Mandiant's brute-forced X account exposes perils of skimping on 2FA

Google-owned security house Mandiant's investigation into how its X account was taken over to push cryptocurrency scams concludes the "likely" cause was a successful brute-force password attack.

The natural reaction to this would be to ask why two/multi-factor authentication didn't prevent this from taking place. Well, Mandiant's carefully worded response basically said it wasn't implemented.

"Normally, 2FA would have mitigated this, but due to some team transitions and a change in X's 2FA policy, we were not adequately protected," it posted via its now recovered account. "We've made changes to our process to ensure this doesn't happen again."

That's as much detail as the company was willing to dish out. It didn't specifically point to the policy change X (then called Twitter) announced in February 2023, which was to disable SMS-based 2FA for users who didn't pay for Twitter Blue, but some have speculated that this may be the reason a brute force attack was achievable.

Mandiant does not have an X account with any kind of verification, a consumer-grade blue tick, or a big org yellow tick, which means it does not pay X and if it did rely on SMS-based 2FA, it would have been removed when the policy change took place in March 2023.

X still allows free accounts to use 2FA, as long as it's app-based or uses security keys, both of which are considered safer than SMS-based 2FA, which is vulnerable to SIM swapping.

According to X's data taken from 2021, just 2.6 percent of users enabled any form of 2FA on their accounts and 74.4 percent of those who did used an SMS-based implementation.

"Humans being human and avoiding additional work, many didn't take an additional step on [March 20, 2023] to re-set up MFA using a different free option," said Rocahel Tobac, CEO at Social Proof Security.

Google's data from 2019 indicated that SMS-based 2FA can block up to 100 percent of automated attempts to hijack accounts, 99 percent of bulk phishing attacks, and 66 percent of targeted attacks. 

This means even the least-effective form of 2FA is certainly better than no 2FA at all.

The Register approached Mandiant for clarity on the matter but the company did not respond.

Mandiant did confirm in a blog covering the incident's investigation that there is no evidence to suggest there was a compromise of the systems at Mandiant or its parent Google Cloud.

The postmortem into the account hijack comes days after the US Securities and Exchange Commission (SEC) also had its X account taken over by what is believed to be a SIM-swapping attack.

After being compromised, attackers used their access to the account, which has 746,600 followers, to push news about Bitcoin ETFs being approved for listing on national exchanges.

The SEC quickly passed this off as fake news before announcing today that, actually, it was true after all.

Drainer-as-a-service scams on the rise

As it revealed the cause of the hijack, Mandiant also blogged about the scam the hijackers pushed in the hours they had control of the account, an attack that's been growing in popularity in the last few months.

The scam, Mandiant says, was pushing the CLICKSINK drainer-as-a-service (DaaS) – a toolkit comprising malicious scripts and smart contracts to steal digital assets like cryptocurrencies and NFTs from web3 enthusiasts.

• Infoseccers think attackers backed by China are behind Ivanti zero-day exploits
• Fidelity National now says 1.3M customers had data stolen by cyber-crooks
• Uncle Sam tells hospitals: Meet security standards or no federal dollars for you
• Be honest. Would you pay off a ransomware crew?

CLICKSINK is just one of the many draining campaigns that have been wreaking havoc on digital wallets in recent months. 

DaaS offerings like CLICKSINK operate using a model that followers of El Reg's ransomware coverage may be familiar with – developers build a toolkit and ship it off to affiliates, collecting a cut of whatever each affiliate is able to rake in.

Mandiant believes CLICKSINK campaigns alone have netted cybercrims $900 million since December 2023, and its developers typically collect between 5 and 25 percent of every successful attack.

"While we do not have direct insight into why there is such a wide variance, it may depend on various factors, such as special partnerships or reduced fees for more successful affiliates," Mandiant said.

Victims are lured by cryptocurrency-themed phishing pages often claiming to offer an airdrop – a common marketing scheme run to raise awareness of new crypto tokens, offering free tokens in exchange for a little publicity.

Due to crypto's well-known propensity for gaining huge value in a short space of time, these schemes naturally attract quite an audience.

At the start of this year, Bill Lou, co-founder of security-focused Nest Wallet (the irony is not lost on anyone), admitted in a series of posts to X that he too fell for an airdrop-themed drainer attack, losing 52 Lido Staked Ether (stEth) tokens, equivalent to around $140,000 by today's conversion.

Rather than seeing a dodgy link posted on social media, Lou followed a seemingly legitimate article that allegedly appeared at the top of Google's search ranking for whatever term he used.

These phishing pages lure users into connecting their wallets to receive what they believe is free crypto, only to have it drained after signing a transaction.

The stEth token itself has soared in value recently – 20 percent in the last month and 98 percent in the past year, according to Coinbase. 

A hallmark of the recent DaaS campaigns is to target owners of tokens that are rapidly rising in value. CLICKSINK, for example, targets Solana (SOL) owners since its value is one of the fastest-growing of all tokens in recent months.

Considering the success of such operations in recent years, Mandiant expects the attacks to continue for some time.

"The wide availability and low cost of many drainers, combined with a relatively high potential for profit, likely makes them attractive operations for many financially motivated actors," it said. 

"Given the increase in cryptocurrency values and the low barrier to entry for draining operations, we anticipate that financially motivated threat actors of varying levels of sophistication will continue to conduct drainer operations for the foreseeable future." ®