Throughout the evening, Critical Path Security was made aware of an attack on high-profile users of Twitter. This attack was used to facilitate the generation and collection of BitCoin and other cryptocurrency revenue.
At this time, all indications point to this attack being one of unauthorized access to an internal management toolkit. The screenshots of this toolkit are shown below.
What is undetermined at this time is if an internal employee was part of this attack. The following statements were made by the criminals to the Motherboard publication.
"We used a rep that literally done all the work for us," one of the sources told Motherboard. The second source added they paid the Twitter insider."
What is clear is the proper security around administrative tools at Twitter was insufficient for the risk they accepted by providing a social media platform to over 330 million accounts, including most of the 10 most wealthy people in the world.
Twitter later confirmed that the attack was caused by “a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”
Organizations worldwide should be reviewing the impact of their administrative tools and how the increase in Work From Home (WFH) activities has changed and often increased the attack surface for their organization.
As we've mentioned in many talks and presentations over the recent years, Insider Threats and Internal Malicious Users will always be a formidable threat to an organization's security posture. The ability to patch or upgrade the "HumanOS" is nearly impossible without continual security awareness training and ongoing development of administrative and technical security controls to prevent these sorts of attacks from occurring.
At this time, it does not appear that sensitive information has been harvested or leaked. That being said, with complete access to these accounts, it would be possible to collect personal conversations between affected parties and the sensitive information used to validate a legitimate user's access.