The U.S. Securities and Exchange Commission confirmed today that its X account was hacked through a SIM-swapping attack on the cell phone number associated with the account.
Earlier this month, the SEC's X account was hacked to issue a fake announcement that the agency had finally approved Bitcoin ETFs on securities exchanges.
Ironically, the SEC approved Bitcoin ETFs in a legitimate announcement the following day.
At the time, it was not clear how the account was breached, with the SEC stating that it would provide updates on the investigation as they became available.
Today, the SEC has confirmed that a cell phone account associated with the X account suffered a SIM-swapping attack.
In SIM swapping attacks, threat actors trick a victim's wireless carrier into porting a customer's phone number to a device under the attacker's control.
This allows all texts and phone calls sent to that number to be received by the hackers, including password reset links and one-time passcodes for multi-factor authentication.
According to the SEC, the hackers did not have access to the agency's internal systems, data, devices, or other social media accounts, and the SIM swap occurred by tricking their mobile carrier into porting the number.
The SEC says they continue to work with law enforcement to investigate how the attackers conducted the SIM-swapping attack with their mobile carrier.
The SEC also confirmed that multi-factor authentication was not enabled on the account, as they had asked X support to disable it when they encountered problems logging into the account.
If MFA had been enabled via SMS, the hackers would still have been able to breach the account, as they would have received the one-time passcodes on the ported number.
If the security setting had been configured to use an authentication app, it would have prevented the threat actors from logging into the account, even after the attackers had changed the password.
For this reason, it is always advised that MFA only be used with a hardware security key or an authentication app rather than through SMS.

X has been plagued this past year with hacked accounts and malicious advertisements promoting cryptocurrency scams and wallet drainers.
There does not appear to be an end in sight, with users now fed up with what feels like a constant stream of malicious advertisements.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 22 Jan 2024 23:05:11 +0000