Posted on

Widespread Twitter attack – here’s how it played out.

Caution Twitter Hack and Crash

This is bad. Really bad.

It was pretty clear from the start that the hack against Twitter was more than a simple security breach of a handful of user accounts. The smash and grab was a widespread Twitter attack that struck celebrities, politicians, and billionaires including Bill Gates, Elon Musk, Jeff Bezos, Warren Buffett, Joe Biden, Barack Obama, Kayne West, Kim Kardashian West, Wiz Khalifa, YouTuber MrBeast, Mike Bloomberg, Binance and companies like Apple, Wendy’s, Uber, SashApp, Coinbase, and Ripple Cryptocurrencies. It began around 4:00 PM EDT when the compromised accounts began begging for bitcoin.

Widespread Twitter attack - here's how it played out

And yes, tweeters feel for it. Mr. Biden recieved well over $100,000 in bitcoin within hours.

It appeared as if the first accounts were minor celebrities or users that may not quickly catch on to the attack. Later, more prominent celebrities (“blue checked” accounts) were brought into the fold.

Widespread Twitter attack - here's how it played out

The media quickly places the blame on Twitter – and they were right

The media was quick to blame Twitter for lax security policies, and they did appear to be the most likely culprit, but third party social network schedulers could have also been blamed. A compromised Twitter admin account could be the culprit but because the attack easily bypassed 2FA, it was unclear how that could happen. Possibly the hackers penetrated much deeper into Twitter’s systems, i.e. the API level. Later, according to Twitter, the “official” explanation was revealed to be a targeted admin tool.

“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,

We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools. We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf.”

Twitter

Lots of money quickly lost

And here’s where all the money went. Nearly 400 transactions quickly hit the Bitcoin account.

twitter hacker bitcoin account

And yes, this money is forever lost. Much of the Bitcoin was quickly transferred to other wallets.

Twitter toolset for sale

Shortly after the attacks, hackers on underground forums claim they paid a Twitter employee for access to an toolset that allowed them to change the email addresses of Twitter accounts. Screenshots of the tool appeared on Dark Web forums.

Twitter Admin tool used to hack/hijack prominent accounts
Twitter Admin tool used to hack/hijack prominent accounts

Twitter quickly removed any screenshots of the tool and suspended Twitter accounts that tweeted or re-tweeted it.

The Dark Web blames a Twitter employee

Dark Web forums also began placing blame on an ex-Twitter developer, suggesting the actions were due to a fallout with top leadership earlier this year.

But how could an admin tool bypass 2FA?

How an admin account could be used to compromise a Twitter account without triggering 2FA was still a question though. Later, we found the Twitter admin tool does *not* send a 2FA notification to the old email when an email is updated. Stupidly, it sends the notification to the *new* email address. Viola. Now we have it. Hackers used the admin tool to change the account’s email address, then used the 2FA email they received at the new email address to complete the process. But wait – later we found the Twitter admin tool can be used to revoke 2FA completely. They now own the account. Pretty dumb move on Twitter’s part.

This was confirmed when it was discovered that earlier on Wednesday, a hacker in an underground SIM swapping communities was selling hacks that provided the changing of any Twitter account’s email address. A user named “Chaewon” said in a thread titled “Pulling email for any Twitter/Taking Requests”, that they could change the email address tied to any Twitter account for just $250. For $3,000, they could provide direct access to the Twitter account.

https krebsonsecurity.com wp content uploads 2020 07 chaewon

The hack began earlier than originally thought

Compromised celebrity accounts were noticed quickly even though in some cases (e.g. Elon Musk), they remained compromised for hours before being shut down. However, it was later discovered that an OG account, @6, had been compromised a few hours earlier. Around the same time, @B was also hacked. The hacker began tweeting pictures of the Twitter internal admin tool.

Shortly after @6 was swiped, another Twitter account, @shinji (yes, this is the second account involved with a “eastern” looking name), began tweeting screenshots of Twitter’s internal tools, alone with a mysterious message: “follow @6”.

2020 07 17 8 33 18

It was rumored that @shinji was 21-year-old Joseph James Connor, a man from Liverpool, UK who was currently attending school in Spain. He goes by the handle @PlugWalkJoe and is believed to be responsible for last year’s Jack Dorsey attack. Turns out they got the location right but the hacker wrong.

A few days later, Twitter posted this update.

As we’ve been informing via the @TwitterSupport account, on Wednesday, July 15, 2020, we detected a security incident at Twitter and took immediate action. As we head into the weekend, we want to provide an overview of where we are.

In this post we summarize the situation as of July 17 at 8:35p Pacific Time. The following information is what we know as of today and may change as our investigation and outside investigations continue. Additionally, as the investigation of this incident is unfolding, there are some details — particularly around remediation — that we are not providing right now to protect the security of the effort. We will provide more details, where possible in the future, so that the community and our peers may learn and benefit from what happened.

What happened

At this time, we believe attackers targeted certain Twitter employees through a social engineering scheme. What does this mean? In this context, social engineering is the intentional manipulation of people into performing certain actions and divulging confidential information.

The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections. As of now, we know that they accessed tools only available to our internal support teams to target 130 Twitter accounts. For 45 of those accounts, the attackers were able to initiate a password reset, login to the account, and send Tweets. We are continuing our forensic review of all of the accounts to confirm all actions that may have been taken. In addition, we believe they may have attempted to sell some of the usernames.

For up to eight of the Twitter accounts involved, the attackers took the additional step of downloading the account’s information through our “Your Twitter Data” tool. This is a tool that is meant to provide an account owner with a summary of their Twitter account details and activity. We are reaching out directly to any account owner where we know this to be true. None of the eight were verified accounts.

