Twitter Breach Incident Score: Analysis & Impact (TWI2632126111725)

In this Rankiteo incident briefing, we review the Twitter breach identified under incident ID TWI2632126111725.

The analysis begins with a detailed overview of Twitter's information like the linkedin page: https://www.linkedin.com/company/twitter, the number of followers: 1574846, the industry type: Software Development and the number of employees: 1128 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 631 and after the incident was 528 with a difference of -103 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on Twitter and their customers.

On 15 July 2020, Twitter (now X Corp) disclosed Account Takeover, Social Engineering and Cryptocurrency Scam issues under the banner "Twitter Celebrity Account Hijacking and Cryptocurrency Scam (2020)".

British prosecutors secured a civil recovery order to seize £4.11 million ($5.39 million) in crypto assets from Joseph James O'Connor (aka 'PlugwalkJoe'), linked to the July 2020 Twitter breach.

The disruption is felt across the environment, affecting Twitter Internal Admin Tools and Celebrity/High-Profile Accounts (e.g., Barack Obama, Bill Gates, Jeff Bezos), and exposing Private Direct Messages, Account Credentials and High-Profile User Data, plus an estimated financial loss of $100,000+ (from Bitcoin scam) + £4.11 million ($5.39 million) seized in crypto assets.

In response, teams activated the incident response plan, moved swiftly to contain the threat with measures like Account Lockdowns, Revoking Admin Access and Password Resets, and began remediation that includes Enhanced MFA for Employees and Internal Tool Access Restrictions, and stakeholders are being briefed through Public Statements by Twitter, Victim Notifications and CPS Press Release (2023-11-14).

The case underscores how Closed (US criminal case concluded; UK civil recovery order executed), teams are taking away lessons such as SIM-swapping remains a critical vector for high-impact account takeovers, Internal admin tools require stricter access controls and monitoring and Celebrity/high-profile accounts need additional protection layers, and recommending next steps like Implement hardware-based MFA for all employees (especially those with admin access), Monitor for SIM-swap indicators (e.g., sudden carrier changes) and Segment internal tools to limit lateral movement, with advisories going out to stakeholders covering Twitter Security Updates (2020), FBI Cyber Division Alerts and CPS Proceeds of Crime Announcement.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Compromise Accounts: SIM Swap (T1586.002) with high confidence (100%), with evidence including sIM-swapping and social engineering to gain access to internal admin tools, and social Engineering of Mobile Carriers under vulnerability_exploited, Valid Accounts: Cloud Accounts (T1078.004) with high confidence (95%), with evidence including compromised Twitter admin tools used to hijack high-profile accounts, and insider Tool Abuse listed as vulnerability_exploited, and Phishing: Spearphishing via Social Engineering (T1566.002) with high confidence (90%), with evidence including social engineering referenced in attack_vector and description, and sIM-swapping typically preceded by phishing/reconnaissance. Under the Credential Access tactic, the analysis identified Unsecured Credentials: Credentials In Files (T1552.001) with moderate to high confidence (85%), with evidence including weak Multi-Factor Authentication (MFA) on Twitter Employee Accounts, and sIM-swap likely bypassed SMS-based MFA to access credentials and Steal Web Session Cookie (T1539) with moderate to high confidence (80%), with evidence including account Authentication Tokens listed as compromised data, and admin tool access suggests session hijacking. Under the Persistence tactic, the analysis identified Account Manipulation: Additional Cloud Credentials (T1098.003) with high confidence (90%), with evidence including backdoors established such as Twitter Admin Tool Access, and ongoing access to high-profile accounts for extortion/scams. Under the Privilege Escalation tactic, the analysis identified Valid Accounts: Cloud Accounts (T1078.004) with high confidence (95%), with evidence including compromised Internal Tools (Twitter Admin Panel), and overprivileged internal admin tools in root_causes and Account Manipulation (T1098) with high confidence (90%), supported by evidence indicating hijacked accounts retained admin privileges (e.g., posting tweets, accessing DMs). Under the Defense Evasion tactic, the analysis identified Valid Accounts: Cloud Accounts (T1078.004) with high confidence (90%), with evidence including use of legitimate admin tools to evade detection, and no large-scale data leak suggests stealthy operations and Hide Artifacts: Email Hiding Rules (T1564.008) with moderate to high confidence (70%), with evidence including private DMs accessed without immediate detection, and extortion threats sent via compromised accounts. Under the Collection tactic, the analysis identified Email Collection: Remote Email Collection (T1114.002) with high confidence (95%), with evidence including private Direct Messages (DMs) accessed and exfiltrated, and data exfiltration such as Yes (messages accessed, likely downloaded) and Data from Local System (T1005) with moderate to high confidence (80%), supported by evidence indicating account Authentication Tokens and Contact Information compromised. Under the Exfiltration tactic, the analysis identified Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Channel (T1048.002) with moderate to high confidence (85%), with evidence including private messages likely monetized (implied secure transfer), and cryptocurrency wallets used for extortion/scams and Exfiltration Over C2 Channel (T1041) with moderate to high confidence (80%), with evidence including dMs and tokens exfiltrated via attacker-controlled channels, and no evidence of bulk public leaks (suggests controlled exfiltration). Under the Impact tactic, the analysis identified Resource Hijacking: Cryptocurrency Mining (T1496.002) with high confidence (95%), with evidence including fraudulent Bitcoin scam tweets, netting over $100,000, and cryptocurrency wallets compromised, Extortion (T1659) with high confidence (100%), with evidence including extorted victims, and threatened celebrities, and extortion/Threat Targets listed in affected_entities, Data Encrypted for Impact (T1486) with lower confidence (10%), supported by evidence indicating no ransomware reported, but DMs potentially encrypted for extortion leverage, and Defacement: External Defacement (T1491.002) with high confidence (90%), supported by evidence indicating fraudulent Bitcoin scam tweets posted to hijacked accounts. Under the Lateral Movement tactic, the analysis identified Valid Accounts: Cloud Accounts (T1078.004) with high confidence (90%), with evidence including movement from employee accounts to high-profile user accounts via admin tools, and systems affected such as Twitter Internal Admin Tools. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.