A new statement from the Securities and Exchange Commission (SEC) explained that the regulator's X account was compromised after a threat actor was able to gain control of the phone number associated with the account, in a SIM-swapping cyberattack.
SIM-swapping attacks are a common technique for threat actors to hijack social media accounts, crypto wallets, and more.
The SEC admitted its staff intentionally disabled multi-factor authentication (MFA) protections on the X account in July 2023 after there was an issue accessing the @SEC.gov handle.
"Once access was reestablished, MFA remained disabled until staff reenabled it after the account was compromised on January 9," the SEC said in its statement on Jan. 22. "MFA currently is enabled for all SEC social media accounts that offer it."
The SEC X account was breached on Jan. 9 by crypto hackers who posted a message regarding Bitcoin ETFs, which briefly caused the price of Bitcoin to spike.
Federal legislators have called for inquiries into the incident, and investigations are ongoing by agencies including the SEC Inspector General, the Federal Bureau of Investigation (FBI), Department of Justice (DoJ), and Cybersecurity and Infrastructure Security Agency (CISA), the statement said.
SIM Swapping Defense Is Challenging
SIM swapping, in particular, is hard to defend against, Will Glazier, director of threat research for Cequence Security, said in a statement.
"The act of social engineering of convincing the telecom employee(s) to port over a phone number is actually one of the last steps in the attack chain," Glazier said. "Before that occurs, attackers frequently try to abuse APIs, many of which are publicly exposed to the internet with no authentication, by design, because they enable business growth."
He added that wireless carriers intentionally make it easy to move a particular phone number to a competing carrier, so that consumers can switch to a new network without friction.
"Attackers can learn which phone numbers belong to which carriers, by learning which phone numbers are not eligible to be ported over, because they already belong to said carrier," he explained.
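The enumeration Glazier describes turns an unauthenticated port-eligibility check into a carrier-membership oracle: every "not eligible, already on this network" answer tells the attacker which carrier a number belongs to, which is the reconnaissance that precedes the social-engineering call. The script below is an added example, not code from the article, the SEC or Cequence Security. It constructs sample API-gateway log lines for a hypothetical `/v1/port/eligibility` endpoint (the path, log format, result strings and thresholds are all assumptions), shows what a single probing source learns from the oracle, and flags sources that check an unusually large number of distinct phone numbers inside a short window, which is the pattern a carrier's defenders would look for.

```python
"""Port-eligibility oracle abuse: what leaks, and how to spot the probing.

Added illustration; not the article's, the SEC's or Cequence Security's code.
Endpoint name, log layout, result strings and thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumed gateway log layout:
# <ISO timestamp> <client_ip> <method> <path>?msisdn=<number> <status> <result>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>GET|POST) "
    r"(?P<path>/\S+?)\?msisdn=(?P<msisdn>\d+) (?P<status>\d{3}) (?P<result>\S+)$"
)
ELIGIBILITY_PATH = "/v1/port/eligibility"  # hypothetical endpoint name


def build_sample_log():
    """Constructed sample traffic (not real carrier data)."""
    lines = []
    base = datetime(2024, 1, 9, 14, 0, 0, tzinfo=timezone.utc)
    # One source walking a block of 25 consecutive numbers in 25 seconds.
    for i in range(25):
        ts = (base + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        result = "already_on_network" if i % 2 else "eligible"
        lines.append(f"{ts} 198.51.100.7 GET {ELIGIBILITY_PATH}"
                     f"?msisdn={2025550100 + i} 200 {result}")
    # One ordinary customer checking a single number a few minutes later.
    ts = (base + timedelta(minutes=5)).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines.append(f"{ts} 203.0.113.9 GET {ELIGIBILITY_PATH}?msisdn=2025550199 200 eligible")
    return "\n".join(lines)


def parse_log(text):
    """Parse lines matching the assumed layout; unrecognised lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


def numbers_confirmed_on_network(records):
    """The oracle's leak: numbers the API confirmed as belonging to this carrier."""
    return {r["msisdn"] for r in records
            if r["path"] == ELIGIBILITY_PATH and r["result"] == "already_on_network"}


def flag_enumeration(records, min_distinct=10, window=timedelta(seconds=60)):
    """Client IPs that probe at least `min_distinct` distinct numbers within `window`.

    A legitimate porting customer checks one or two numbers; a mapping run
    checks hundreds.  Sliding window over each client's sorted events.
    """
    by_ip = defaultdict(list)
    for r in records:
        if r["path"] == ELIGIBILITY_PATH:
            by_ip[r["ip"]].append((r["ts"], r["msisdn"]))
    flagged = set()
    for ip, events in by_ip.items():
        events.sort()
        in_window = Counter()
        start = 0
        for ts, msisdn in events:
            in_window[msisdn] += 1
            # Drop events that fell out of the window.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_distinct:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    print("numbers confirmed on this network:", sorted(numbers_confirmed_on_network(recs)))
    print("enumeration sources:", flag_enumeration(recs))
```

The detector keys on distinct numbers per source rather than raw request count, because a single customer retrying the same number is normal while many different numbers from one source is the signature of carrier mapping; in production the source would be a session or API key rather than an IP, since a distributed run can spread the same enumeration across many addresses.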