Skip to content
Salus Cyber

Salus News August 8th 2022

8 August 2022

Twitter Data Breach Vulnerability Exploited by Hacker

Twitter Confirms Data Breach

On the 8th of August 2022, Twitter confirmed that the phone numbers and email addresses of 5.4 million accounts had been stolen due to a vulnerability that was flagged back in January 2022. News of this breach first came to the surface when a press report discovered in July 2022 that data relating to twitter accounts was being sold. Twitter investigated this and were able to confirm from a sample of the data within the data breach that the account details were correct.

What was the Vulnerability?

The vulnerability occurred in the log-in flow of twitters login form. If an attacker entered a valid email address or phone number of a twitter account into the log-in flow, then they would be notified if a twitter account with the entered email address or phone number existed. This allowed for malicious actors to enumerate for Twitter accounts by using wordlists of phone numbers or email addresses (usually from other data breaches). The acquired data about these twitter accounts were later uploaded and put up for sale on a hacking forum known as Breach Forums (previously known as Raid Forums). This vulnerability was first believed to have been introduced to Twitter in June 2021 when Twitter performed an update to their code. This means that there was a seven-month period in which the vulnerability could have been exploited.

Twitters History of Exploits

This is not the first time Twitter has been affected by an attack, the social media giant has been involved in numerous attacks over the past few years. The more notable ones were when a hacker took control over high-profile accounts such as, Elon Musk, Bill Gates, and Barack Obama. The hacker then used these accounts to post a scam message stating that if a user was to send bitcoin to them, then they would send back to that user double what they sent. This managed to earn the hacker around $100,000 in bitcoin transactions. Twitter claimed that the reason this attack occurred was due to a social engineering attack, in which the hacker was able to get the credentials of an admin by using spear-phishing.

In October 2019 two former employees were charged with spying for Saudi Arabia. It was believed that these two employees were gathering personal information on specific users to give to foreign nations.

This can be quite worrying for the users of Twitter as it looks like Twitter does a poor job of handling vulnerabilities and exploits. It could also appear that Twitter won’t address vulnerabilities or exploits that have occurred until it has publicly been revealed by some external source. This can be seen with Twitter not mentioning the exploit which led to their most recent data breach until news of the breach had occurred seven months later.

References

Twitter data breach exposes contact details for 5.4M accounts (9to5mac.com)
Twitter Data Breaches: Full Timeline Through 2022 (firewalltimes.com)

New Microsoft Patches August Patch 2022

DogWalk Receives Patch

Microsoft on the tenth of August 2022 released a new bundle of patches which addressed one hundred and forty-one flaws, seventeen of which were rated as critical. One of these critical vulnerabilities was DogWalk. This vulnerability was first discovered and reported to Microsoft near the end of 2019 and would allow attackers to perform remote code execution or potentially elevate their privileges. Despite DogWalk first being discovered in 2019 and then documented in 2020, it took Microsoft two years to release a patch for it. This could be due to Microsoft originally believing that the vulnerability could only be exploited if the attacker had physical access to the vulnerable computer. However, this was later discovered to not be the case as a variation of DogWalk was engineered that allowed for remote code execution to be performed using Microsoft’s Diagnostics Tool.

Other Patched Vulnerabilities

In Microsoft’s latest patch, a trio of privilege escalation vulnerabilities affecting Microsoft Exchange Server were patched. These three vulnerabilities required authentication and user interaction to be exploited. This means that the attacker would have had to trick users into visiting a specifically crafted exchange server to exploit these vulnerabilities. This would most likely be achieved through phishing.

A zero-day vulnerability affecting SMB 3.1.1 (SMBv3) was also fixed in the latest patch. This was a vulnerability that only affected Windows 11. This implies that some functionality added in Windows 11 introduced this vulnerability. Disabling SMBv3 compression was a potential work around fix to this vulnerability, however, it is now recommended that the new patch is deployed to resolve this issue.

Another critical vulnerability that was addressed in this new patch was one in Windows Network File System (NFS). This is not the first time this year that Microsoft has addressed a vulnerability in Windows NFS. This is now the fourth month in a row in which Microsoft has addressed an issue in this area showing that Windows NFS currently needs more work put into it to ensure it is as secure as possible. For an attacker to be able exploit it, they can perform a remote unauthenticated attack where they have a specifically crafted call to a vulnerable NFS server. This will then allow the attacker to perform remote code execution at elevated privileges compromising the system.

Conclusion

Microsoft’s newest patch is a critical update, and it is recommended that it be deployed to all necessary devices. The newest patch fixes several critical issues that have been known for quite a while now and fixes other flaws with Microsoft systems.

References

Microsoft Patches ‘DogWalk’ Zero-Day in August Patch Tuesday (databreachtoday.com)