The recent hack of Twitter demonstrates how the hacking community targets high-profile users on high-profile networks, not only for fraud but also for attacks on their privacy and for “piggybacking” off their identity and celebrity. While the identity of the hackers is still under active investigation, there are a few things we know (and more that we suspect) about how and why the hack occurred.
And part of the problem is COVID-19.
Hackers typically use multiple tools and techniques to obtain unauthorized access to user accounts. Depending on their knowledge and sophistication, this can include malware, reconnaissance, or just plain old social engineering. The most successful attacks, however, rely on a combination of all of these. That appears to be what occurred in the attack on Twitter, and it is what has been occurring in a prolific campaign against a number of other companies since that hack.
What the hackers are after, and what they are often successful in obtaining, are administrative credentials to the corporate infrastructure that allow them to take over the accounts of high-value users. With access to these administrative tools, the hackers were able not only to see personal information on user accounts, but effectively to take the accounts over and either clear out funds or piggyback on the celebrity of high-profile users to perpetrate some rather mundane fraud schemes. As these employee-takeover schemes mature, such high-profile account takeovers could theoretically lead to things like stock manipulation, election fraud, or, in a pinch, World War 3.
How did they do it?
The critical component of obtaining access to these accounts is the same whether the target is a Twitter user or a telephone customer: attackers use a mix of publicly available data (such as public social media profiles), leaked private data (such as Social Security numbers), and simple social engineering to trick an employee into either handing over access to their own account or access to the tools by which the attacker can reach the victim’s account. That appears to be what happened in the case of Twitter, it has been the case for ongoing campaigns against telcos prior to the Twitter hack, and it is the case for new companies being targeted in the same manner since.
The first step was for the attackers to do some fairly sophisticated reconnaissance on their target. Really, they had two targets. The first was employees with access to the administrative tools and credentials that control accounts. The second, and ultimate, target was the high-value users themselves.
But at the center of this social engineering attack are the employees. The attackers were specifically interested in individuals in customer service or tech support roles. They would run reconnaissance against these employees and gather as much personal information as they could, most critically information concerning their employment: home phone numbers, cell phone numbers, and the date they started. The goal was to “round trip” this information: pull it off social media sites like LinkedIn, enrich it with the tools recruiters typically use to find employees or prospective employees, and then use that data as a weapon.
The role of COVID-19
What made this scheme particularly effective was the fact that, due to COVID-19, most companies across the globe rapidly shifted many of their employees to working from home. This means not only that employees may be more likely to use personal devices, which lack the controls and access restrictions the corporate computers might have, but also that they connect through unprotected home gateways. On top of that, these remote connections may rely on hastily set-up VPN services which may not have been thoroughly audited, and where every employee needs an account with full access, immediately. Most importantly, though, employees working from home are more vulnerable to certain kinds of social engineering. In the office, employees see each other face to face, and authenticating one another isn’t a problem. Once they migrated to remote work, they came to rely far more heavily on their home phone (remember home phones?) or, more typically, their cell phone.
Recognizing the nature of remote work, the hackers used reconnaissance to learn the cell phone numbers of the employees they were targeting. This, coupled with the other personal information they had obtained, let them take advantage of the lowered situational awareness that comes with remote work and gain the confidence of the targeted employee.
The hacker would then call the employee (sometimes spoofing the caller ID to appear more legitimate) and direct them to a phishing page mimicking the targeted company’s internal VPN portal. This part is easy: domain registrars will not prevent the registration of obvious phishing domains, and defensive tools remain ill equipped to flag brand-new registrations that are obviously criminal. The target would be told to log into the “internal” corporate website, which was really run by the hacker, and would be prompted to enter their corporate user ID and password. That user ID and password would, of course, now be in the hacker’s hands.
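As an added illustration of the kind of check the paragraph says defenders lack (this is example code written for this page, not the article’s or any vendor’s tool), the following heuristic pass runs over a constructed feed of new domain registrations and flags names that look like a company’s VPN or SSO portal: brand name plus an authentication keyword, digit-for-letter swaps, and near-misspellings. The brand ExampleCorp, the keyword list, the allowlist and every feed line are made up.

```python
# Added heuristic triage of a new-domain-registration feed for lookalikes of a company's
# VPN/SSO portal. Constructed example, not the article's or any vendor's tool; the brand
# ExampleCorp, the keyword list, the allowlist and the feed lines below are all made up.
import re

AUTH_WORDS = {"vpn", "sso", "login", "portal", "remote", "helpdesk", "mfa", "okta", "citrix"}
DIGIT_SWAPS = str.maketrans("013458", "olesab")  # 0->o, 1->l, 3->e, 4->a, 5->s, 8->b


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Undo the digit-for-letter swaps phishers use ('examp1ecorp' -> 'examplecorp')."""
    return label.translate(DIGIT_SWAPS)


def flag_domain(domain: str, brands: list[str], allowlist: set[str] = frozenset()) -> list[str]:
    """Return the reasons a domain looks like a phish of one of `brands` (empty list = clean)."""
    host = domain.lower().strip(".")
    if any(host == ok or host.endswith("." + ok) for ok in allowlist):
        return []  # the company's own registrations
    tokens = [t for t in re.split(r"[-_.]", host) if t]
    reasons = []
    for brand in brands:
        b = brand.lower()
        for tok in tokens:
            if tok == b:
                continue  # the exact brand label on its own is not a lookalike
            norm = normalize(tok)
            if norm == b:
                reasons.append(f"'{tok}' is '{b}' with digit-for-letter swaps")
            elif len(tok) >= 6 and (d := levenshtein(norm, b)) <= 2:
                reasons.append(f"'{tok}' is {d} edit(s) from '{b}'")
        # brand plus an authentication word, hyphenated ('examplecorp-vpn') or glued ('examplecorpvpn')
        rest = [t for t in re.split(r"[-_.]", normalize(host).replace(b, "-")) if t]
        if b in normalize(host) and any(t in AUTH_WORDS for t in rest):
            reasons.append(f"'{b}' combined with an authentication keyword")
    return reasons


def triage(feed: str, brands: list[str], allowlist: set[str] = frozenset()) -> list[tuple[str, list[str]]]:
    """Run flag_domain over a feed of '<timestamp> <domain>' lines; return only the hits."""
    hits = []
    for line in feed.strip().splitlines():
        _, domain = line.split()
        reasons = flag_domain(domain, brands, allowlist)
        if reasons:
            hits.append((domain, reasons))
    return hits


# Constructed sample of what a newly-registered-domains feed might carry after a campaign starts.
SAMPLE_FEED = """
2020-07-16T03:12:44Z examplecorp-vpn.com
2020-07-16T03:13:01Z examplecorpvpn.com
2020-07-16T03:15:22Z exarnplecorp.com
2020-07-16T04:00:00Z bakery-recipes.org
2020-07-16T04:10:09Z examplecorp.com
2020-07-16T05:00:00Z sso-examp1ecorp.com
"""
BRANDS = ["ExampleCorp"]
ALLOWLIST = {"examplecorp.com", "examplecorp.internal"}

if __name__ == "__main__":
    for domain, reasons in triage(SAMPLE_FEED, BRANDS, ALLOWLIST):
        print(domain, "->", "; ".join(reasons))
```

Heuristics like this catch the obvious registrations (the ones the text calls “obviously criminal”) early enough to block them at the proxy or add them to a takedown queue; they do not catch a phish hosted on an unrelated domain, which is why the later section’s advice about making stolen credentials useless matters more than any domain filter.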
But wait! In order to access the VPN, the legitimate employee was required to use multi-factor authentication: typically a user ID, a password, and then a one-time PIN sent only to their cell phone. But as the victim typed their credentials into the phishing page, the hacker was simultaneously entering the same user ID and password into the real corporate VPN. The real VPN then sent the PIN to the employee’s phone, exactly as it always does. The employee did exactly what they were trained to do: they entered the PIN, on the hacker’s page. The hacker captured that PIN and entered it into their own session on the VPN, all before the time-sensitive code expired. Multi-factor authentication, defeated! This real-time relay works against any second factor the user can read off a screen and retype, whether the code arrives by SMS or comes from an authenticator app.
The scheme worked in part because employees working from home were more willing to trust calls to their cell phones that appeared to come from within their employer’s domain. The fundamental principle of social engineering is obtaining trust, and thanks to the COVID-19 pandemic these employees can’t see each other face to face, which lowers situational awareness.
I’m in. Now what?
One of the initially most puzzling things about the Twitter hackers was the pattern of users they targeted. This was no ordinary hack. The hackers simply did not target the sorts of accounts that you and I might consider to be “high value”. They had their own ideas of what constituted value.
The OG community (the scene that trades in short, “original” usernames) has used almost identical tools and techniques for many years in furtherance of SIM swapping: taking over individuals’ cell phone accounts via targeted attacks against telco employees, including bribery, corruption, and good old-fashioned trickery.
But as telephone companies have become more sophisticated in their efforts to prevent SIM swapping, the OG community has increased its own sophistication in response. In recent months, as SIM swapping has become almost impossibly difficult against certain telcos, some of these attackers have moved on to other targets. The world is simply not ready for an attacker group that has been “trained” by years of cat-and-mouse against defenders. In the days after the runaway success of the Twitter hack, the attackers learned that the world is full of soft targets, and the volume of new domain registrations for VPN phishing has exploded. Missing from this picture is any legal deterrence against participating in these fraud operations: the few actors who have been arrested have typically resumed their fraud activity as soon as they could get out on bail.
Not only has the OG community expanded the targets it goes after, attempting to cash out high-value users on various services, it also takes the personal information visible in employee tools and sells it, shares it, or uses it to perpetrate other fraud schemes. So the same tools and techniques used to carry out the Twitter hack, and the same information obtained, can then be used to facilitate attacks on other networks by a wide variety of sophisticated actor groups (including foreign adversaries, APTs, and nation states). These leaks may be extremely difficult to detect, especially when no company currently offers transparency into “employee lookups against your account”.
It’s a vicious circle.
What can you do?
COVID-19 isn’t going away anytime soon, and we won’t be returning to in-person authentication for a long time. For a service provider, the most straightforward way to prevent this kind of attack is to require something a phishing page cannot relay: a hardware security key, or a client certificate on the managed device, so that a stolen password plus a relayed one-time code is not enough to get in. To prevent future hacks, it’s important for companies to be aware of the shifting techniques used in the hacker communities. This means being involved in threat intelligence: gathering information about what threat actors are doing, sharing it back with other targeted companies, and staying up to date on what everyone else is seeing. You need to rely on individuals who watch the criminal community, who understand how it works and the variety of personalities involved.
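The relay walked through in the “But wait!” paragraph above, and the recommendation here to make stolen credentials useless, side by side in one added simulation (example code written for this page, not the article’s or any vendor’s). The TOTP code is real RFC 6238 arithmetic; the origin-bound login is a deliberately simplified model of what a hardware security key does under WebAuthn/FIDO2, using a keyed hash instead of a public-key signature, but keeping the property that matters: the device answers over the origin of the page it is actually talking to, and the portal verifies over its own origin. Hostnames, user names, passwords and keys are made up.

```python
# Added simulation of the phone-phishing MFA relay and of an origin-bound login that
# resists it. Constructed example, not code from the article or any vendor; hostnames,
# user names, passwords and keys are made up.
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over RFC 4226 HOTP: HMAC-SHA1 of the time counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", at_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class VpnPortal:
    """The real corporate VPN: a phishable password+TOTP login, and an origin-bound
    challenge login that stands in (with a keyed hash) for what WebAuthn/FIDO2 keys do."""
    ORIGIN = "https://vpn.example-corp.internal"  # assumed corporate hostname

    def __init__(self) -> None:
        self.users: dict[str, dict] = {}
        self.pending: dict[str, bytes] = {}  # user -> outstanding challenge nonce

    def enroll(self, user: str, password: str, totp_secret: bytes, device_key: bytes) -> None:
        self.users[user] = {"pw": password.encode(), "totp": totp_secret, "dev": device_key}

    def _password_ok(self, user: str, password: str) -> bool:
        rec = self.users.get(user)
        return rec is not None and hmac.compare_digest(rec["pw"], password.encode())

    def login_totp(self, user: str, password: str, code: str, at_time: int) -> bool:
        if not self._password_ok(user, password):
            return False
        # Whoever holds a fresh code gets in: the code carries no proof of WHERE it was typed.
        return hmac.compare_digest(totp(self.users[user]["totp"], at_time), code)

    def challenge(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]

    def login_bound(self, user: str, password: str, nonce: bytes, response: bytes) -> bool:
        if not self._password_ok(user, password) or self.pending.pop(user, None) != nonce:
            return False  # bad password, or nonce not outstanding (each nonce is single use)
        # Verified over the portal's OWN origin: a response the device computed for a
        # lookalike origin will not match, however faithfully the attacker relays it.
        expected = hmac.new(self.users[user]["dev"], nonce + self.ORIGIN.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class EmployeeDevice:
    """The employee's phone. It cannot tell a phish from the real portal, but it always
    answers over the origin of the page it is actually talking to."""

    def __init__(self, totp_secret: bytes, device_key: bytes) -> None:
        self.totp_secret, self.device_key = totp_secret, device_key

    def read_totp(self, at_time: int) -> str:
        return totp(self.totp_secret, at_time)

    def respond(self, nonce: bytes, page_origin: str) -> bytes:
        return hmac.new(self.device_key, nonce + page_origin.encode(), hashlib.sha256).digest()


PHISH_ORIGIN = "https://vpn-example-corp.com"  # assumed lookalike domain the attacker registered


def build_scenario() -> tuple[VpnPortal, EmployeeDevice]:
    portal, totp_secret, device_key = VpnPortal(), secrets.token_bytes(20), secrets.token_bytes(32)
    portal.enroll("jdoe", "Summer2020!", totp_secret, device_key)
    return portal, EmployeeDevice(totp_secret, device_key)


def totp_relay(at_time: int = 1_594_900_000) -> bool:
    """Victim types password and the PIN from their phone into the phish page; the
    attacker forwards both to the real portal inside the code's validity window."""
    portal, device = build_scenario()
    stolen_password, stolen_code = "Summer2020!", device.read_totp(at_time)  # captured by the phish page
    return portal.login_totp("jdoe", stolen_password, stolen_code, at_time)  # attacker's own session


def bound_relay() -> bool:
    """Same relay against the origin-bound login. The attacker opens a genuine login to get a
    real nonce and shows it on the phish page, but the device answers for the phish origin."""
    portal, device = build_scenario()
    nonce = portal.challenge("jdoe")
    relayed_response = device.respond(nonce, PHISH_ORIGIN)
    return portal.login_bound("jdoe", "Summer2020!", nonce, relayed_response)


def bound_direct() -> bool:
    """Sanity check: the same device on the genuine portal origin is accepted."""
    portal, device = build_scenario()
    nonce = portal.challenge("jdoe")
    return portal.login_bound("jdoe", "Summer2020!", nonce, device.respond(nonce, VpnPortal.ORIGIN))
```

`totp_relay()` returns True: a relayed PIN is indistinguishable from one typed on the real portal, which is the whole point of the attack. `bound_relay()` returns False and `bound_direct()` True: the only thing that changed is that the second factor now includes the origin the employee’s browser actually connected to, which the attacker cannot forge without the device key. A client certificate on a managed device gives the same property by a different route, since the phishing page has no way to present it to the real VPN. Note that this does nothing for the password itself, which is still captured; it simply stops the capture from being sufficient.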
And if you encounter highly sophisticated Western-based actors, sometimes you just need to go for the arrest.