Introduction
On the 27th of July, one of our community managers was compromised. The attacker breached a community manager account and reassigned roles. The roles were adjusted so that the attacker could impersonate @philm, remove the ability to talk in all channels, and post announcements with malicious links in #announcements, a moderator-protected channel.
Audit trail
The attacker breached a community manager account at 7:27pm.
At 10:14pm the attacker began to modify roles and disable communication across all channels.
At 10:39pm the attacker began to impersonate @philm.
At 10:40pm the attacker removed the #scam-alerts channel and broadcast announcements in #announcements. This continued for 3 minutes, the full duration of the attack.
At 10:41pm the core team noticed and the real @philm responded by deleting the malicious announcements.
At 10:42pm the attacker created a webhook, named Spidey Bot, linked to the server.
Response
At 10:45pm @brougkr responded by banning the malicious account, which stopped the malicious messages being sent in #announcements.
At 10:48pm the bad role, Mod, was removed.
At 10:51pm @gitpancake re-enabled the community channels.
At 10:53pm all Discord invites were removed by @gitpancake.
At 10:56pm @gitpancake removed the ability for the Community Manager role to manage roles.
Between 11:01pm and 11:06pm all Discord bot integrations were removed.
At 11:28pm the Spidey Bot webhook was removed.
At 12:27am Bright Moments required all Community Managers to have 2FA, and removed the role from existing Community Managers until 2FA was enabled on their accounts.
Cause
Many of the attackers we have been dealing with over the last 24 hours joined the server about a month ago. This has been an ongoing, sustained attempt to attack the Bright Moments Discord.
Many of our Community Managers have received direct messages from people purporting to be moderators of a community called Garbage Friends, asking them to help moderate that server. Upon joining the Garbage Friends Discord, there is a captcha that looks legitimate but downloads a tool that steals Discord logins.
Prior to this attack, Community Managers were able to reassign and manage roles without having 2FA enabled, and unfortunately one of our community managers was caught by this trick.
Below are some of the bad actors from the Garbage Friends group.
Moving forwards
- Community Managers can no longer reassign roles
- All Bright Moments Community Managers now have 2FA enabled
- All Bots have been audited and had their tokens refreshed
- We will no longer accept partnership requests in our Discord
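As an added illustration of the hardening above (not Bright Moments' own code), the check below audits a Discord guild's role permissions and 2FA setting so that no role other than a trusted admin role can reassign roles, delete channels or create webhooks, the three capabilities the attacker used. It assumes the guild and role objects have the shape the Discord API returns (`mfa_level` on the guild, `permissions` as a string bitfield on each role); the sample guild is constructed and mirrors the pre-incident configuration.

```python
# Added example: audit a Discord guild against the post-incident hardening.
# Input mirrors Discord API guild/role objects; the sample guild is constructed.

# Permission bits from the Discord API permission flags.
ADMINISTRATOR   = 1 << 3
MANAGE_CHANNELS = 1 << 4
MANAGE_GUILD    = 1 << 5
VIEW_CHANNEL    = 1 << 10
SEND_MESSAGES   = 1 << 11
MANAGE_ROLES    = 1 << 28
MANAGE_WEBHOOKS = 1 << 29

# Powers that let one compromised account do what the audit trail describes:
# reassign roles, delete channels, create webhooks.
DANGEROUS = {
    "ADMINISTRATOR": ADMINISTRATOR,
    "MANAGE_CHANNELS": MANAGE_CHANNELS,
    "MANAGE_GUILD": MANAGE_GUILD,
    "MANAGE_ROLES": MANAGE_ROLES,
    "MANAGE_WEBHOOKS": MANAGE_WEBHOOKS,
}

def audit_guild(guild, trusted_roles=("Admin",)):
    """Return a list of findings; an empty list means the guild passes."""
    findings = []
    # mfa_level 1 is Discord's "elevated" setting: moderation actions need 2FA.
    if guild.get("mfa_level") != 1:
        findings.append("guild: 2FA is not required for moderation actions")
    for role in guild["roles"]:
        if role["name"] in trusted_roles:
            continue
        perms = int(role["permissions"])
        held = [name for name, bit in DANGEROUS.items() if perms & bit]
        if held:
            findings.append(f"role {role['name']!r} holds {', '.join(held)}")
    return findings

# Constructed sample: Community Manager can manage roles and 2FA is optional.
SAMPLE_GUILD = {
    "mfa_level": 0,
    "roles": [
        {"name": "Admin", "permissions": str(ADMINISTRATOR)},
        {"name": "Community Manager", "permissions": str(MANAGE_ROLES | VIEW_CHANNEL)},
        {"name": "Member", "permissions": str(VIEW_CHANNEL | SEND_MESSAGES)},
    ],
}

if __name__ == "__main__":
    for finding in audit_guild(SAMPLE_GUILD):
        print("FINDING:", finding)
```

Running it on the constructed sample reports the two conditions that made this incident possible; after removing MANAGE_ROLES from the Community Manager role and setting `mfa_level` to 1 the audit returns no findings.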