The security options for X can negate the benefits of security keys, making subscribers' accounts vulnerable to hackers.
BY eSentire Threat Response Unit (TRU)
September 16, 2024 | 12 MINS READ
On September 3, 2024, hackers breached the X accounts of Lara Trump, Donald Trump's daughter-in-law and co-chair of the Republican National Committee, and Tiffany Trump, the former president's youngest daughter.
The hackers posted fake messages from both accounts, crafted to look as if Lara and Tiffany were announcing that the Trump family's new cryptocurrency venture, World Liberty Financial, had launched. It had not officially launched, yet the hackers' links claimed to be "the only official channels of World Liberty Financial."
An official account for World Liberty Financial confirmed the hack in a separate post on X. “ALERT: Lara’s and Tiffany Trump’s X accounts have been hacked. Do NOT click on any links or purchase any tokens shared from their profiles,” the company said. “We’re actively working to fix this, but please stay vigilant and avoid scams!”
Donald Trump has called himself the first “crypto president” and his campaign is receiving substantial contributions from the crypto industry. However, according to news reports, not all of Trump’s cryptocurrency advocates/supporters are fans of the proposed World Liberty Financial venture.
The compromise of the Trumps' social media accounts is the latest in a string of attacks on the X accounts of celebrities and high-profile executives, all in support of cryptocurrency scams. X does offer two-factor authentication options so subscribers can secure their accounts, and these options include security keys/passkeys.
The goal of security key/passkey technology is to provide the account holder secure and phishing-resistant access to online accounts, like banking, e-commerce, and social media, without using passwords.
Unfortunately, eSentire’s security research team, the Threat Response Unit (TRU), found that X’s security options, in the wrong configuration, can undermine the benefits of security keys/passkeys, making subscribers' accounts vulnerable to cyberattacks.
eSentire has worked out the strongest process for securing an X account and is publishing that guidance here; it has not been publicly shared before.
In the past year, several other celebrities, high-profile organizations, and executives have also had their X accounts hijacked. In January 2024, the Securities and Exchange Commission's (SEC) X account was hacked, and the threat actors posted a message to its 660,000+ followers.
The false message claimed that the SEC had approved the listing and trading of spot Bitcoin Exchange Traded Funds (ETFs) and caused the market price of Bitcoin to immediately jump to nearly USD $48,000. The fraudulent X message also included an image and additional message from SEC Chairman, Gary Gensler, where he speaks about the “approval” (Figure 1).
According to X's security team, someone hijacked the mobile phone number associated with the SEC's account, most likely through a SIM swapping attack. Nothing about the post itself would have raised suspicion among typical X users, including those who are security experts.
X's security team investigated the SEC hack and released the following statement:
“Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party. We can also confirm that the account did not have two-factor authentication enabled at the time the account was compromised.”
On August 22, 2024, a McDonald's executive had his personal X account hijacked. The scheme began on August 21, 2024, when McDonald's corporate Instagram account, which has approximately 5 million followers, was breached. The hacker used the account "to promote the memecoin called grimace (GRIMACE30045-USD)", a cryptocurrency reportedly inspired by McDonald's purple mascot of the same name.
At the same time as the McDonald's Instagram account began posting about the memecoin, similar promotional posts appeared on the personal X account of McDonald's senior marketing director Guillaume Huin, making it apparent that his X account had been hacked as well.
According to news reports, shortly after the hack, the cryptocurrency's market capitalization rose to around $20 million before dropping to below $1 million, with the hackers presumably cashing out their earnings. The threat actors even updated McDonald's Instagram bio to thank followers for the $700,000 they had fraudulently collected.
The rock band Metallica also had its X account hacked recently. On June 26, hackers used it to promote a Solana-associated token called METAL; the scammers' posts contained disinformation referencing Ticketmaster and the fintech firm MoonPay.
MoonPay's president, Keith Grossman, quickly denied any association with the scam. News outlets reported that the METAL token's market cap briefly jumped to $3.37 million before falling back to $90,000 within several hours.
In July, actress Sydney Sweeney had her X account hacked via a SIM swapping scheme. The threat actor sent numerous posts promoting a Solana meme coin; crypto traders poured $13 million into the token in under an hour before the posts were deleted (Figure 2).
X account holders might ask, “Why should I worry that my X account might be hacked?”
Certainly, for many X users the likelihood that their account will be breached is low. However, if you are a well-known celebrity, high-level executive, or prominent organization with a wide public reach, your account is a likely target for threat actors, especially those running cryptocurrency scams.
High-profile entities exude trust and credibility, and they often have thousands or millions of followers. Also, when an X account is verified, its followers typically trust information from these sources.
For a business or organization to be verified on X, an account holder will pay up to $1,000 a month to subscribe to X Full Access, provide a photo, provide a display name, and a phone number. The X account that represents a brand or organization needs to ensure the X handle and account name are consistent with the brand or organization’s identity.
For an individual to be verified on X, they purchase a premium subscription for $8-15 a month, complete a profile, maintain a consistent presence on the platform, and should also link a phone number to the account.
Many organizations or brands also have a website linked to their X account. Unfortunately, when verified X accounts are hacked, the messages they spread appear credible and their followers are easily deceived.
These incidents highlight that even accounts on one of the world's largest social networking services can be vulnerable to cyberattacks. Security novices might argue that these breaches could have been prevented if the account holders had enabled two-factor authentication (2FA).
However, this blog will show that a security key/passkey gives little protection while the account still keeps traditional 2FA fallbacks such as SMS codes or an authenticator app: attackers simply steer the victim to the weaker method, and those methods can be defeated by SIM swapping and by advanced phishing techniques such as "Adversary-in-the-Middle" (AitM) attacks.
It is important to note that X is not the only online service whose security key/passkey implementation is vulnerable to this. In June 2024, eSentire's TRU team reviewed the security key/passkey login flows of several of the most popular software services and online retailers, and nearly all of them could still be bypassed by AitM phishing using what TRU calls an "Authentication Method Redaction" (AMR) attack.
In an AMR attack, the attacker's phishing proxy rewrites the service's login page as it relays it to the victim, so that the security key/passkey option never appears. The only choice left is to sign in with an email address and password, after which the victim is steered to whichever weaker second factor the account still allows, and the proxy relays all of it to the real service.
The software services and online retailers whose security key/passkey implementations could be bypassed by AitM phishing and AMR attacks include Microsoft Live, Amazon's e-commerce website (not AWS), eBay, CVS Pharmacy, Target, Google Gmail accounts (if not protected by Google's Advanced Protection Program), GitHub, Coinbase, and others.
A successful AitM attack can allow hackers to intercept a victim's login and gain unauthorized access to online financial accounts, email, healthcare records, etc. This kind of access can lead to financial fraud, theft of PII, including personal health records, business email compromise, and so on.
If you are a prominent organization, high-level executive, or well-known celebrity, TRU urges you to secure your X account against sophisticated cyber threats. TRU recommends adopting WebAuthn (e.g., passkeys or FIDO2 hardware authenticators) AND disabling the insecure MFA methods at the same time; one without the other leaves the account exposed. This blog walks through the process of securing an X account with WebAuthn security keys, providing robust protection against phishing attacks and unauthorized access attempts.
Although a recently discovered flaw in YubiKey 5 series security keys makes them vulnerable to cloning, exploiting that vulnerability requires physical access to the YubiKey plus approximately $11,000 USD of equipment to extract the owner's private keys from it.
On top of that, the attacker would also need the account owner's username, password, PIN codes, or any other authentication secrets used to secure the account.
Therefore, security keys, including the YubiKey, remain one of the most effective ways of securing your X account.
WebAuthn is a web standard that provides a secure and phishing-resistant way to authenticate users. It uses public-key cryptography: the private key is generated and stored on an authenticator, either a FIDO2 hardware key such as a YubiKey or a device that supports passkeys (e.g., modern smartphones and computers), and never leaves it; the site only holds the matching public key.
A credential is bound to the site (origin) where it was registered. The browser will only use it on that origin, and the signed response includes the origin the user actually visited, so a phishing site on a different domain can neither trigger the credential nor replay a captured response.
While traditional 2FA methods like SMS codes, authenticator apps, and backup codes add some protection over passwords alone, they are no defense against sophisticated modern phishing attacks: nothing ties such a code to the site the user is typing it into.
These days, attackers can easily intercept these codes or trick users into revealing them, or social-engineer mobile providers into moving the victim's number to an attacker-controlled SIM, so that the code is delivered to the attacker's phone.
Security keys provide a stronger alternative because authenticating requires the private key, which lives on a separate device or in a secure enclave and responds only for the origin it was registered with, making remote phishing virtually impossible.
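To make both points concrete, the AMR attack described earlier and the origin binding just explained, here is an added simulation. It is my own example code, not eSentire's, X's or any WebAuthn library's, written in Go with only the standard library. The origins, the x-login.example phishing proxy, the TOTP seed and the challenge strings are constructed for the demo; the browser and relying-party (RP) logic is a simplified model of the WebAuthn get() ceremony (ES256 signature over authenticatorData || SHA-256(clientDataJSON), origin check on the RP side), not a full implementation, and the one-time code follows RFC 6238. Three cases run: the victim on the real origin logs in with the key; an AitM proxy that strips the security-key option (AMR) and relays the victim's authenticator-app code succeeds while that fallback is enabled; the same proxy gets nothing once only the key remains, because the browser refuses to use an x.com credential on the proxy's origin.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// Constructed names for the simulation; the phishing origin is hypothetical.
const realOrigin = "https://x.com"               // origin the security key was registered on
const rpID = "x.com"                             // WebAuthn relying-party ID for that origin
const phishingOrigin = "https://x-login.example" // attacker's AitM reverse proxy
type account struct { // the relying party's (RP's) record for one user
	pub        *ecdsa.PublicKey // registered security key (ES256 / P-256)
	totpSecret []byte           // authenticator-app fallback; nil once disabled
}
type clientData struct{ Type, Challenge, Origin string } // stands in for clientDataJSON
// newAccount registers a fresh key; the private half is returned only so this simulation can play the authenticator.
func newAccount(totpSecret []byte) (*account, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // a real security key never exports this
	return &account{pub: &key.PublicKey, totpSecret: totpSecret}, key
}
// totp is RFC 6238 (HMAC-SHA1, 30 s step, 6 digits): a function of secret and time only, so the
// code is identical whichever site the victim types it into.
func totp(secret []byte, unixTime int64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(h[off:off+4])&0x7fffffff)%1000000)
}
// rpVerifyTOTP is the RP's fallback check; it cannot tell where the code was typed.
func rpVerifyTOTP(acct *account, code string, now int64) bool {
	return acct.totpSecret != nil && totp(acct.totpSecret, now) == code
}
// signedDigest is what ES256 signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedDigest(authData, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}
// browserGetAssertion models the browser's half of navigator.credentials.get(): it refuses an rpId that does
// not belong to the page origin and writes the true page origin into clientData; page script controls neither.
func browserGetAssertion(key *ecdsa.PrivateKey, pageOrigin, reqRPID, challenge string) (cd, authData, sig []byte, err error) {
	if pageOrigin != "https://"+reqRPID { // real browsers also accept registrable parent domains
		return nil, nil, nil, fmt.Errorf("browser: rpId %q is not valid for origin %q", reqRPID, pageOrigin)
	}
	cd, _ = json.Marshal(clientData{"webauthn.get", challenge, pageOrigin})
	rpHash := sha256.Sum256([]byte(reqRPID))
	authData = append(rpHash[:], 0x01, 0, 0, 0, 1) // rpIdHash || flags (UP) || signCount
	sig, err = ecdsa.SignASN1(rand.Reader, key, signedDigest(authData, cd))
	return cd, authData, sig, err
}
// rpVerifyAssertion is the RP's check: challenge, origin, then the ES256 signature.
func rpVerifyAssertion(acct *account, challenge string, cd, authData, sig []byte) error {
	var c clientData
	switch {
	case json.Unmarshal(cd, &c) != nil || c.Type != "webauthn.get" || c.Challenge != challenge:
		return fmt.Errorf("rp: malformed clientData or challenge mismatch")
	case c.Origin != realOrigin:
		return fmt.Errorf("rp: assertion came from %q, not %q", c.Origin, realOrigin)
	case !ecdsa.VerifyASN1(acct.pub, signedDigest(authData, cd), sig):
		return fmt.Errorf("rp: bad signature")
	}
	return nil
}
// keyLogin runs one security-key ceremony with the victim's browser on pageOrigin.
func keyLogin(acct *account, key *ecdsa.PrivateKey, pageOrigin string) error {
	cd, ad, sig, err := browserGetAssertion(key, pageOrigin, rpID, "constructed-challenge") // a real RP draws it randomly
	if err != nil {
		return err
	}
	return rpVerifyAssertion(acct, "constructed-challenge", cd, ad, sig)
}
// aitmProxy is the attacker's reverse proxy on phishingOrigin; true means the attacker gets a session on the
// real RP. AMR: the proxy strips the security-key option from the relayed page, so the victim only sees the fallback.
func aitmProxy(acct *account, key *ecdsa.PrivateKey, now int64) bool {
	if acct.totpSecret != nil {
		return rpVerifyTOTP(acct, totp(acct.totpSecret, now), now) // the victim's code, replayed by the proxy
	}
	// No fallback left, and forwarding the RP's real challenge does not help: the victim's browser
	// will not use an x.com credential on the proxy's origin.
	return keyLogin(acct, key, phishingOrigin) == nil
}
func main() {
	weak, weakKey := newAccount([]byte("constructed-totp-seed"))
	strong, strongKey := newAccount(nil)
	fmt.Println("victim on x.com, key only:   ", keyLogin(strong, strongKey, realOrigin))
	fmt.Println("AitM+AMR, fallback enabled:  ", aitmProxy(weak, weakKey, 1725000000))
	fmt.Println("AitM+AMR, fallback disabled: ", aitmProxy(strong, strongKey, 1725000000))
}
```

Run it with go run: the legitimate login returns nil, the proxy wins (true) against the account that still has the authenticator-app fallback, and loses (false) against the key-only account. The design point is that the proxy never attacks the key itself; it only needs the victim to use something weaker, which is why the hardening steps below insist on removing every other 2FA method rather than merely adding a key.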
Let's walk through the process of securing your X account using security keys.
After setting up your security keys, log out and attempt to log back in. You should be prompted for your security key to complete the authentication process. This test confirms that everything is working; if the login page still offers an SMS code or authenticator app as an alternative, a fallback method is still enabled and should be removed.
By securing your X account with security keys, you protect yourself against AitM phishing attacks. Remember, the key to maintaining that protection is to disable all insecure 2FA methods and rely on security keys as the only 2FA method wherever that is offered. Stay vigilant, and register redundant security keys for each account so that losing one does not lock you out!
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.