Musk’s Twitter takeover shifted who’s controlling malware there


Twitter’s infrastructure has long contained malicious gateways for threat actors to abuse. Since Elon Musk took over the social network, more of the ‘gatekeepers’ behind those gateways appear to be nation-state-level actors.

Billionaire Elon Musk taking over Twitter brought many changes to the company: from the drastic reduction in staff and disbanding of the company’s Trust and Safety Council to Jesus becoming a verified account holder.

However, the transition kickstarted by the ‘Chief Twit’ has also affected the cyber underworld. According to Karim Hijazi, the CEO of cybersecurity company Prevailion, Twitter’s infrastructure under Musk hosts fewer commodity malware groups and more nation-state-level threat actors.

Hijazi’s team measured malicious communications egressing from Twitter’s infrastructure over the last 180 days and noted that the changes in that traffic coincided with the company’s change of leadership. While the shift might signal a clean-up spree, it also highlights Twitter’s exposure to nation-state attackers.

Karim Hijazi, Prevailion. Image by Hijazi. Edited by Cybernews.

“I think more sophisticated groups want to stay within Twitter’s infrastructure so they could move laterally if need be. There is also an opportunity to sabotage the environment if there’s a motivation for that. For example, with wiper malware,” Hijazi told Cybernews.

You discussed changes in malicious communications originating from Twitter. Could you talk about the nature of it?

So, in this case, malicious communications are the collection of actual data that is leaving Twitter to the command and control (C2) environment by a malicious actor. This isn’t just generic benign traffic. It’s confirmed malicious traffic.

Most likely, it is malware that is inside Twitter’s infrastructure. Something that is there is communicating back to a C2 environment. Something implanted is communicating with its operator, whether to do further reconnaissance or laterally move in the network in some fashion. And then this is further validated by the nature of the threat type we were looking at. These are more sophisticated advanced persistent threats (APTs).

Have you noticed an increase in these malicious communications since Twitter’s leadership has changed?

I wouldn’t go so far as to say that we saw an increase. However, it’s less about the volume and more about the frequency and velocity. That did change. Now, it changed in a way that makes sense because there’s a lot of infrastructure change with the new leadership. There’s probably been some legacy infrastructure that was outdated and was shut down. We see this a lot with mergers and acquisitions.

Interestingly, we saw that there was a fairly substantial variety of threat groups that were there prior to the new leadership. And now, after the new leadership, there’s been a reduction in the number of threat actors, but the remaining ones are highly sophisticated. This makes sense as those who know how to persist in an environment with higher levels of security and scrutiny remain.

So, in a sense, there are fewer malware operators, but the remaining ones are much more sophisticated.

That is correct. I’m speculating here, but one could argue that the remaining groups are of a nation-state quality. They are interested in remaining persistent in these environments for all kinds of reasons, for example, reconnaissance. It’s a classic espionage utility that they would be foregoing if they allowed these things to be found and removed.

What we’re tracking are initial access points. If malware operators want to leverage further-stage infections, they can do so. What I believe we’re seeing are the gateways that were established a long time ago that are there for when and if they want to be utilized.

Not that these communications signal that any kind of campaign is underway. They are more of an established plumbing, to put it in layperson’s terms, that you need to do what you want down the road.

How dangerous do you think the malware situation with Twitter is?

One of the threat types that I noticed was cryptocurrency miners. People don’t take those as seriously as they probably should. It’s not exactly what I would consider an APT or a nation-state utility. But if that is something that manages to stay in the environment, then anything more sophisticated is going to have an easier time getting in and persisting.

I think more sophisticated groups want to stay within Twitter’s infrastructure so they can move laterally if need be. There is also an opportunity to sabotage the environment if there’s a motivation for that. For example, with wiper malware.

I didn’t see anything specifically suggestive of the fact that there’s wiper malware there, and in no way am I suggesting that’s the case. But wiper malware is usually a secondary or tertiary stage deployment once you have a gateway, which is precisely what is there at the moment.

Could you expand a little bit more on threat actors moving laterally on Twitter?

Their goal here is to get in at a lower level in some capacity and then essentially escalate their privileges into a position of power. Possibly get to the point where they look like a legitimate user. My concern here would be that they are doing reconnaissance to figure out where they want to go and take action that’s debilitating to the victim. An unfortunate reality is that threat actors often have a much better sense of the victim network than the victims do themselves.
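The interview describes the measurement only in outline: confirmed malicious egress is traffic from inside the network to a known command-and-control destination, and what distinguishes an established "gateway" is not the volume of data it sends but the frequency and velocity of its check-ins. The script below is an added example written for this page, not Prevailion's tooling or anything from the interview. It takes constructed netflow-style records, keeps only flows to a hypothetical indicator list of C2 addresses, and then profiles each source/destination pair by connection cadence, flagging pairs whose inter-arrival times are clock-like (low jitter), which is the classic beacon signature. All IP addresses, timestamps and indicators are placeholders.

```python
"""Egress C2 triage over constructed flow records (added example, not the
interview's or Prevailion's code). Every IP, timestamp and indicator below is
a constructed placeholder."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical indicator list: destinations assumed to be known C2 servers.
C2_INDICATORS = {"198.51.100.23", "203.0.113.77"}

# Constructed flow log: "timestamp src_ip dst_ip dst_port bytes_out".
# Host 10.0.5.12 beacons every 5 minutes with tiny payloads; host 10.0.5.40
# talks to a second C2 irregularly and also pushes a large, benign transfer.
SAMPLE_FLOWS = """\
2022-12-01T10:00:00Z 10.0.5.12 198.51.100.23 443 512
2022-12-01T10:05:00Z 10.0.5.12 198.51.100.23 443 498
2022-12-01T10:10:00Z 10.0.5.12 198.51.100.23 443 530
2022-12-01T10:15:00Z 10.0.5.12 198.51.100.23 443 501
2022-12-01T10:02:13Z 10.0.5.40 93.184.216.34 443 90210
2022-12-01T10:07:42Z 10.0.5.40 203.0.113.77 8443 1200
2022-12-01T11:31:05Z 10.0.5.40 203.0.113.77 8443 1190
2022-12-01T13:58:19Z 10.0.5.40 203.0.113.77 8443 1205
2022-12-01T10:09:00Z 10.0.5.40 93.184.216.34 80 4200
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flows(text):
    """Parse the whitespace-separated flow format used by SAMPLE_FLOWS."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        # fromisoformat() only accepts a 'Z' suffix from Python 3.11 on.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        flows.append(Flow(when, src, dst, int(dport), int(nbytes)))
    return flows


def confirmed_malicious(flows, indicators=C2_INDICATORS):
    """The 'confirmed malicious traffic' subset: egress to a C2 indicator."""
    return [f for f in flows if f.dst in indicators]


def beacon_profile(flows):
    """Per (src, dst) pair: count, total bytes, mean check-in interval and
    jitter (stdev/mean of inter-arrival times). Jitter near 0 means the
    implant is phoning home on a timer; None means too few flows to judge."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    profile = {}
    for pair, fs in by_pair.items():
        fs.sort(key=lambda f: f.ts)
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(fs, fs[1:])]
        interval = mean(gaps) if gaps else 0.0
        jitter = pstdev(gaps) / interval if len(gaps) > 1 and interval else None
        profile[pair] = {
            "count": len(fs),
            "bytes": sum(f.bytes_out for f in fs),
            "mean_interval_s": interval,
            "jitter": jitter,
        }
    return profile


def flag_beacons(profile, min_count=3, max_jitter=0.2):
    """Pairs that check in repeatedly on a near-fixed schedule."""
    return sorted(
        pair for pair, p in profile.items()
        if p["count"] >= min_count
        and p["jitter"] is not None
        and p["jitter"] <= max_jitter
    )


if __name__ == "__main__":
    prof = beacon_profile(confirmed_malicious(parse_flows(SAMPLE_FLOWS)))
    for (src, dst), p in sorted(prof.items()):
        print(f"{src} -> {dst}: {p['count']} flows, {p['bytes']} bytes, "
              f"every {p['mean_interval_s']:.0f}s, jitter={p['jitter']}")
    print("beaconing:", flag_beacons(prof))
```

Note what the volume column does not tell you: the single largest flow in the sample (90,210 bytes to 93.184.216.34) is not on the indicator list and is ignored, while the 5-minute, ~500-byte check-ins from 10.0.5.12 are the ones flagged. The second C2 pair is kept as confirmed malicious but not flagged as a beacon, because its irregular gaps push the jitter above the threshold; in practice you would tune `min_count` and `max_jitter` against a longer window than these constructed records.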
