11/7/2019
06:15 PM
Twitter & Trend Micro Fall Victim to Malicious Insiders

The companies are the latest on a long and growing list of organizations that have fallen victim to users with legitimate access to enterprise systems and data.

Two separate incidents reported this week have once again highlighted how insiders with legitimate access to systems and data can be far more dangerous to enterprise security than external attackers.

On Thursday, the US Department of Justice announced indictments against two former Twitter employees for allegedly accessing private information tied to Twitter accounts belonging to several individuals of interest to the government in Saudi Arabia. A third individual based in Saudi Arabia was also indicted on related charges.

US national Ahmad Abouammo (age 41) of Seattle and Ali Alzabarah (35) of Saudi Arabia are accused of using their Twitter employee credentials to collect information that helped Saudi officials identify individuals critical of the regime in the country. They are alleged to have provided the information — which included email addresses, phone numbers, IP addresses, and dates of birth — to officials working on behalf of the Saudi government and the Saudi royal family.

The charging documents described Abouammo as a former media partner manager at Twitter responsible for the Middle East and North Africa region.

In that role, he was involved in assisting notable Twitter accounts in the region — including those belonging to brands, journalists, and celebrities — with content and Twitter strategy as well as sharing best practices. Alzabarah was a site reliability engineer, with no authorized access to the Twitter account data. Even so, he is alleged to have accessed nonpublic data associated with more than 6,000 accounts, including 33 accounts for which Saudi officials had previously pressed Twitter for more information.

Abouammo allegedly received a luxury watch valued at more than $20,000 and hundreds of thousands of dollars in cash in return for the information. He was arrested in Seattle on November 5 and made his first court appearance today.

Alzabarah fled the country for Saudi Arabia after Twitter officials confronted him about his illegal activities. A federal warrant has been issued for his arrest and also that of a third individual, Ahmed Almutairi, 30, a Saudi-based individual who is alleged to have facilitated meetings between Saudi officials and the two former Twitter employees.

In a statement, a Twitter spokesman said the company is committed to protecting the privacy of individuals who use its platform to advocate for human rights, equality, and individual freedom. "We recognize the lengths bad actors will go to try and undermine our service," the spokesman said. "Our company limits access to sensitive account information to a limited group of trained and vetted employees."

Meanwhile, in a separate development, cybersecurity vendor Trend Micro on Wednesday said one of its employees had illegitimately accessed personal data belonging to about 68,000 of the company's 12 million customers.

According to the security vendor, one of its employees used "fraudulent means" to access a customer support database containing names, email addresses, support ticket numbers, and, in some cases, the phone numbers of customers. He is alleged to have sold that information to a third-party malicious actor who then used it to attempt to scam Trend Micro customers. 

Trend Micro was alerted to the data theft in August after some customers of its consumer security products reported receiving scam calls from people purporting to be the security vendor's support personnel. It wasn't until October, however, that the company was able to identify the source of the leak. The employee has been terminated.

A Long-Standing Problem

Trend Micro and Twitter are the latest in a long and constantly growing list of victims of insider abuse — a problem that many security experts say poses at least as big a risk to enterprise security as external attacks. Twenty percent of the security incidents that Verizon's breach response group handled in 2018, and 15% of the actual breaches it investigated, involved insiders. Nearly half of those incidents (47.8%) were motivated by financial gain and a surprisingly high 23.4% by people seeking "pure fun."

Insider threats present a special challenge because most security is focused on protecting against incoming traffic, says Warren Poschman, senior solutions architect at comforte AG. Internal, properly authorized users are expected to be able to access data because it is part of their job functions.

"The premise of 'you can't deny what is granted' applies in that if an insider has legitimate access, then it is difficult to determine if a behavior is allowable," Poschman says. True intent can be hard to determine until after damage is done because legitimate user behavior can often be erratic, he adds.

Several tools are available to address insider threats, including user behavior analytics and risk-based authentication products. Data-centric measures such as tokenization and format-preserving encryption can also help by limiting access to sensitive data for all users regardless of the permissions they have, Poschman says.

Terry Ray, senior vice president at Imperva, says trying to proactively restrict all employees to just the data they need can be complex and even next to impossible for enterprise security organizations. Even a zero-trust approach — where every access request to a network or app is vetted for trustworthiness — has limitations when it comes to malicious insiders, he says. "The only aspect of zero trust that might have benefited Trend Micro would be least privileged access — the idea that each individual should only have access to what they need for their role," he says.

To be effective, insider controls have to be based on continuous monitoring of all user access to protected data. To spot unusual behavior, organizations need to be constantly analyzing who accesses data, what they access, how they access it, from where, and whether they should have access to it at all.
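As an added illustration of the monitoring Ray describes (example code, not from the article or either company), the following Python runs two of those checks over a constructed access log: whether the reader's role is entitled to the dataset at all (least privilege), and whether the volume of distinct records touched is far above that user's normal baseline. The role map, baselines and the 5x threshold are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample access records, not real logs from either company:
# (user, role, dataset, record_id)
ACCESS_LOG = [
    ("alice", "support", "customer_support_tickets", "t-1001"),
    ("alice", "support", "customer_support_tickets", "t-1002"),
    ("bob", "media_partner_mgr", "account_profile_public", "acct-7"),
    ("bob", "media_partner_mgr", "account_profile_private", "acct-7"),
]
# A site reliability engineer reading private account data in bulk (constructed).
ACCESS_LOG += [("carol", "sre", "account_profile_private", f"acct-{i}") for i in range(40)]

# Least-privilege map (assumed): which datasets each role is authorized to read.
ROLE_ACCESS = {
    "support": {"customer_support_tickets"},
    "media_partner_mgr": {"account_profile_public"},
    "sre": {"service_metrics"},
}

# Assumed per-user baseline: typical number of distinct records touched per day.
BASELINE = {"alice": 30, "bob": 5, "carol": 2}


def unauthorized_accesses(log, role_access):
    """Records whose dataset is outside the reader's role entitlements ("should they have access?")."""
    return [rec for rec in log if rec[2] not in role_access.get(rec[1], set())]


def volume_outliers(log, baseline, factor=5):
    """Users touching more distinct records than factor x their baseline ("what, and how much")."""
    touched = defaultdict(set)
    for user, _, dataset, record_id in log:
        touched[user].add((dataset, record_id))
    return {u: len(s) for u, s in touched.items() if len(s) > factor * baseline.get(u, 1)}


def review_findings(log, role_access, baseline):
    """Summarise both checks per (user, dataset) so an analyst can triage them."""
    by_pair = Counter((u, d) for u, _, d, _ in unauthorized_accesses(log, role_access))
    return {"unauthorized": dict(by_pair), "volume_outliers": volume_outliers(log, baseline)}


if __name__ == "__main__":
    for key, value in review_findings(ACCESS_LOG, ROLE_ACCESS, BASELINE).items():
        print(key, value)
```

Note that bob's single out-of-role read is caught only by the entitlement check, while carol's bulk pull trips both checks; running the two together is what separates a one-off mistake from a pattern worth investigating.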

"Monitoring user activity on corporate data is not only fully accepted, it's assumed by employees," Ray says.

Few, though, implement full data monitoring, and when they do, typically only the regulated data is monitored. The reality is that unregulated data is becoming more relevant at companies as well. "Unregulated data may still be highly monetized by attackers and can have negative impact on organizations," Ray notes, "regardless of a lack of regulatory fines."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
