27 July 2022 - Discord Breach

Introduction

On the 27th of July, one of our community managers was compromised. The attacker managed to breach a community manager account and reassign roles. The roles were adjusted so the attacker impersonated @philm and was able to remove the ability to talk from all channels, as well as post announcements with malicious links in a moderator-protected channel, the #announcements channel.

Audit trail

The attacker breached a community manager account at 7:27pm.

At 10:14pm the attacker began to modify roles and disable communication across all channels.

At 10:39pm the attacker began to impersonate @philm.

At 10:40pm the attacker removed the #scam-alerts channel and broadcast announcements in #announcements. This was ongoing for 3 minutes, for the duration of the attack.

At 10:41pm the core team noticed and the real @philm responded by deleting the malicious announcements.

At 10:42pm the attacker created a webhook linked to the server, named Spidey Bot.

Response

At 10:45pm @brougkr responded by banning the malicious account, which stopped the malicious messages from being sent in #announcements.

At 10:48pm the bad role, Mod, was removed.

At 10:51pm @gitpancake re-enabled the community channels.

At 10:53pm all Discord invites were removed by @gitpancake.

At 10:56pm @gitpancake removed the ability for the Community Manager role to manage roles.

From 11:01pm until 11:06pm all Discord Bot integrations were removed.

At 11:28pm the Spidey Bot webhook was removed.

At 12:27am Bright Moments required all Community Managers to have 2FA and removed the roles from existing Community Managers until 2FA was enabled on their accounts.

Cause

Many of the attackers we have been dealing with over the last 24 hours joined the server ~1 month ago. This has been an ongoing, sustained attempt to attack the Bright Moments Discord.

Many of our Community Managers have received Direct Messages from people purporting to be moderators in a community called Garbage Friends, asking for moderation in their server. Upon joining the Garbage Friends Discord, there is a captcha which looks legitimate, but downloads a tool to steal Discord logins.

Prior to this attack, Community Managers were able to reassign and manage roles without having 2FA enabled, and unfortunately one of our community managers got caught by this trick.

Below are some of the bad actors from the Garbage Friends group.

Moving forwards

  • Community Managers can no longer reassign roles
  • All Bright Moments Community Managers now have 2FA enabled
  • All Bots have been audited and had their tokens refreshed
  • We will no longer accept partnership requests in our Discord
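The response above boils down to three server-side checks: which roles can manage roles, channels or webhooks; whether the server requires 2FA for moderation actions; and which webhooks exist that nobody approved. The script below is an added example, not Bright Moments' own tooling or anything from the post author. The permission bit values and the guild `mfa_level` field (0 = no 2FA requirement, 1 = 2FA required for moderation actions) follow Discord's public API documentation; the guild, role and webhook objects are constructed sample data in the shape the API returns, with made-up ids, and the "approved creator" set is an assumption you would fill from your own bot list.

```python
"""Audit a Discord guild snapshot for the gaps exploited in this incident:
roles with elevated permissions, no server-wide 2FA requirement, and
unexpected webhooks. Added example with constructed data (fake ids)."""
import json

# Permission bits as documented in Discord's permission flags
ADMINISTRATOR   = 1 << 3
MANAGE_CHANNELS = 1 << 4
MANAGE_GUILD    = 1 << 5
SEND_MESSAGES   = 1 << 11
MANAGE_ROLES    = 1 << 28
MANAGE_WEBHOOKS = 1 << 29

# Permissions that let a compromised moderator account silence channels,
# reassign roles, delete channels, or plant a webhook.
ELEVATED = {
    "ADMINISTRATOR": ADMINISTRATOR,
    "MANAGE_CHANNELS": MANAGE_CHANNELS,
    "MANAGE_GUILD": MANAGE_GUILD,
    "MANAGE_ROLES": MANAGE_ROLES,
    "MANAGE_WEBHOOKS": MANAGE_WEBHOOKS,
}

# Constructed snapshot in the shape of the API's guild/role objects.
# Role "permissions" is a string-encoded integer, as the API returns it.
SAMPLE_GUILD = {
    "id": "100000000000000001",
    "name": "Example Server",
    "mfa_level": 0,  # 0 = no 2FA required for moderation actions, 1 = required
    "roles": [
        {"id": "1", "name": "@everyone",         "permissions": str(SEND_MESSAGES)},
        {"id": "2", "name": "Community Manager", "permissions": str(MANAGE_ROLES | MANAGE_CHANNELS)},
        {"id": "3", "name": "Mod",               "permissions": str(MANAGE_ROLES | MANAGE_WEBHOOKS)},
        {"id": "4", "name": "Member",            "permissions": str(SEND_MESSAGES)},
    ],
}
# Constructed webhook objects; "user" is the account that created the webhook.
SAMPLE_WEBHOOKS = [
    {"id": "5", "name": "Spidey Bot", "channel_id": "9", "user": {"id": "42", "username": "unknown"}},
]
APPROVED_CREATORS = {"7"}  # assumption: ids of the bots/admins allowed to create webhooks


def elevated_roles(guild):
    """Map role name -> list of elevated permission names it holds."""
    findings = {}
    for role in guild["roles"]:
        bits = int(role["permissions"])
        held = [name for name, bit in ELEVATED.items() if bits & bit]
        if held:
            findings[role["name"]] = held
    return findings


def needs_mfa_enforcement(guild):
    """True when elevated roles exist but moderation actions do not require 2FA."""
    return guild.get("mfa_level", 0) < 1 and bool(elevated_roles(guild))


def strip_permission(role, bit):
    """Copy of the role with one permission bit cleared (e.g. MANAGE_ROLES)."""
    return {**role, "permissions": str(int(role["permissions"]) & ~bit)}


def unexpected_webhooks(webhooks, approved_creator_ids):
    """Names of webhooks whose creator is not in the approved set."""
    return [w["name"] for w in webhooks
            if w.get("user", {}).get("id") not in approved_creator_ids]


def audit(guild, webhooks, approved_creator_ids):
    """Run all three checks and return a report dict."""
    return {
        "elevated_roles": elevated_roles(guild),
        "mfa_gap": needs_mfa_enforcement(guild),
        "unexpected_webhooks": unexpected_webhooks(webhooks, approved_creator_ids),
    }


def apply_post_incident_fixes(guild):
    """Mirror the hardening described in the post: drop the rogue Mod role,
    take MANAGE_ROLES away from Community Manager, require 2FA."""
    roles = [strip_permission(r, MANAGE_ROLES) if r["name"] == "Community Manager" else r
             for r in guild["roles"] if r["name"] != "Mod"]
    return {**guild, "mfa_level": 1, "roles": roles}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_GUILD, SAMPLE_WEBHOOKS, APPROVED_CREATORS), indent=2))
    fixed = apply_post_incident_fixes(SAMPLE_GUILD)
    print(json.dumps(audit(fixed, [], APPROVED_CREATORS), indent=2))
```

Against a live server the same functions apply to the guild, roles and webhook objects returned by the API's guild endpoints; the point of the checks is that a role able to reassign roles on a server with `mfa_level` 0 is exactly the position a token stealer needs, and that a webhook created by an account outside your approved list is worth removing before you investigate who made it.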

Fucking stellar response, from my vantage. Great work, gang!!! It’s appreciated!!