All Organizations That Use X Should Review Their Two-Factor Authentication Settings
When it comes to cybersecurity, nobody’s perfect, and that goes for cybersecurity organizations and the individuals comprising them.
That’s one takeaway from Google Cloud’s Mandiant incident response group, which blamed the Jan. 3 hijacking of one of its social media accounts on an attacker apparently having brute-force guessed the password for the account, which wasn’t being protected using two-factor authentication.
“We have finished our investigation into last week’s Mandiant X account takeover and determined it was likely a brute force password attack, limited to this single account,” Mandiant said in a Wednesday post to X, formerly known as Twitter.
After taking over the official @Mandiant account on X, the attacker posted messages containing “links to a cryptocurrency drainer phishing page,” said Mandiant’s Zach Riddle, Joe Dobson, Lukasz Lamparski and Stephen Eckels in a postmortem blog post published Wednesday.
Working with X, Mandiant regained control of the account and excised the attacker-added content.
“Normally, 2FA would have mitigated this, but due to some team transitions and a change in X’s 2FA policy, we were not adequately protected,” Mandiant tweeted. “We’ve made changes to our process to ensure this doesn’t happen again.”
Reading between the lines: Whoever was in charge of managing Mandiant’s social media account appears to have either left the organization or moved to a different role, and those responsibilities didn’t get handed off to someone else.
The change in X’s two-factor authentication policy apparently refers to a decision made nearly a year ago. Last February, X boss Elon Musk announced that what was then Twitter would no longer offer text or SMS-based two-factor authentication – only allowing an authenticator app or security key – unless a user paid for the Twitter Blue service, which is now known as X Premium.
“Non-Twitter Blue subscribers that are already enrolled will have 30 days to disable this method and enroll in another,” then-Twitter said, referring to 2FA. After March 21, 2023, Twitter warned that any free “accounts with text message 2FA still enabled will have it disabled.”
The change was a theoretical security improvement in the sense that SMS messages can be intercepted, especially via SIM hijacking or swapping. That’s why the U.S. National Institute of Standards and Technology in 2017 suggested deprecating the use of SMS for one-time codes. Authenticator apps and security keys are much more difficult to circumvent.
X/Twitter Security Blues
In practice, when Twitter deactivated 2FA via SMS for nonpaying accounts, that worsened security, simply because not all individuals or organizations using the social network received the “move or lose it” message.
Twitter’s change appears to have ultimately caught Mandiant by surprise. If losing 2FA due to Twitter’s turning it off was indeed the culprit, “then it’s one of the first higher-profile attacks I’ve heard of” that trace to this root cause, tweeted Rachel Tobac, CEO of SocialProof Security and chair of Women in Security and Privacy.
In early 2023, multiple security experts – including Tobac – criticized Twitter’s “no SMS for free accounts” move, saying it was sure to leave some users’ and organizations’ accounts inadvertently unprotected – or to drive perhaps less technologically advanced users to select no multifactor authentication, rather than an authenticator app or security key.
“It’s not right to de-enroll them in 2FA or make them pay for SMS 2FA,” Tobac said (see: Twitter to Charge for SMS Second-Factor Authentication).
Toby Lewis, head of threat analysis at Darktrace, also criticized the downgrade. “When the option to not have MFA at all is still available and the default, I’d rather any form of MFA than none at all – especially one that is instantly accessible to anyone with a mobile phone,” he said in a blog post.
Did the Change Snare the SEC?
Beyond Mandiant, another potential high-profile victim of Twitter deactivating 2FA via SMS for unpaid accounts may be the U.S. Securities and Exchange Commission. On Tuesday, the official @SECgov account on X was taken over and a fake post was issued claiming the agency had approved spot bitcoin exchange-traded funds.
The SEC said it had quickly curtailed “unauthorized access” to the X account and that it is working with the FBI to investigate. On Wednesday, the SEC did approve 11 spot bitcoin exchange-traded products.
The safety team at X reports that the official account lacked second-factor authentication. “We encourage all users to enable this extra layer of security,” the social network said, without making clear whether or not the lack of 2FA on the SEC account might have resulted from Twitter itself having deactivated SMS for free accounts.
Clearly, all organizations that still use X, formerly known as Twitter, need to audit their corporate accounts and ensure they’ve enabled 2FA. Otherwise, more password brute-forcing might be in their future.
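The audit this article recommends comes down to two questions per account: does it have a second factor that is not the SMS method NIST suggested deprecating, and does it still have a named, current owner who would see a “move or lose it” notice? The following script is an added example, not code from Mandiant, X or ISMG; the inventory format, field names and sample rows are constructed for illustration, and it reads from an internal inventory rather than from any X API.

```python
"""Audit an inventory of organizational social media accounts for the two
failure modes described above: no second factor (or only SMS), and an
account whose responsible owner has left or was never assigned.

Added example; the SocialAccount fields and sample data are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class SocialAccount:
    platform: str
    handle: str
    owner: str                                  # employee responsible; "" if none
    mfa_methods: list[str] = field(default_factory=list)  # e.g. "totp", "security_key", "sms"


# Factors that survive the platform dropping SMS for free accounts and that
# are not exposed to SIM swapping.
STRONG_FACTORS = {"totp", "security_key"}

# Constructed sample inventory (not real accounts).
INVENTORY = [
    SocialAccount("X", "@corp_main", "alice", ["totp"]),
    SocialAccount("X", "@corp_support", "bob", ["sms"]),
    SocialAccount("X", "@corp_events", "", []),
    SocialAccount("X", "@corp_research", "carol", ["security_key", "sms"]),
]

# Constructed directory of current staff; "bob" has left the company.
ACTIVE_STAFF = {"alice", "carol"}


def audit(inventory: list[SocialAccount], active_staff: set[str]) -> list[tuple[str, str, str]]:
    """Return (handle, finding_code, explanation) for every weakness found.

    Finding codes:
      NO_MFA    - password is the only barrier; brute-force guessing succeeds.
      SMS_ONLY  - second factor exists but is SMS, which can be dropped by the
                  platform or intercepted via SIM swapping.
      ORPHANED  - nobody current is responsible, so policy-change notices are
                  never acted on.
    """
    findings: list[tuple[str, str, str]] = []
    for acct in inventory:
        methods = set(acct.mfa_methods)
        if not methods:
            findings.append((acct.handle, "NO_MFA",
                             "no second factor enrolled; enable authenticator app or security key"))
        elif not methods & STRONG_FACTORS:
            findings.append((acct.handle, "SMS_ONLY",
                             "only SMS enrolled; add an authenticator app or security key"))
        if not acct.owner or acct.owner not in active_staff:
            findings.append((acct.handle, "ORPHANED",
                             "no current owner; assign one and record the handoff"))
    return findings


def accounts_needing_action(inventory: list[SocialAccount], active_staff: set[str]) -> list[str]:
    """Distinct handles with at least one finding, in inventory order."""
    seen: list[str] = []
    for handle, _code, _why in audit(inventory, active_staff):
        if handle not in seen:
            seen.append(handle)
    return seen


if __name__ == "__main__":
    for handle, code, why in audit(INVENTORY, ACTIVE_STAFF):
        print(f"{handle:16} {code:9} {why}")
```

An account counts as covered only if it has at least one strong factor, so @corp_research passes even though SMS is also enrolled, while @corp_support, whose only factor is SMS and whose owner has left, is exactly the case the article describes: a platform policy change silently removes the factor and nobody is left to notice.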
Drainer Danger
In Mandiant’s case, an attacker used the X account to distribute messages pretending to be from legitimate services such as Phantom, DappRadar and Bonk, but which contained phishing links. These led to JavaScript malware given the codename Clinksink by Mandiant, which said the malware is designed to connect with wallets owned by users of Solana, aka SOL, cryptocurrency, which in recent months has been surging in value.
“Drainers are malicious scripts and smart contracts that actors can leverage to siphon funds and/or digital assets, such as non-fungible tokens from victims’ cryptocurrency wallets after they are tricked into approving transactions,” Mandiant said.
Many Clinksink attacks appear to be operated by a drainer-as-a-service group called Chick Drainer – potentially the same as or a crossover with the Rainbow Drainer group – although cybercrime chatter is that the source code for Clinksink has leaked, meaning other attackers may also be using it, Mandiant said.
In the case of Chick Drainer, “the operator(s) of this DaaS provide the drainer scripts to affiliates in exchange for a percentage of the stolen funds, typically around 20%,” Mandiant’s attack postmortem says. “We estimate the total value of assets stolen by affiliates in these recent campaigns to be at least $900,000.”