Hello. Today I just wanted to take a few moments to share a few initial thoughts on the recent, brazen Twitter Breach
The Twitter Breach
As we all know, on July 15, 2020, hackers successfully breached security at Twitter and hacked the Twitter accounts of some of the world's most powerful and wealthiest people including Bill Gates, Jeff Bezos, Elon Musk, Barack Obama, Michael Bloomberg and others, as well as those of some of the world's top companies including Apple and Uber.
As we all know, from world leaders to business tycoons, and from government agencies to multi-billion $ corporations, literally everyone's on Twitter, tweeting their thoughts and opinions away.
Given the role that Twitter has come to play in politics, national security, business and the national and global discourse, the ramifications of such a brazen security breach, and its mere possibility, should be extremely concerning, and merit the highest scrutiny.
What Likely Happened
As brazen and alarming as it is, from a technical standpoint, it appears to have been rather unsophisticated.
Shortly after the breach, Twitter issued the following statement -
"We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools."
Simply stated, here's what likely happened - in all likelihood, an internal corporate account of a Twitter employee who likely had some form of "privileged access" to an internal "admin tool" that could be used to manage Twitter accounts, was either compromised by using social engineering, or this individual was complicit in the hack, and essentially that one account was used to then take over a specific set of notable Twitter accounts and send a Tweet out.
For non-tech savvy folks, online writeups such as this one on Forbes or this one on TechCrunch may sound "wow", but for tech-savvy folks, this was simply a matter of someone gaining unauthorized access to an account that sufficient "privileged access" to an internal tool, and then exploiting that unauthorized access to accomplish a malicious objective.
In short, unlike most breaches, in the Twitter hack, hackers may not even have had a need to even try to compromise all-powerful privileged users who have unrestricted privileged access aka Active Directory privileged user accounts.
In the Twitter hack, all it seems to have taken is compromising a single account that just enough "privileged access" to be able to use an internal "admin tool" to manage Twitter accounts.
Pretty straight-forward and unsophisticated.
An Amateur Job
Perhaps the most amusing / confounding part of the Twitter breach seems to be that, on one hand the perpetrators had clearly demonstrated sufficient capability so as to be able to take over numerous high-profile Twitter accounts, on the other hand their intentions were simply to pull off a banal scam.
That likely indicates that whoever carried out this breach was not too savvy at all. For them to have believed that their little shenanigan wouldn't get almost immediately noticed and put to an end within minutes, only proves this further.
After all, if financial gain were their motive, one could easily have likely made millions, if not billions, just by tweeting one infactual statement from any one of these compromised accounts.
For instance, a simple "Tesla's stock is too high (again ;-))" tweet purportedly from Elon Musk's Twitter account would have caused someone who would have shorted Tesla stock (TSLA) to likely make millions within minutes.
Similarly, a simple tweet purportedly from Bill Gates' Twitter account saying "I've decided to sell all my Microsoft stock as I'm not happy with the new (substantially) privacy-invasive Microsoft" would've likely caused a sell-off in MSFT shares.
Likewise, a simple tweet purportedly from former President Barack Obama's account saying "I'll be voting for Trump because he's doing a great job at handling COVID-19. #MAGA" would have caused all kinds of mayhem in the world. ;-)
On a lighter note, a tweet purportedly from the wealthiest person on the planet, Jeff Bezos saying "During this crisis, I'm donating a million $ to help people in need" would've caused millions of struggling people to enjoy a light-hearted laugh :-)
You get the drift - the amount of financial and political damage that could have been inflicted was massive.
But none of that happened.
Instead these hackers at best attempted a banal scam that would only have worked on the most gullible of people on Twitter, demonstrating that their scam prowess is no match for their technical prowess, which in turn is no match for the prowess of real, professional hackers.
In short, this seemed like a pretty amateur job, which too is actually frightening because if amateurs could pull off such a breach, just imagine what professionals could pull off vis-à-vis being able to hijack Twitter accounts.
Was a Privileged Account Compromised?
According to an article on Forbes, titled Dissecting The Twitter Hack With A Cybersecurity Evangelist, when the article's author asked a (supposed) industry expert "what did you believe would cause such a massive hack," that expert's answer was "most likely a credential-based attack, because 80% of today's data breaches go back to privilege access use."
The expert continued "When performing reconnaissance, hackers commonly try to identify regular IT schedules, security measures, network traffic flows and scan the entire IT environment to gain an accurate picture of the network resources, privileged accounts and services. Domain controllers, Active Directory and servers are prime reconnaissance targets to hunt for additional privileged credentials and privileged access."
These days everyone seems to be an "expert" and whilst that statement is generally true, in Twitter's case, I don't think the hackers had to work that hard at all to pull off this brazen breach, which lays bare society's increasing ridiculous and frail dependence on Social Media.
