Morey Haber, CTO and CISO for BeyondTrust comments on the attack on Twitter verified accounts, identifying it used a classic spear phishing attack technique to allow threat actors into the Twitter environment and access to specialised administrative tools that have unrestricted access to accounts. While the attack itself is not special, nor some elaborate zero-day threat, the ramifications of personnel within Twitter having such tools and access to highly profile accounts is a serious concern. Consider the following:
- How did Twitter secure a tool that has unencrypted access to high profile accounts?
- Why does such a tool exist that allows postings by a third-party to a verified account?
- What other access did the threat actors have to the high-profile accounts including their profile, account information, and even direct messages?
- Why didn’t their security solutions detect third-party access to verified accounts by an internal resource?
- With the announcement of Twitter allowing users to work from home, how are they going to safeguard these tools from future remote access attacks?
- Was the phishing attack on the user using single factor or multi factor authentication?
- Does the tool only work in the Twitter environment, or were the threat actors able to exfiltrate it for a future attacks and reserve engineer its operations?
- What authentication and authorisation model is applied to the tool in question?
- What steps and processes are being implemented to prevent this type of attack in the future?
These are just a few questions that will need to be answered in the next few weeks and Twitter will need to respond appropriately in order to safeguard their users, data, and ensure the integrity of their platform.