Mandiant, SEC Lose Control of X Accounts Without 2FA

Crypto hacks on Mandiant and SEC X accounts are the predictable result of the social media platform’s upcharge for basic cybersecurity protections, experts say.
January 12, 2024
Upon review, Mandiant, Google's cybersecurity unit, has determined that it temporarily lost control of its X account on Jan. 3 to operators of cryptocurrency drainer malware because the account did not have two-factor authentication (2FA) enabled.
Since March 20, 2023, X (formerly Twitter) has restricted SMS-based 2FA to paid premium subscribers; authenticator-app and hardware security-key 2FA remain available to every account at no charge.
It's an embarrassing admission that experts say is a sign of the strain cybersecurity teams are under to keep a crushing onslaught of cyberattacks at bay with a shrinking pool of resources and talent to meet the challenge. If it can happen to Mandiant, it can happen anywhere, they warn.
"Normally, 2FA would have mitigated this, but due to some team transitions and a change to X's 2FA policy, we were not adequately protected," is a statement the Mandiant team certainly never wanted to have to compose, but nonetheless it was posted on X on Jan. 10. "We've made changes to our process to ensure this doesn't happen again."
In a separate high-profile incident on Jan. 9, the X account operated by the Securities and Exchange Commission (SEC) was hijacked to post a fake announcement that the regulator had approved spot Bitcoin exchange-traded funds (ETFs). The post was taken down in less than 20 minutes, but it still gained about 1 million views and briefly drove the price of Bitcoin up by roughly 5%.
X said in a statement that the @SECGov account was accessed by an unidentified individual who had obtained control of a phone number associated with the account through a third party, not through any breach of X's systems. The statement also noted that the SEC did not have 2FA enabled on the account at the time.
While cybersecurity teams are focused on protecting enterprise "crown jewels," threat actors have pounced on the accounts left exposed by X's change to its 2FA policy.
"It’s clear that cybercriminals are taking advantage of the X changes in 2023 to multifactor authentication (MFA) via SMS, which forced users to pay for this security functionality or use app-based MFA," Claude Mandy, chief evangelist, data security, at Symmetry Systems explains. "Unfortunately, as I predicted at the time, it’s clear that organizations are not prepared to pay to use a less secure form of authentication like SMS MFA but also can’t be bothered to download a free authentication app for their social media management accounts."
While enterprise security teams are focused on preventing sophisticated attacks, it can be easy for even the sharpest teams to overlook the simple stuff, according to Bud Broomhead, Viakoo's CEO.
"The shortage of cybersecurity professionals at a time when threats are rising in volume and velocity is likely causing organizations to take shortcuts," Broomhead says. "Similar to how cybersecurity companies often have more vulnerabilities in their code than other forms of software, due to time pressures and cutting-edge code development, security firms like Mandiant may be so focused on more serious or complex exploits that the basics — like setting up 2FA on an X account — are simply missed."
Becky Bracken, Editor, Dark Reading