MFA and Misinformation: What to Know About SEC’s X Account Hack

On Jan. 9, a hacker compromised the US Securities and Exchange Commission (SEC) X account, @SECGov. The unauthorized party posted an announcement of the regulator’s “approval of spot bitcoin exchange-traded funds, as well as a second post approximately two minutes later that said ‘$BTC,’” according to a statement from the SEC. The post resulted in a spike in Bitcoin prices. The SEC did not have two-factor authentication enabled on its account, X shared in a post the same day of the compromise.

The SEC is not the first organization to have its X account compromised. This hack, and others like it, raise questions about cybersecurity hygiene, how social media fits into cybersecurity strategy, and the proliferation of misinformation.

Cryptocurrency and Compromised X Accounts

In this particular incident, the hacker was able to execute the compromise by gaining control of a phone number associated with the SEC’s account, according to X’s investigation. The attacker could have gained control of the phone number via a SIM swapping attack. Given the spike in Bitcoin prices following the intruder’s post, the motivation could have been financial.

Earlier in the month, another X account was compromised as a part of a cryptocurrency scam. Hackers were able to compromise Google subsidiary Mandiant’s X account, likely via a brute force password attack, according to the cybersecurity firm’s investigation. In this case, the actors leveraged access to Mandiant’s account to share links as a part of a CLINKSINK drainer campaign. Mandiant posted a blog describing how the phishing pages used by this type of campaign drain cryptocurrency wallets.

Related:Clock Starts on SEC Cyberattack Rules: What CISOs Should Know

Multifactor Authentication

Like the SEC’s X account compromise, multifactor authentication had a role to play in the hack of Mandiant’s X account. On Jan. 10, the cybersecurity company posted: “Normally, 2FA would have mitigated this, but due to some team transitions and a change in X’s 2FA policy, we were not adequately protected. We've made changes to our process to ensure this doesn't happen again.”

The SEC’s lack of multifactor authentication has garnered attention from lawmakers. US Senators Ron Wyden, D-Ore., and Cynthia Lummis, R-Wyo., shared a joint statement calling for an investigation into the hack and the SEC’s failure to adhere to cybersecurity best practices.

“We urge you to investigate the agency’s practices related to the use of MFA, and in particular, phishing-resistant MFA, to identify any remaining security gaps that must be addressed,” according to the statement.

Related:The Rise of Dual Ransomware Attacks

Darren Guccione, CEO and co-founder of Keeper Security, a passwords and secrets management company, points out that cybersecurity funding and legislation has typically garnered bipartisan support. “The bipartisan scrutiny of this incident could serve to further coalesce support for strengthening government agencies’ cybersecurity defenses,” he shares in emailed comments.

While multifactor authentication could have prevented the compromise of the SEC and Mandiant accounts, many other users are likely vulnerable to similar attacks. The social media company shared in an Account Security report, 2.6% of active accounts had at least one two-factor authentication method enabled as of its July 2021 to December 2021 reporting period.

“If the account is important, should [it] actually require multifactor? If the account is important, should [it] require factors that are actually strong?” asks Jasson Casey, CEO of Beyond Identity, a passwordless identity management company, and a former defense contractor.

X offers two-factor authentication via text message, authentication app or security key. (Beginning on March 20, 2023, X stopped supporting two-factor authentication via text for its non-premium subscribers.) Many other platforms offer similar MFA options. “It portrays to the user all these things are equal. And they're not,” says Shawn Loveland, COO, of cybersecurity company Resecurity. “So, users tend to pick the ones that have the least amount of friction, which also tend to be the least secure.”

Related:7 Security Trends to Watch Heading into 2024

SMS, while convenient, is not considered a secure option for MFA. “Traditional 2FA methods such as SMS are weaker than other methods like an authenticator app or hardware key,” says Guccione. “In fact, the National Institute of Standards and Technology (NIST) removed the use of SMS authentication from its recommended authentication methods list due to the potential vulnerabilities.”

Phishing-resistant MFA, such as FIDO security keys, can strengthen an organization’s cybersecurity defenses. “Just because something's multifactor doesn't mean it can't be trivially bypassed,” says Casey. “Multifactor that's not phish-resistant is kind of like a paper tiger.”

While X points to the SEC’s lack of two-fact authentication, could the platform have done anything to prevent this account takeover? “X appears to [have] allowed an account to be recovered using SMS from a device, I'm assuming … they've never seen login to X before with that account,” says Loveland. “They should have an extra precaution saying, ‘Hey, somebody's trying to do an account recovery from a device they've never logged in [with] before.'”

Misinformation

The SEC emphasizes in its statement that “there is currently no evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts.” Likewise, X notes that the account takeover did not involve any breach of its systems. Less than an hour elapsed between the unauthorized post and its deletion, but the consequences of the misinformation were clear in the Bitcoin price increase.

X accounts will continue to be the target of actors wishing to spread misinformation, whether for financial gain or other aims.

“The legitimate owners of these accounts are always going to follow up and post something after they regain control of the account saying, ‘This wasn’t us. Please ignore this message,’ but the message is already out there in the public mind,” says Ariel Ropek, principal threat researcher at Panther Labs, a cloud SIEM platform. “Especially with widely reaching accounts like the SEC and Mandiant, the damage can already be done.”

In an US election year, concerns regarding misinformation and disinformation are mounting. “It's very difficult to have the populous or the social media space forget that disinformation even after it's been proven of it was false,” says Ropek.

Social media is an integral part of many enterprises’ business operations. While marketing or dedicated social media teams may be in charge of accounts with X and other platforms, CISOs and their teams have a role to play as well.

“There's a tendency to view social media accounts as not as important as an administrator account for your IT infrastructure, for example,” says Ropek. “But especially for organizations that do have a large public-facing component … I think there's an argument that says the risk of takeover of these social media accounts is significant and should be taken seriously.”