Hacker exploits SIM card swap, hijacks SEC's social media account, exposing vulnerabilities in multifactor authentication. (IT World Canada)


January 23, 2024

In a recent security breach, an unidentified hacker took control of the U.S. Securities and Exchange Commission's (SEC) account on the social media platform X by exploiting a SIM card swap at a cellphone carrier. The hacker manipulated the carrier into transferring control of an employee's cellphone number and then used that number to reset the password for the @SECGov account. Notably, the account lacked multifactor authentication at the time of the incident. The SEC stated that it had initially been enabled but was later disabled at staff request, offering no further explanation for that decision.

The unauthorized party gained access to the phone number through a SIM card swap, a process in which the SIM card that registers a wireless device with a carrier is transferred from one device to another, moving the phone number with it. The hacker, relying on the susceptibility of support staff to social engineering, convinced the carrier to change the device associated with the SIM card. Gaining control of the victim's phone number is the crucial step in compromising accounts whose multifactor authentication or password recovery relies on a code sent to a mobile device.

The SEC emphasized that the breach did not involve its internal systems but instead exploited weaknesses in the carrier's customer-support processes. Once in control of the SEC's X account, the attacker made a false post announcing the approval of spot bitcoin exchange-traded funds. Although untrue at the time, the SEC did approve the listing of spot bitcoin ETFs on certain exchanges a few days after the incident.

Investigations into the breach are underway, involving the SEC's Office of Inspector General, the FBI, and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. SIM card swap attacks, a method threat actors have employed for years, pose a significant risk because they allow unauthorized access to accounts whose multifactor authentication depends on the victim's phone number. In some instances, such attacks target organizations' IT networks, as exemplified by the Lapsus$ gang, while in others, as in this case, social media accounts are compromised to promote cryptocurrency scams.

Notably, this incident fits a trend in which several prominent X accounts, including those of Mandiant, the city of Peterborough, Ont., and a Canadian Senator, were temporarily hijacked to promote cryptocurrency-related schemes. SIM card swaps are not the sole tactic in every case: some attackers take over unprotected social media accounts by guessing or brute-forcing passwords. Mandiant, for instance, admitted that multifactor authentication had been disabled on its account during a staff transition.

Highlighting the severity of SIM card swap threats, the FBI issued a warning in 2022 urging carriers to educate employees on SIM swapping risks, scrutinize incoming emails for potential fraud, implement strict security protocols for changing customer numbers, and authenticate calls from authorized third-party retailers requesting customer information. As the threat landscape continues to evolve, closing gaps in carrier account-change procedures and in phone-based authentication is essential to preventing unauthorized access and the abuse that follows it.
