2025-01-18 Update. From: SLTechnology News&Howtos, Network Security
Shulou (Shulou.com) 05/31 Report
Today I will talk to you about how Twitter was hacked. Many people may not know much about it, so the editor has summarized the following for you. I hope you gain something from this article.
I. The truth about the most serious security incident in Twitter's history surfaces
Twitter's massive account takeover is undoubtedly the most widely watched security incident to date.
Looking back on the incident of less than a week ago: on July 15, a large number of Twitter opinion leaders, including former US President Barack Obama, Amazon CEO Bezos, Microsoft founder Bill Gates, Buffett, Musk and others, had their accounts hijacked and suddenly posted bitcoin phishing tweets en masse, inducing followers to transfer money to the hackers' bitcoin wallets. So far, the attackers' BTC address has received 12.865 bitcoins, about 800,000 yuan, almost all of which has already been moved out.
The phishing method and copy were very straightforward: trick followers into transferring money with the promise of sending back double. The reason so many people took the bait was naturally the credibility lent by the big-name accounts. Next, let's focus on the crux of the incident: how these accounts were taken over collectively.
Shortly after the incident, the Twitter Support account posted a series of updates stating the preliminary finding that internal tools had been maliciously used. Many people wondered how Twitter employees could tweet directly under any user's identity.
On July 18, Twitter released more details and preliminary findings about the massive account intrusion, lifting a corner of the veil over this serious incident. From them we can extract the attackers' key modus operandi:
Obviously, this was not a simple vulnerability in an externally exposed business system, but a targeted attack. The attackers used social engineering against a number of specific Twitter employees, which means they were able to steal the identity credentials of this small group (credentials such as account passwords, cookies, access tokens, secret keys, etc.), operate critical internal systems as if they were legitimate employees, and invoke internal tools that only Twitter's internal support department has access to, thereby accessing information from 130 Twitter accounts. Using these internal tools, the attackers reset the passwords of at least 45 accounts, logged in to the targets and sent the phishing tweets to complete the attack.
The investigation is still continuing, but judging from the attack method seen so far, this can definitely be characterized as an APT incident. We have reason to believe the attackers had been lurking for a long time; stealing a legitimate identity and operating internal tools to achieve the intrusion is also a typical attack path.
As an equally well-known large Internet company, does Tencent face the same kind of security risk? The answer is yes. With its huge digital assets, Tencent has long been a target for many hackers in the real world. Attackers scan and probe Tencent all the time, trying to break in, including APT-level attackers like those in this Twitter incident.
In fact, Tencent Blue Army has already used similar techniques in many internal red-blue confrontation exercises, simulating hackers' APT methods and reaching the attack objectives. In the information security industry, a team that tests the security of business systems by simulating real attack methods and specializes in offense is called the Red Team; in China it is called the "Blue Army".
II. If you were a hacker, how would you carry out an APT attack?
Be prepared for danger in times of peace and put yourself in the other side's shoes: if you were a hacker, how would you carry out an APT attack? This is a question Tencent Blue Army has long been thinking about.
We generally divide intrusions into two types. One is non-targeted, opportunistic intrusion, such as cryptomining, spam, DDoS and so on. These are characterized by scale and automation, and the profit model is usually based on controlling large numbers of compromised machines to build botnets. The other type is the targeted APT attack.
APT stands for Advanced Persistent Threat. Unlike the opportunistic intrusions above, an APT attack is targeted regardless of how sophisticated it is. Before the attack, hackers collect a large amount of basic information about the target and formulate an attack strategy. The Twitter case of "targeting specific employees" is one of the common entry points in APT attacks. Along with physical intrusion, supply chain attacks, attacks on online businesses and so on, there may be more real-world entry points than you think.
1. Online assets
Online assets are among the first targets hackers attack. A serious vulnerability in a business website may directly allow hackers to obtain server privileges and then move into the intranet.
2. Office environment
Self-service terminals in the office, unattended PCs with unlocked screens, USB flash drives carrying malware, WiFi networks and so on may all be entry points into the office environment, from which an attacker can go on to gain control of employees' PCs or access to the office intranet.
3. Personnel
People are the weakest link in an information system, and most security problems are caused by human negligence or mistakes. Through phishing, social engineering and planting Trojans on target personnel, an attacker can selectively obtain the legitimate accounts or PC control of key staff and then use their identity to enter the target enterprise's intranet. The attacker may even go after the target's private computer, home WiFi, frequently visited coffee shops and other weak links in order to steal that person's sensitive credentials.
4. Partners
There are often many close cooperation projects between the target enterprise and its partners, whose network connectivity or access privileges are higher than those of the outside world. After compromising a partner, it is usually feasible to penetrate the core business of the target enterprise.
5. Supply chain
As the name suggests, this means poisoning products in the supply chain first in order to attack the target indirectly: for example, attacking common software repositories, open source software, software installation packages, download sites, service providers and so on, and then bundling Trojans into these upstream products to get into the target enterprise.
Once the attacker has broken through the external network boundary and gained access to the enterprise intranet, the attack has really only just begun. Having established a foothold, the attacker starts down a long road toward the core business data, and the intranet spreads out before them like a forest shrouded in fog of war. In a very large enterprise there are hundreds of thousands or even millions of servers on the intranet. Where is the core business data stored, how does one reach the core area, and how does one operate on the data? This is the central problem the attacker has to solve. Attacking intranet servers one by one is like looking for a needle in a haystack. How can the attack objective be reached quickly: stealing core business data, or even manipulating enterprise funds?
III. Data protection
During each security exercise, the Blue Army, as the attacker, needs to answer this question.
Since its establishment in 2006, Tencent Blue Army has continuously carried out penetration tests with the various business teams within the company, covering many important businesses, and has discovered and eliminated a large number of potential security risks. Since 2008, with the launch of the company's "Onion" anti-intrusion system, the Blue Army has kept running red-blue confrontation drills that simulate hackers in order to prevent problems before they occur.
In 2019, Tencent Blue Army joined the company's "Data Protection Project" and launched a special programme to verify business security through security exercises and provide comprehensive assurance for core businesses. Through years of repeated exercises and hardening, we can see that the security level of core businesses keeps improving, and the cost and threshold of attack keep rising.
Returning to the earlier question: how can an attacker quickly reach the objective of manipulating core business data? The attacker needs to find critical "beacons" in the intranet. These beacons can be key personnel or key application systems, such as centralized intranet systems, domain controllers, mail servers, code repositories, operations and maintenance systems, business operation systems, or the customer service and finance systems that sit very close to user data or assets.
A large enterprise intranet involves complex network zoning, business architecture and underlying protocol interactions. Going after the key application systems in the normal business flow during an intranet attack obviously achieves twice the result with half the effort. Looking back over many intranet exercises, in the early days we also tried scanning and brute-forcing the core databases directly, and even modified balance fields in some databases to reach the exercise goal of "topping up" our own accounts. As the attack-defense confrontation progressed, this path became heavily guarded and very expensive: any large-scale scan triggers alarms in the security systems or anomalies in business monitoring data and exposes the attack. As a result, the attack path gradually shifted to a more subtle approach, which is also the most typical APT technique: using a legitimate identity to operate internal tools and platforms.
Like the "internal tools" involved in this Twitter incident, functions such as resetting passwords and modifying user information are actually the most basic logic at the bottom of the business, providing the corresponding services to users. Of course, these tools cannot be invoked at will. Only a very small number of core staff, or the corresponding internal systems, have permission to operate them, and each operation also requires approval and auditing at several levels.
So the security of these business systems and tools is critical.
IV. How to protect core business data against security risks
The security of internal and external business systems cannot be separated from the participation of business colleagues, and the company's "Data Protection Project" provides specific data security indicators and reference specifications for everyone. According to Tencent Blue Army's experience from years of security exercises against the company's internal and external systems, the risk paths to each core business on the intranet have a great deal in common when seen from the attacker's perspective. How can the security level of core businesses be improved? Risk can be reduced in the following ways:
1. Eliminate sensitive information leaks
Information gathering is a very important part of the attack process. Information on the various intranet systems may reveal all kinds of sensitive data, including account passwords, documents, code and so on, and this information often opens the attacker's way to critical systems.
2. Authentication and control of high-risk services and components
If high-risk services and components on the intranet are left without authentication and access control, they may be used directly to take control of servers. Examples include the Docker API, Redis, and the debugging ports of various language runtimes.
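As an added example (not from the article or from Tencent), here is a small Python audit that flags the weak settings for two of the services named above: an unauthenticated Redis listener and a Docker API exposed over plain TCP. The configuration fragments are constructed, and the `requirepass` value is a placeholder.

```python
import json

# Constructed sample redis.conf fragments (not from the page); the hardened requirepass value is a placeholder.
WEAK_REDIS_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""
HARDENED_REDIS_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass CHANGE-ME-placeholder
rename-command CONFIG ""
rename-command FLUSHALL ""
"""

def parse_redis_conf(text):
    """Map each active (non-comment) directive to the list of its argument strings."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, rest = line.partition(" ")
            conf.setdefault(key.lower(), []).append(rest.strip())
    return conf

def audit_redis_conf(text):
    """Return findings for settings that leave Redis reachable without authentication."""
    conf = parse_redis_conf(text)
    findings = []
    binds = " ".join(conf.get("bind", []))
    if not binds or "0.0.0.0" in binds or "*" in binds:
        findings.append("bind: listens on all interfaces")
    if conf.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode: disabled")
    if not any(conf.get("requirepass", [])):
        findings.append("requirepass: no password set")
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    findings += [f"rename-command: {c} still exposed" for c in ("CONFIG", "FLUSHALL") if c not in renamed]
    return findings

def audit_docker_daemon(daemon_json):
    """Flag a Docker daemon.json that exposes the API on TCP without TLS client verification."""
    cfg = json.loads(daemon_json)
    tcp = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    return [] if cfg.get("tlsverify") else [f"docker: API on {h} without tlsverify" for h in tcp]
```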
3. Enhanced network isolation policy
Strict network access control and isolation measures effectively raise the difficulty for an attacker of reaching core data.
4. Strict access control and auditing
A very important concept in security is hierarchical management. Among the large number of intranet websites, sensitive ones require isolated login, and sensitive operations, such as those involving funds or user data, must additionally go through an approval process and secondary verification.
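As an added example (not the article's or Tencent's code), the following Python models the hierarchical control in item 4 for an internal password-reset tool, together with a detection over its audit log for the bulk-reset pattern that the Twitter incident describes. The role names, ticket fields and audit records are assumed and constructed.

```python
from datetime import datetime, timedelta

# Sensitive internal-tool actions of the kind the text describes, and the role allowed to run them (assumed names).
SENSITIVE_ACTIONS = {"reset_password": "support_admin", "change_email": "support_admin"}

def authorize_sensitive_action(actor, actor_roles, action, approval, step_up_verified):
    """Hierarchical gate: role check, an approval ticket from a different person, and
    second-factor confirmation. Returns (allowed, reason); approval is {"ticket", "approver"} or None."""
    required_role = SENSITIVE_ACTIONS.get(action)
    if required_role is None:
        return True, "not a sensitive action"
    if required_role not in actor_roles:
        return False, f"{actor} lacks role {required_role}"
    if not approval or not approval.get("ticket"):
        return False, "no approval ticket"
    if approval.get("approver") == actor:
        return False, "approver must differ from actor"
    if not step_up_verified:
        return False, "second-factor verification missing"
    return True, "approved"

def _rec(ts, operator, target):
    return {"ts": ts, "operator": operator, "action": "reset_password", "target": target}

# Constructed audit records (not real data): one operator resetting seven accounts in six minutes,
# plus one ordinary reset by another operator earlier in the day.
AUDIT_LOG = [_rec(f"2020-07-15T20:0{m}:00", "support-07", f"acct-{1000 + m}") for m in range(7)]
AUDIT_LOG.append(_rec("2020-07-15T09:15:00", "support-02", "acct-42"))

def detect_bulk_resets(log, threshold=5, window=timedelta(minutes=10)):
    """Sliding window per operator: report operators with >= threshold resets inside `window`,
    the trace a mass takeover through an internal tool would leave in the audit trail."""
    by_op = {}
    for rec in log:
        if rec["action"] == "reset_password":
            by_op.setdefault(rec["operator"], []).append(datetime.fromisoformat(rec["ts"]))
    flagged = {}
    for op, times in by_op.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[op] = max(flagged.get(op, 0), end - start + 1)
    return flagged
```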
Security is long-term work. With the Internet ecosystem developing so rapidly, personal information and data security are receiving more and more attention, and security is the lifeline of every business of a large Internet company. Anti-intrusion is the top priority in the field of basic security: all major Internet enterprises face targeted attacks from hackers worldwide, and even from national teams, all the time, and a single major incident can cause irreparable damage to a commercial brand. I believe that security exercises and red-blue confrontation will continue to play an important role on this protracted security battlefield.
After reading the above, do you have a better understanding of how Twitter was hacked? If you want to know more, please follow the industry information channel. Thank you for your support.