What Two Recent Cyber Attacks Can Teach Us: Twitter and COVID-19 Highlight What’s at Stake
By: Orhan Yildirim
2020 has been a rough year when it comes to the global health crisis, related economic challenges, and critical divisions in government as we head into an election season in the context of continued attacks on American democracy.
It has never, in history, been more important to protect what we connect – to protect intellectual property, to protect networks and systems, to protect individual privacy rights, and to protect our ability to live in a free and fair society.
Two major incidents occurred earlier this month, and they are still being dissected and deeply analyzed so we can understand what happened, why it happened, who was behind the attacks, and most of all – how we can avoid even more pervasive and harmful attacks in the future.
What can we learn from the Twitter and COVID-19 vaccine incidents and how can we respond – immediately and with great strength and precision?
Targeting the most influential public figures and celebrities on Twitter, hackers orchestrated a highly coordinated “social engineering-based attack” promoting a cryptocurrency scam. The most high-profile accounts were hacked using Twitter’s administrative tools, according to many experts.
Personal Twitter accounts hacked include those of Amazon CEO Jeff Bezos, Joe Biden, Tesla CEO Elon Musk, former President Barack Obama, Bill Gates, Warren Buffett, and others.
Apple and Uber’s Twitter accounts were also hacked.
It is believed that, using SIM swapping, the adversaries tricked, coerced, or bribed employees of their victims to gain access to privileged account credentials and administrative tools. Early indications reveal that the hackers first changed the email address of each targeted account. Two-factor authentication was then turned off, so when an alert about the account change was sent, it went to the hacker’s email address. With the targeted accounts under their control, the hackers began promoting their cryptocurrency scam. While not all details of the attack have surfaced, expert accounts reveal that the hackers convinced a Twitter employee to help them hijack the accounts.
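The sequence described above (recovery email changed, then two-factor authentication disabled shortly afterwards, by the same administrative actor across several accounts) is exactly the kind of pattern an admin-tool audit log can be correlated on. The following is an added example, not code from the original post or from Twitter; the audit-line format, the account names, and the function names are constructed assumptions for illustration.

```python
"""Flag EMAIL_CHANGED followed by 2FA_DISABLED on the same account within a
short window, then rank admin actors by how many accounts they did it to.
Event format is a constructed assumption, not any real audit schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: timestamp|actor|target_account|action|detail
SAMPLE_AUDIT = """\
2020-07-15T20:01:10|admin17|@celeb_a|EMAIL_CHANGED|new=attacker@example.net
2020-07-15T20:01:42|admin17|@celeb_a|2FA_DISABLED|
2020-07-15T20:02:05|admin17|@celeb_b|EMAIL_CHANGED|new=attacker@example.net
2020-07-15T20:02:30|admin17|@celeb_b|2FA_DISABLED|
2020-07-15T09:15:00|admin03|@user_c|EMAIL_CHANGED|new=c.new@example.org
2020-07-15T14:40:00|admin03|@user_c|2FA_DISABLED|
"""

WINDOW = timedelta(minutes=10)  # assumed correlation window

def parse_audit(text):
    """Parse pipe-delimited lines into (timestamp, actor, target, action, detail)."""
    events = []
    for line in text.splitlines():
        ts, actor, target, action, detail = line.split("|", 4)
        events.append((datetime.fromisoformat(ts), actor, target, action, detail))
    return sorted(events)  # chronological order, timestamp is first tuple field

def find_takeover_sequences(events, window=WINDOW):
    """Return (actor, target, seconds_between) for every EMAIL_CHANGED that is
    followed by a 2FA_DISABLED on the same account within `window`."""
    last_email_change = {}  # target account -> (timestamp, actor)
    hits = []
    for ts, actor, target, action, _detail in events:
        if action == "EMAIL_CHANGED":
            last_email_change[target] = (ts, actor)
        elif action == "2FA_DISABLED" and target in last_email_change:
            prev_ts, _prev_actor = last_email_change[target]
            if ts - prev_ts <= window:
                hits.append((actor, target, int((ts - prev_ts).total_seconds())))
    return hits

def actors_over_threshold(hits, max_accounts=1):
    """One admin repeating the sequence on several accounts is the strongest
    signal; return actors whose distinct target count exceeds max_accounts."""
    per_actor = defaultdict(set)
    for actor, target, _secs in hits:
        per_actor[actor].add(target)
    return sorted(a for a, targets in per_actor.items() if len(targets) > max_accounts)

if __name__ == "__main__":
    hits = find_takeover_sequences(parse_audit(SAMPLE_AUDIT))
    for hit in hits:
        print("suspicious sequence:", hit)
    print("actors to review:", actors_over_threshold(hits))
```

The slow, hours-apart change on @user_c is deliberately left out of the result to show that the window, not the mere presence of both events, is what distinguishes a routine support action from the burst pattern.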
The theory that this was most likely a credential-based attack was immediately accepted by the cybersecurity community, given that 80% of today’s data breaches go back to privileged access abuse. Put simply, somebody was able to leverage a compromised credential to enter the Twitter environment and take over accounts. Twitter confirmed within days that this was caused by an insider.
The 2019 Verizon Insider Threat Report defines five insider threats based on data breach scenarios:
- The Careless Worker
- The Inside Agent
- The Disgruntled Employee
- The Malicious Insider
- The Feckless Third-Party
Regardless of which category Twitter eventually reveals after a full investigation, there was one huge irony last week, when the Twitter attack was immediately followed by the COVID-19 vaccine reporting: with the pandemic and related economic hardships, the risk of insider threats is growing, as furloughs or layoffs may tempt employees to participate in schemes like this.
What are we continuing to learn?
Organizations must rethink the way that they have structured their cybersecurity posture, and ensure PAM is at the FRONT LINE of their security policies. The Twitter attack taught us, and will continue to prove, that no traditional technology “breach” like phishing, originally posited as the theory behind the attacks, is required. It was just a matter of finding the right person with the right privileges and paying them to post 25 tweets to 25 of the world’s most famous Twitter accounts, in a matter of minutes.
Look for Twitter to dramatically shore up their PAM posture and other security measures after taking a devastating hit this month.
The COVID-19 vaccine breaches are “next level.”
According to the NCSC, state-sponsored hackers are actively targeting organizations involved with the development of a COVID-19 vaccine. Their report says threat group APT29, which has been named “Cozy Bear” and is believed to be associated with Russian intelligence, has been targeting UK, US, and Canadian vaccine research and development organizations.
Paul Chichester, director of operations at the NCSC, condemned the attacks, calling them “despicable” and aimed at those doing vital work to combat the coronavirus pandemic.
“Working with our allies, the NCSC is committed to protecting our most critical assets and our top priority at this time is to protect the health sector,” he said. “We would urge organizations to familiarize themselves with the advice we have published to help defend their networks.”
Like Twitter, the issue is privileged credentials. But unlike Twitter, the adversaries are using much more sophisticated technologies to obtain authentication credentials to access systems. “In recent attacks targeting COVID-19 vaccine research and development, the group conducted basic vulnerability scanning against specific external IP addresses owned by the organizations,” the NCSC reported. “The group then deployed public exploits against the vulnerable services identified.”
The NCSC has been supported by partners at the Canadian Communications Security Establishment (CSE), the US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA).
COVID-19 is an existential threat to every individual, family, community, and government in the world, which makes these reports even more shocking. The reporting is not new – there has been significant COVID-related targeting of governments since January of this year.
In this case, what we are learning is that regardless of how privileged credentials are being compromised, every single business, enterprise, government agency, healthcare organization, social media company, and more must – immediately – put in place PAM software that works in our hyperconnected world – that protects clouds, networks, applications, and all of the pieces associated with our digitally driven world.
We are also learning that the consequences of not immediately implementing such measures are not only costly to brand reputations but could, quite literally, cost millions of lives.