Cyber threat intelligence giant Mandiant has shared the outcomes of its investigation into its recent X account hijacking, which followed a wave of crypto-related X account hacks.
On January 3, 2024, the X (formerly Twitter) account of Mandiant, a subsidiary of Google Cloud, was taken over and started sending its 123,500 followers links to a cryptocurrency drainer phishing page.
The firm recovered its account the following day and announced it on social media with the following post: “As you likely noticed, yesterday, Mandiant lost control of this X account, which had 2FA enabled. Currently, there are no indications of malicious activity beyond the affected X account, which is back under our control. We’ll share our investigation findings once concluded.”
On January 11, the firm published the results of this investigation, which determined the hijack was likely due to a brute-force password attack and was limited to the company’s main X account, @Mandiant.
We have completed our investigation into last week’s Mandiant X account takeover and determined it was likely a brute force password attack, limited to this single account.
— Mandiant (@Mandiant) January 10, 2024
The investigation found “no evidence of malicious activity on, or compromise of, any Mandiant or Google Cloud systems that led to the compromise of this account.”
Mandiant Blames X’s 2FA Changes
In its communication, Mandiant pointed to misconfigurations in its account’s two-factor authentication (2FA), for which the firm took some responsibility but also laid the blame partly on X.
“Normally, 2FA would have mitigated this, but due to some team transitions and a change in X’s 2FA policy, we were not adequately protected. We’ve made changes to our process to ensure this doesn’t happen again,” the firm’s social media post said.
Specifically, the text message/SMS method of 2FA was disabled for non-Twitter Blue users in February 2023. Authentication app and security key methods remain available.
This decision sparked considerable controversy among the user base, as 2FA is considered an essential security measure and limiting its availability raises concerns about potential vulnerabilities.
CLINKSINK Drainer-as-a-Service Threat Actors Behind the Hack
Mandiant has identified 35 IDs associated with a drainer-as-a-service (DaaS) group using the CLINKSINK crypto wallet drainer, a type of malware that exploits vulnerabilities in smart contracts or user errors to steal funds.
CLINKSINK users specifically target Solana (SOL) wallets.
These digital grifters use hijacked X and Discord accounts to share cryptocurrency-themed phishing pages impersonating Phantom, DappRadar, and BONK with fake token airdrop themes.
Using these compromised accounts, they lure their victims with promises of free tokens, deploying convincing phishing pages disguised as popular crypto platforms.
Instead of enriching their targets, they siphon funds directly into their own wallets, keeping 20% for themselves and leaving the rest for the shadowy figures who run the drainer service.
Mandiant estimates that this scheme has drained at least $900,000 from unsuspecting crypto enthusiasts.
The same 35 affiliate IDs have used CLINKSINK since December 2023 to steal funds and tokens from Solana users in various campaigns.
A Wave of Crypto-Related X Account Hijacks
Several companies, including Netgear, Hyundai and Certik, have also recently had their X social media accounts hijacked and used for cryptocurrency scams by threat actors.
On January 10, the X account of the US Securities and Exchange Commission, @SECGov, was compromised and posted a fake announcement about the approval of Bitcoin exchange-traded funds (ETFs) on securities exchanges, leading to Bitcoin prices briefly spiking.
X’s safety team later said the takeover was due to the hijacking of a phone number associated with the @SECGov account in a SIM-swapping attack. X also noted that the SEC’s account did not have two-factor authentication (2FA) enabled at the time the account was hacked.