Well, Mandiant's carefully worded response basically said it wasn't implemented.
It didn't specifically point to the policy change X announced in February 2023, which was to disable SMS-based 2FA for users who didn't pay for Twitter Blue, but some have speculated that this may be the reason a brute force attack was achievable.
Mandiant does not have an X account with any kind of verification, neither a consumer-grade blue tick nor an organization yellow tick, which means it does not pay X. If it did rely on SMS-based 2FA, that protection would have been removed when the policy change took effect in March 2023.
X still allows free accounts to use 2FA, as long as it's app-based or uses security keys, both of which are considered safer than SMS-based 2FA, which is vulnerable to SIM swapping.
According to X's own data from 2021, just 2.6 percent of users enabled any form of 2FA on their accounts, and 74.4 percent of those who did used an SMS-based implementation.
Google's data from 2019 indicated that SMS-based 2FA can block up to 100 percent of automated attempts to hijack accounts, 99 percent of bulk phishing attacks, and 66 percent of targeted attacks.
This means even the least-effective form of 2FA is certainly better than no 2FA at all.
The Register approached Mandiant for clarity on the matter but the company did not respond.
Mandiant did confirm in a blog covering the incident's investigation that there is no evidence to suggest there was a compromise of the systems at Mandiant or its parent Google Cloud.
The postmortem into the account hijack comes days after the US Securities and Exchange Commission also had its X account taken over by what is believed to be a SIM-swapping attack.
Attackers used their access to the account, which has 746,600 followers, to push news about Bitcoin ETFs being approved for listing on national exchanges.
As it revealed the cause of the hijack, Mandiant also blogged about the scam the hijackers pushed in the hours they had control of the account, an attack that's been growing in popularity in the last few months.
The scam, Mandiant says, was pushing the CLICKSINK drainer-as-a-service (DaaS) - a toolkit comprising malicious scripts and smart contracts to steal digital assets like cryptocurrencies and NFTs from web3 enthusiasts.
CLICKSINK is just one of the many draining campaigns that have been wreaking havoc on digital wallets in recent months.
Mandiant believes CLICKSINK campaigns alone have netted cybercrims $900 million since December 2023, and its developers typically collect between 5 and 25 percent of every successful attack.
Victims are lured by cryptocurrency-themed phishing pages often claiming to offer an airdrop - a common marketing scheme run to raise awareness of new crypto tokens, offering free tokens in exchange for a little publicity.
At the start of this year, Bill Lou, co-founder of security-focused Nest Wallet, admitted in a series of posts to X that he too fell for an airdrop-themed drainer attack, losing 52 Lido Staked Ether tokens, equivalent to around $140,000 by today's conversion.
The stETH token itself has soared in value recently - 20 percent in the last month and 98 percent in the past year, according to Coinbase.
A hallmark of the recent DaaS campaigns is to target owners of tokens that are rapidly rising in value.
Considering the success of such operations in recent years, Mandiant expects the attacks to continue for some time.
This Cyber News was published on go.theregister.com. Publication date: Thu, 11 Jan 2024 18:13:03 +0000