Fabrizio Baiardi

Fabrizio Baiardi

Fabrizio Baiardi is a Full Professor at Università di Pisa where he has chaired one of the first degree on security of ICT infrastructures. His main research interests are formal approaches to risk assessment and resilience of critical ICT infrastructures. Fabrizio Baiardi has been involved in the risk assessment and management of several systems and of industrial control systems with SCADA components. He has authored several papers on ICT security and currently teaches university courses on security related topics.

Least privilege strikes back at Twitter

An unprecedented attack on Wednesday occurred between 15th and 16th of July that resulted in numerous takeovers of high-profile accounts including those of President Barack Obama, Democratic candidate Joe Biden, and Tesla CEO Elon Musk. The attack is one of the most widespread and confounding hacks the platform has ever seen. Every tweet invited people to send money to a bitcoin wallet to support fight against the COVID-19 and offered to double the money sent. As an example, Elon Musk tweet was:

“I‘m feeling generous because of Covid-19. I’ll double any BTC payment sent to my BTC address for the next hour. Good luck, and stay safe out there!”

The tweet contained a bitcoin address associated with the hacker’s crypto wallet. The final goal was promoting a bitcoin scam that appears to be earning its creators quite a bit of money. In a series of tweets posted this evening under its support channel, Twitter acknowledged that numerous people appear to have been involved in the hacks, not just one individual, and also that numerous employees accounts and its internal systems were compromised by the hackers. This supports theories that the attack could not have been conducted without access to the company’s own tools and employee privileges. It is still not clear whether the employees’ account have been attacked or if the attackers have bribed the employees and then use their tools. So far, Twitter has confirmed that employee tools were used in the hack, but no theory as to how hackers might have gotten access. It is estimated that the wallet in the tweets received more than 100.000$. It has been reported that numerous underground hacking circles have been sharing screenshots of an internal Twitter administration tool allegedly used to take over the high-profile verified accounts. Twitter is now removing images of the screenshot from its platform and in some cases the underlying problem is the large amount of unnecessary privileges granted to administrative accounts. It is well known that these accounts are a target of privilege escalations due to the power they have on resource and system management. Minimizing these privileges, requiring strong authentication when using the privileges and logging the usage of these privileges are important controls to minimize impacts and simplify a forensics analysis of an attack.

Updates 7/17/2020
 According to post on Brian Kerb site:

“There are strong indications that this attack was perpetrated by individuals who’ve traditionally specialized in hijacking social media accounts via “SIM swapping,” an increasingly rampant form of crime that involves bribing, hacking or coercing employees at mobile phone and social media companies into providing access to a target’s account.”

SIM swapping is an insidious form of mobile phone fraud that is often used to steal large amounts of cryptocurrencies and other items of value from victims. All too frequently, the scam involves bribing or tricking employees at mobile phone stores into seizing control of the target’s phone number and diverting all texts and phone calls to the attacker’s mobile device. Hence, this attack has been possible because of an insider, it remains to be seen if the insider works at Twitter or at a telephone company.



More to explore

La startup Haruspex sbarca in Silicon Valley

L’azienda di cybersecurity spezzino-pisana è stata selezionata dal prestigioso programma “Global Startup Program” dell’Italian Trade Agency, a San Francisco. Per il momento il programma sarà svolto in virtuale dato il persistere delle limitazioni agli ingressi sul suolo statunitense.

Leave a Comment

Your email address will not be published. Required fields are marked *