricks an employee into inserting a malicious USB device or opening a malicious file on a computer to compromise it.
While this is certainly a big black eye for Twitter, what could be more interesting to explore is what the attack tells us about who did this and why. It’s something we’ll probably find out, based on my colleague’s excellent point that Bitcoin isn’t really anonymous, and hiding the trail of the loot’s conversion isn’t trivial. Certainly not for hackers who decided to turn what could have been the heist of the century into a clumsy bitcoin hit, and didn’t even ban a single Nazi in the process.