Late on Thursday, July 30th, Twitter posted an update to its investigation of the incident involving the takeover of high-profile accounts. Attackers targeted Twitter employees using voice phishing, known as “Vishing,” to trick employees into sharing their credentials to access the internal network of Twitter. The attack first targeted Twitter employees who did not have access to sensitive software tools needed to control accounts, and then used those accounts to find information needed to target other employees who had a higher level of access. Further phone-based phishing of those employees succeeded in gaining their credentials and access to Twitter software tools that were used to reset the passwords and change recovery email addresses for Twitter user accounts. The attackers targeted 130 Twitter accounts, tweeted from 45, accessed the direct messages of 36, and downloaded the Twitter Data of 7. Twitter said that it is in the process of changing policies and security controls to better protect access to sensitive internal tools in the future.
Twitter did not reveal whether the attackers had to trick employees into giving up only passwords, or whether those accounts were also protected with Multi-Factor Authentication (MFA). Implementing MFA, even for accounts accessed from an internal network, makes it much more difficult for attackers to gain control. Attacks that target employees through social engineering, whether they involve email, phone calls, USB drives sent through the mail, or even in-person entry into company properties, can be just as devastating as a trusted insider going rogue or bribes paid to employees to participate in a coordinated scheme. The best security controls for detecting and quickly stopping the damage from such insider attacks include detailed auditing and role-based behavior anomaly detection, as well as reports from vigilant employees who are trained to recognize and report suspicious behavior. Security monitoring systems that build a baseline of what employees in particular roles usually do, and then alert on abnormal patterns of access or application use, can go a long way toward recognizing and investigating potential attacks in their early stages.
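As an added illustration of the role-based baselining described above (example code, not from Twitter or the original post), the script below builds a per-role and per-user baseline from constructed audit events and flags an account that invokes a sensitive action its role has never used, or that uses one far more often than it historically did. The user names, roles and action names are assumptions, not Twitter's internal tools.

```python
from collections import Counter, defaultdict

# Constructed sample audit events (user, role, action). Roles, users and
# action names are assumptions for this example, not real internal tools.
BASELINE_EVENTS = [
    ("alice", "support", "view_account"),
    ("alice", "support", "view_account"),
    ("bob", "support", "view_account"),
    ("bob", "support", "view_account"),
    ("carol", "trust_safety", "view_account"),
    ("carol", "trust_safety", "reset_password"),
    ("carol", "trust_safety", "change_recovery_email"),
    ("dave", "trust_safety", "view_account"),
    ("dave", "trust_safety", "reset_password"),
]

# Constructed events from a later monitoring window.
NEW_EVENTS = [
    ("bob", "support", "view_account"),          # normal for the support role
    ("bob", "support", "reset_password"),        # support has never done this
    ("dave", "trust_safety", "reset_password"),
    ("dave", "trust_safety", "reset_password"),
    ("dave", "trust_safety", "reset_password"),
    ("dave", "trust_safety", "reset_password"),  # far above dave's usual rate
    ("dave", "trust_safety", "reset_password"),
]


def build_baseline(events):
    """Per role: the set of actions seen; per user: how often each action was seen."""
    role_actions = defaultdict(set)
    user_counts = defaultdict(Counter)
    for user, role, action in events:
        role_actions[role].add(action)
        user_counts[user][action] += 1
    return role_actions, user_counts


def detect_anomalies(baseline, events, spike_factor=3):
    """Return (user, action, reason) for an action the role never performed in the
    baseline, or for a user exceeding spike_factor x their historical count."""
    role_actions, user_counts = baseline
    window = defaultdict(Counter)
    alerts = []
    for user, role, action in events:
        window[user][action] += 1
        if action not in role_actions[role]:  # unknown role -> empty set -> alert
            alerts.append((user, action, f"{action} never seen for role {role}"))
        elif window[user][action] == spike_factor * user_counts[user][action] + 1:
            hist = user_counts[user][action]  # alert once, when the threshold is crossed
            alerts.append((user, action, f"{action} used {window[user][action]}x in window vs {hist}x historically"))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print("ALERT:", alert)
```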
The Twitter blog post about the incident can be found here: https://blog.twitter.com/en_us/topics/company/2020/an-update-on-our-security-incident.html