While on the subject of breaches and the role of privileged access in most of them, here's something to think about -
- Fact - Almost all major recent cyber security breaches including JP Morgan, Sony Hack, Target, Snowden, the OPM Breach, Anthem, Avast, the United Nations breach etc. involved the compromise and misuse of a single Active Directory privileged user account.
- Reason - Active Directory privileged user accounts are the crown jewels that hold the proverbial "Keys to the Kingdom," and have unrestricted access to just about everything, thus being most targeted and most prized.
- Situation - Today, at most organizations worldwide, likely no one in IT or in security has a clue as to exactly who has what privileged access in their Active Directory. We know this because over the last decade, thousands of organizations have requested our assistance (unsolicited) in making this paramount determination.
Twitter did later confirm that indeed, "The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections. As of now, we know that they accessed tools only available to our internal support teams to target 130 Twitter accounts."
A What if Scenario
Consider this. In all likelihood, like the rest of the world, even Twitter likely operates on Active Directory, which means that the entirety of their employee accounts are likely Active Directory accounts, each one having access to various aspects of Twitter's IT systems, so at least some of them obviously possess the ability to control the entirety of Twitter's over three hundred million accounts.
In a more sophisticated attack, such as the one that "expert" was alluding to, proficient hackers could gain privileged access in Active Directory, then perform simple reconnaissance to determine which Twitter employee's Active Directory account had sufficient access to control millions of accounts, and then they could have simply reset that Twitter's account's password to have an automated script run that could instantly and automatically grant full-control over the entirety of all three hundred million Twitter accounts to the hackers.
From that point on, the smartest hackers would basically just plant a backdoor designed to give them access to whatever account they wanted to, whenever they wanted it, and could use that access over time for substantial personal, financial, political or other gain.
This begs us a simple question - does Twitter know exactly how many Active Directory domain user accounts possess what level of privileged access in its foundational Active Directory?
A Wake-Up Call
The Twitter hack should be a massive wake-up call for all organizations worldwide, and here's why -
Like Twitter, 85% of organizations worldwide, including just about every organization you can think, including all Social Media, IT and tech companies, the entire Fortune 1000, and the entire U.S. government, all operate on Active Directory.
Consider this - if the mere compromise of a single internal account that merely had just enough "privileged access" to be able to manage an internal asset i.e. an admin tool that can be used to manage Twitter accounts, just think about how much damage the compromise if an internal account that possesses unrestricted privileged access in Active Directory could do.
I'll make it simple for you - the compromise of a single Active Directory privileged user account could instantly result in a massive, cyber security breach of gargantuan proportions, because the entirety of the organization's IT assets could be exposed to the risk of compromise.
There's an old saying - "the wise learn from others mistakes," and in that regard, wise organizations should consider this a wake-up call and very seriously consider accurately identifying, minimizing and then adequately protecting each and every one of their Active Directory privileged user accounts.
Conclusion
The Twitter breach may possibly be the simplest and clearest example yet of just how much damage could be caused, and how quickly so, were a single insider account with even limited privileged access, to be compromised by hackers.
As we saw, hackers were able to take over and tweet on behalf of some of the world's most powerful business and political individuals and organizations, merely by taking over one or more insider accounts that had minimal privileged access to an "admin tool."
Fortunately for the world, whoever carried out this attack seemed to be amateur, and as a result, their motivations seem to have been purely financial, and puny at that. Perhaps they deserve the 2020 Darwin awards for Stupidity.
The fact that someone was able to take over Twitter accounts though was rightly highly concerning and alarming, and by now the FBI is also investigating the breach ; in weeks to come, exact details of just how it all happened should emerge.
We can all learn from the Twitter breach - to reiterate, it showed us just how much damage can be done by someone who could compromise even one insider account with privileged access to likely merely one asset, and just how quickly so.
In light of it, consider then, just how much damage could be done by someone who were able to compromise an account that had privileged access to just about everything i.e. what they call an Active Directory privileged user account
After all, if you don't even know who has the "Keys to your Kingdom," how can you possibly protect your Kingdom?
Best wishes,
Sanjay.
CEO,
Paramount Defenses
PS: I find it amusing that while the Gartners, Forresters, Microsofts, CyberArks, BeyondTrusts, Centrifys etc. of the world tell the world's CISOs that "Privileged Access Management" (PAM) is very important, they all seem to conveniently forget to tell them that accurate "privileged account discovery" is actually the very first step in an organization's PAM journey ;-)
PS2: I've been trying to get a simple, message across to President Trump - this Tweet.
Perhaps someone could get it to over to him. Many thanks. Maybe I'll just give him a call.
No comments:
Post a Comment