New details about the summer 2020 Twitter hack have emerged from an investigation conducted by the New York Department of Financial Services (NYDFS). Twitter itself had confirmed that social engineering was involved, but details about exactly how that unfolded were scanty and led to a great deal of speculation about the company’s internal security posture. The new report reveals that Twitter employees were tricked into visiting a phishing page that captured their VPN credentials, a technique that worked due to common technical issues with VPN networks at the time.
The Twitter hack of 2020: Taking advantage of unusual conditions, VPN credentials
The mid-July Twitter hack compromised the accounts of hundreds of high-profile users (such as Barack Obama and Elon Musk), with many of these accounts used to promote a Bitcoin scam after the attackers took them over. Verified “blue check” accounts were prevented from posting for several hours as the social media giant scrambled to lock down its internal network.
The NYDFS, which is responsible for regulating financial services products in the state, became involved due to its position as a banking and cryptocurrency cybersecurity watchdog for the numerous financial institutions based there. The agency also expressed concern about the potential for market manipulation given the relative ease with which these high-profile accounts appeared to be taken over; the report points to a 2013 loss of $136.5 billion of value on the S&P 500 in the moments following a breach of the Associated Press’s Twitter account and fake tweets about an attack on the White House.
The NYDFS report indicates that the attack unfolded over two days (July 14 and 15). The first step was the theft of internal credentials via social engineering, something that Twitter had previously confirmed but had not offered specific details about. It turns out that the attackers posed as members of the Twitter IT department, calling multiple employees on the phone looking for marks. They likely used LinkedIn and similar public sites to gather personal information about their targets in order to inspire confidence.
The attackers claimed that they were calling in response to an issue with VPN credentials not working, something that was common at all sorts of companies in the weeks following the Covid-prompted mass switchover to remote work. The hackers were able to convince several employees to visit a phishing page made up to look like the legitimate Twitter VPN website, registered to a very similar domain name. They entered the employee VPN credentials into the actual Twitter site in real time as they were captured, which generated a secondary multi-factor authentication request to the employee that they cleared for the hackers.
The first Twitter employee that was compromised did not have access to the internal administrative tools that allowed for taking over user accounts, but this account allowed the hackers to peruse the company’s intranet and learn who did. They then made another round of calls to targeted employees with the desired level of access, using the same VPN credentials scam as before.
Prior media reports have identified the hackers as a group of teenagers interested in taking over and selling valuable “OG” Twitter accounts, which the NYDFS report confirms. This portion of the attack unfolded in the morning hours of July 15. Around 2 PM on July 15, the attackers shifted to the much more public second phase of the plan in which celebrity accounts started tweeting crypto scams to their followers.
The report also confirms the damage total reported earlier: theft of about $118,000 in Bitcoin, 130 total Twitter accounts compromised, 45 of those used to tweet out crypto scam messages, and seven accounts that had the “Your Twitter Data” (YTD) tool abused to exfiltrate personal information. An interesting side note is that the successful YTD requests were for seven non-verified accounts; 52 further requests were made by the hackers but were denied due to a Twitter policy of manually following up to verify these requests.
Twitter was first clued into the attack on July 15 when some of the employees the hackers had targeted reported the suspicious phone calls to the incident response team. By 8:41 PM Twitter had removed the attacker’s access to the VPN credentials.
A cautionary tale, and concerns about the election
While the central vulnerability exploited in the Twitter hack was an unusual set of global circumstances that led to common problems with VPN credentials, the NYDFS report identifies a set of further systemic failings that are likely common at other organizations. These conditions could be exploited to reproduce the Twitter hack, potentially in a way that influences the 2020 election.
NYDFS identifies the problem as starting at the top, with no chief information security officer (CISO) present at Twitter since December 2019 and a general lack of senior-level engagement in cybersecurity.
Twitter was also lagging behind the threat actor world in securing its shift to remote work during the Covid pandemic. The opening to steal VPN credentials was created by the fact that Twitter employees were commonly experiencing legitimate VPN connection problems. Plenty of public information about employee personal identities and job roles was also sitting around both on the public internet and in the company’s intranet, which the attackers put to good use in the social engineering campaign. Anurag Kahol, CTO and co-founder of Bitglass, added some thoughts on why VPNs cannot be relied on as a comprehensive or permanent solution for remote work: “The infamous Twitter hack demonstrates how a lack of granular security and an overreliance on VPNs can be the downfall of any organization. Telecommuting, accessing corporate data via personal mobile devices, and cloud-first ecosystems have become the norm today. As a result, enterprises that wish to stay secure must rethink their security strategies and consider implementing context-aware solutions that can enforce granular policies based on users’ identities, locations, and devices, as well as the data and resources with which they are interacting. Twitter’s strategy of having users “VPN in” is not a long-term solution for remote work. VPNs introduce latency, hamper productivity, can be difficult to scale (especially for organizations as large as Twitter), and grant users full access to the network and everything on it – even if that level of access is not required for individuals to perform their work.”
At the beginning of the pandemic, NYDFS had issued guidance to the organizations it regulates about exactly these sort of security risks created by the mass shift to working remotely. NYDFS notes that the company had not implemented any new security controls in the time between this memo (issued in March) and the July Twitter hack. The report points out that Twitter lacked adequate internal authentication controls appropriate to a platform that could be used for massive public harm. The administrative tools that enabled the takeover of Twitter accounts were not protected by anything more than text message verification MFA; NYDFS believes the Twitter hack could have been thwarted by a hardware MFA policy or by requiring a second employee to verify high-level administrative actions.
The Twitter hack also prompted NYDFS to make several recommendations that are specific to cryptocurrency exchanges. It advises quickly blocking addresses known to be used by scammers, restricting transfers to pre-approved “safelisted” addresses (a process that asks those making the transfer to wait around 24 hours before a new transfer partner is whitelisted and able to receive money), to avoid running promotions and contests that resemble known scams, and to send out periodic educational messages to customers advising them of scam risks.
Perhaps the most interesting element is that the NYDFS calls for more regulation of social media platforms, an issue that has been in the news for various other reasons as of late. NYDFS says that no one existing agency has adequate power to uniformly regulate these platforms and that a new agency should be created that focuses on social media companies categorized as “systemically important” in terms of their potential risks to financial stability and democratic processes.