Major cybersecurity company Mandiant’s X account was hacked because it was not properly protected
January 11, 2024
Cybersecurity company Mandiant’s X account may have been hacked using a brute force password attack, the company has revealed.
Last week, attackers hacked cybersecurity company Mandiant’s X account and used it to impersonate the Phantom crypto platform and share cryptocurrency scams.
Mandiant, a company owned by Google, has more than 120,000 followers on its X account.
Once the cybercriminals took control of the account, they changed its name to @phantomsolw and began promoting a fraudulent website masquerading as the Phantom crypto service.
The attackers exploited this account to facilitate airdrop fraud. Followers were encouraged to check whether they were among the 250,000 lucky people eligible to receive free tokens. The scam was designed to drain funds from the victim’s wallet.
This account was under the attacker’s control for several hours.
“We are aware of an incident that affected the Mandiant X account. We have since regained control of the account and are currently working on restoring it,” a Mandiant spokesperson said in a statement sent to multiple media outlets.
The attackers also trolled Mandiant with posts such as: “We’re sorry, but please change your password” and “Please check your bookmarks when you get your account back.”
Mandiant has begun an investigation into the incident.
“We have concluded our investigation into last week’s Mandiant X account takeover and determined that it was likely a brute force password attack isolated to this single account,” Mandiant said on X.
The security firm revealed that it was hacked as a result of a “brute force password attack” carried out by a drainer-as-a-service (DaaS) group.
The company admitted that the account was not properly secured because 2FA was not enabled.
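The takeover above was attributed to a brute-force password attack against an account with no second factor. The following is an added example, not code from the article or from Mandiant or X, showing the detection logic a defender would run over authentication events: it counts failed logins per account inside a sliding window (rather than per source address, since credential attacks are often spread across many addresses) and raises a second, higher-priority alert when a success arrives while the failure count is still above the threshold. The log format and the sample lines are constructed for this example.

```python
"""Brute-force login detection over a constructed authentication log.

Added example: the log line format, field names and sample events below are
constructed for illustration and are not real X or Mandiant data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional

# Constructed sample log: six failures for one account from four source
# addresses inside seven seconds, then a success; one ordinary user typo.
SAMPLE_LOG = """\
2024-01-03T09:00:01Z user=corp_social result=FAIL src=203.0.113.10
2024-01-03T09:00:02Z user=corp_social result=FAIL src=203.0.113.10
2024-01-03T09:00:03Z user=corp_social result=FAIL src=203.0.113.11
2024-01-03T09:00:04Z user=corp_social result=FAIL src=203.0.113.12
2024-01-03T09:00:05Z user=corp_social result=FAIL src=203.0.113.10
2024-01-03T09:00:06Z user=corp_social result=FAIL src=203.0.113.13
2024-01-03T09:00:07Z user=corp_social result=SUCCESS src=203.0.113.13
2024-01-03T09:15:00Z user=alice result=FAIL src=198.51.100.5
2024-01-03T09:16:00Z user=alice result=SUCCESS src=198.51.100.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS) src=(?P<src>\S+)$"
)


class Alert(NamedTuple):
    kind: str        # "brute_force" or "brute_force_success"
    user: str
    failures: int    # failed attempts inside the window at alert time
    sources: int     # distinct source addresses behind those failures
    ts: datetime


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "result": m["result"],
        "src": m["src"],
    }


def detect_bruteforce(lines, window_seconds: int = 60, threshold: int = 5) -> List[Alert]:
    """Sliding-window brute-force detection keyed on the target account.

    A "brute_force" alert fires once per account when failures inside the
    window reach the threshold. A "brute_force_success" alert fires when a
    successful login follows while the failure count is still at or above
    the threshold: the account is probably compromised and should be locked
    and its sessions revoked.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # user -> deque of (ts, src) inside the window
    alerted = set()                 # accounts that already got a brute_force alert
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = failures[ev["user"]]
        # Expire failures that fell out of the window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if ev["result"] == "FAIL":
            q.append((ev["ts"], ev["src"]))
            if len(q) >= threshold and ev["user"] not in alerted:
                alerted.add(ev["user"])
                alerts.append(Alert("brute_force", ev["user"], len(q),
                                    len({src for _, src in q}), ev["ts"]))
        else:
            if len(q) >= threshold:
                alerts.append(Alert("brute_force_success", ev["user"], len(q),
                                    len({src for _, src in q}), ev["ts"]))
            q.clear()   # a successful login resets the failure window
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Keying the window on the account rather than the source address is the important design choice: a distributed attack that rotates addresses still produces one account with many failures, which is exactly the pattern a per-IP rate limit misses. The `brute_force_success` alert is the one that should page someone, since it marks the moment the attack worked.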
The attack occurred on January 3, 2024, and the company’s X account was used to distribute links to a phishing page hosting a cryptocurrency drainer tracked as CLINKSINK.
Since December 2023, multiple attackers have used CLINKSINK drainers to conduct campaigns to steal funds and tokens from Solana (SOL) cryptocurrency users.
Drainers are malicious scripts and smart contracts that attackers use to steal funds and digital assets from victims’ cryptocurrency wallets after the victims have been tricked into approving a transaction.
“The identified campaign included at least 35 affiliate IDs associated with a popular Drainer-as-a-Service (DaaS) using CLINKSINK. They provide drain scripts to affiliates in exchange for a percentage (usually around 20%). The total amount of assets stolen by affiliates in these recent campaigns is estimated to be at least $900,000,” reads the report published by Mandiant.
Attackers used social media and chat applications (X and Discord) to spread crypto-themed phishing pages that trick victims into connecting their wallets to request fake token airdrops.
“The CLINKSINK phishing domains and pages observed utilized a wide range of fake token airdrop-themed lures masquerading as legitimate cryptocurrency resources, including Phantom, DappRadar, and BONK (Figures 1-3). These phishing pages are loaded with malicious CLINKSINK JavaScript drainer code to facilitate connection to victims’ wallets and subsequent theft of funds,” the report continues. “When a victim visits one of these phishing pages, they are prompted to connect to their wallet to request an airdrop of tokens. Once connected to their wallet, the victim is prompted to sign a transaction to the Drainer service. This allows them to siphon funds from victims.”
The CLINKSINK drainer is designed to check the current balance of a wallet and trick victims into signing fraudulent transactions that steal their crypto assets.
Mandiant has discovered a number of DaaS products that currently rely on CLINKSINK drainers, including “Chick Drainer,” which may operate at least partially as “Rainbow Drainer.”
Researchers speculate that the drainer’s source code could be made available to multiple attackers, allowing them to carry out independent campaigns.
“Many drainers are widely available and low cost, which, combined with relatively high profit potential, is likely to make them attractive ventures to many financially motivated parties,” concludes the report, which includes YARA rules for detection and expects CLINKSINK drainer activity to continue for the foreseeable future.
(SecurityAffairs – hacking, Mandiant)