Our actions

We became aware of the attackers’ action on Wednesday, and moved quickly to lock down and regain control of the compromised accounts. Our incident response team secured and revoked access to internal systems to prevent the attackers from further accessing our systems or the individual accounts. As mentioned above, we are deliberately limiting the detail we share on our remediation steps at this time to protect their effectiveness and will provide more technical details, where possible, in the future.

In addition to our efforts behind the scenes, shortly after we became aware of the ongoing situation, we took preemptive measures to restrict functionality for many accounts on Twitter – this included things like preventing them from Tweeting or changing passwords. We did this to prevent the attackers from further spreading their scam as well as to prevent them from being able to take control of any additional accounts while we were investigating. We also locked accounts where a password had been recently changed out of an abundance of caution. Late on Wednesday, we were able to return Tweeting functionality to many accounts, and as of today, have restored most of the accounts that were locked pending password changes for their owners.

We are continuing our investigation of this incident, working with law enforcement, and determining longer-term actions we should take to improve the security of our systems. We have multiple teams working around the clock focused on this and on keeping the people who use Twitter safe and informed.

What the attackers accessed

The most important question for people who use Twitter is likely — did the attackers see any of my private information? For the vast majority of people, we believe the answer is, no. For the 130 accounts that were targeted, here is what we know as of today.

Attackers were not able to view previous account passwords, as those are not stored in plain text or available through the tools used in the attack.
Attackers were able to view personal information including email addresses and phone numbers, which are displayed to some users of our internal support tools.
In cases where an account was taken over by the attacker, they may have been able to view additional information. Our forensic investigation of these activities is still ongoing.
We believe that for up to 36 of the 130 targeted accounts, the attackers accessed the DM inbox, including 1 elected official in the Netherlands. To date, we have no indication that any other former or current elected official had their DMs accessed. [Added on July 22, 2020]
We are actively working on communicating directly with the account-holders that were impacted.

Our next steps

As we head into the weekend and next week, we are focused on these core objectives:

Restoring access for all account owners who may still be locked out as a result of our remediation efforts.
Continuing our investigation of the incident and our cooperation with law enforcement.
Further securing our systems to prevent future attacks.
Rolling out additional company-wide training to guard against social engineering tactics to supplement the training employees receive during onboarding and ongoing phishing exercises throughout the year.
Through all of this, we also begin the long work of rebuilding trust with the people who use and depend on Twitter.

We’re acutely aware of our responsibilities to the people who use our service and to society more generally. We’re embarrassed, we’re disappointed, and more than anything, we’re sorry. We know that we must work to regain your trust, and we will support all efforts to bring the perpetrators to justice. We hope that our openness and transparency throughout this process, and the steps and work we will take to safeguard against other attacks in the future, will be the start of making this right.

Twitter, July 18, 2020

A few weeks later, Twitter explained what really happened. A handful of employees were targeted in a spear phishing attack. So yeah, Twitter employees had a hand in the attack – but unknowingly. A tweet went out from Twitter with a synopsis of the attack.

“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems.

By obtaining employee credentials, they were able to target specific employees who had access to our account support tools. They then targeted 130 Twitter accounts – Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7.”

Twitter tweet

Then on July 30, 2020, Twitter released this:

As our investigation continues, we’re sharing an update to answer some of the remaining questions based on what we’ve discovered to date. We will provide a more detailed technical report on what occurred at a later date given the ongoing law enforcement investigation and after we’ve completed work to further safeguard our service.

What we know now

The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools. Using the credentials of employees with access to these tools, the attackers targeted 130 Twitter accounts, ultimately Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7.

There has been concern following this incident around our tools and levels of employee access. To run our business, we have teams around the world that help with account support. Our teams use proprietary tools to help with a variety of support issues as well as to review content in line with The Twitter Rules and respond to reports. Access to these tools is strictly limited and is only granted for valid business reasons. We have zero tolerance for misuse of credentials or tools, actively monitor for misuse, regularly audit permissions, and take immediate action if anyone accesses account information without a valid business reason. While these tools, controls, and processes are constantly being updated and improved, we are taking a hard look at how we can make them even more sophisticated.

This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems. This was a striking reminder of how important each person on our team is in protecting our service. We take that responsibility seriously and everyone at Twitter is committed to keeping your information safe.

We’ve communicated directly with the impacted account owners and worked to restore access to any accounts who may have been temporarily locked out during our remediation efforts. Our investigation is ongoing, and we are working with the appropriate authorities to ensure that the people responsible for this attack are identified.

What we’re doing to protect our service

Since the attack, we’ve significantly limited access to our internal tools and systems to ensure ongoing account security while we complete our investigation. As a result, some features (namely, accessing the Your Twitter Data download feature) and processes have been impacted. We will be slower to respond to account support needs, reported Tweets, and applications to our developer platform. We’re sorry for any delays this causes, but we believe it’s a necessary precaution as we make durable changes to our processes and tooling as a result of this incident. We will gradually resume our normal response times when we’re confident it’s safe to do so. Thank you for your patience as we work through this.

We’re always investing in increased security protocols, techniques and mechanisms – it’s how we work to stay ahead of threats as they evolve. Going forward, we’re accelerating several of our pre-existing security workstreams and improvements to our tools. We are also improving our methods for detecting and preventing inappropriate access to our internal systems and prioritizing security work across many of our teams. We will continue to organize ongoing company-wide phishing exercises throughout the year.

We will continue to share updates and precautionary steps we take so that others can learn from this, too. We recognize the trust you place in us, and are committing to earning it by continued open, honest and timely updates anytime an incident like this happens.

Twitter, July 30, 2020

A day later, multiple arrests were made in the case.