Discord Wasnt Hacked ?!?!?
Using Counter-Insurgency Tactics straight from the manual to take down Hacking Groups
Soooooo you might have seen the whole scare that discord was hacked being posted everywhere. well to stop that Discord wasn’t hacked, people were just dumb and got caught up in a really bad phishing campaign by a small-time hacking group that I will not post the name of because I don’t want to give recognition to the group.
Through this phishing campaign, they got access to over 6000 credentials of which 4800+ were still active as of last night (20th June 2018) according to reports of a certain skid server using a custom account testing tool, that used the API keys to post messages and wait for a response.
So ok 4800+ people lose their accounts why the panic on your Twitter, to follow the common saying “stop bitching change your password ???”, well see it’s not the people that are just affected here with this breach, its hundreds of communities of people. so this part needs some back story. So a certain skid group, myself and other members of the BackSlash Intelligence Group “a volunteer group, who volunteer their time and abilities to track down missing people, investigate APT’s, track terrorist cells and assisting in fugitive recovery” have been investigating a hacking group who have been attacking multiple discord servers and wiping large communities, away as fast as they join.
This came across our table when someone we know who was developing a bot for intelligence use, accidentally leaked the token for their bot on GitHub, this “hacking group” I use that term very lightly here, used and abused the token, deleting all the channels, banning all the members of lower privilege, changing the server name, picture and leaving a nasty little message for the owner or higher privilege person to find it on the server, in this case, destroying a little community, leaving the members no way of ever communicating again unless they were friends or had past contact.
So not an issue for one or two tokens, but the issue with people who are new to secure coding or coding in general and as a project make a bot for the favorite gaming platform, post their code on GitHub with hardcoded API tokens to save time. This group was grabbing these tokens… Ok so back to the leak how does this affect things, well part of the leak was 6000+ API tokens for users. so while monitoring this group a chat came up in the general channel about modifying the current code to accept user tokens, and their tool was up and running. So again it’s only 6000+ users why is that an issue????
well let’s say you have a server with 5000+ members 200+ channels and is a highly active community of hundreds of regular users, now let’s say you have an Admin on your server, that admin belongs to 40+ servers and is an admin in multiple communities or has high privileges at the minimum in multiple servers. So you have a user token, now let’s say you have a bot that forces commands to the user through the API or even a group of people manually exploiting the users with logging, these attackers start sending commands such as ban all users .etc .etc then you turn this list of say 6000+ API’s instead of one sever each could at minimum have privilege on say 2 servers each so your talking 12000+ servers affected and possibly even more. I don’t know about you but if even 10 of these communities are similar to TheManyHatsClub that is a lot of people individually affected by this.
The bad part about this, the leaked tokens list was dropped by one of the original leakers on the skid server before it was mentioned publically, as soon as we saw this, we alerted discord in multiple ways 20+ minutes before the incident but nothing happened, but the reply from @discord verified account was as followed “itsa fakkkkke”
All we could do was watch as this group of skids wiped multiple servers, wiping away communities with hundreds of users and laughing as they did and yes I can confirm these where huge communities as they dropped invites to each server in their chat I could see one had nearly 6000 members and belonged to a Twitch streamer, they joked about how they where gonna watch the stream to see the reaction.
So where does the counter-insurgency tactics come in?, well right now, like Iv said we have been monitoring this group that has been doing this specific group for a few days, gathering Open-Source Intelligence “OSINT” on each of the admins, building rapport with shot callers through the use of Human Intelligence “HUMINT” and Social Engineering. Building enough rapport to the point of being given a copy of the custom scripts they are using by the developer himself, how to use it, exactly how it works and how they use it.
In the image on the right, it is heavly redacted as to protect the cover Idenities of the people invovled, but here you can see the code being shared which included and indepth description of how it works
So now for countering the Cyber-Insurgency,
0 – The Setup
The setup was to have multiple parts of your team set up inside the server at different levels of usability, and build the backstory that they don’t know each other, even to the point the team was calling out each member of the team or making jokes about them.
What you can see on the left is the team sitting in Voice Chat discussing the operation and how to interact with each other in the server to build the cover
1 – Build Rapport with the targets
This was done through common social engineering tactics, the most common is finding the common connection an example of this would be
“Oh you like Red, I like Red Too”
An amount of commonality can build a low level of rapport. This can lead them to build trust with you and allow you to get things such as operational details or even the Source Code to the bot, just by asking in the right way
The one marked red is the investigator
2 – Take their Security away
This is an important step, this causes the targets to act irrational and without thinking meaning there is a high chance they will fail they’re opsec and reveal identifiable information about themselves.
This was done by in-depth research searching for their usernames and attribution to each of the targets.
How this worked the team would randomly talk about things in the target’s life such as names of locations and things they do for example, “Wow, the weather in valley falls was so bad today, at least I still got to go to the food fair with my friends”
This prompted responses of “OH I was there too”, or a direct message “hey, were you there” or “how did you know I was there” the response leads into the next step
Below is just an example of ways area-based data was found
3 – Inside Threats
This step involved making evidence that indicates the people in charge hate each other, ie sharing code or personal details in Direct Messages de-anonymising each other, and have them watching everything the other person is doing.
This leads to paranoia and a lack of trust between the targets but allows the investigator to be able to build more trust with the target for letting them know what’s happening.
4 – Divide and Concur
This is the final nail in the coffin as to say in many cases it involved getting the targets in charge to hate each other to the point they disagree on everything.
Even to the point that they cant continue on current operations because they can’t agree on the best targets or approaches.
Or remove each other from situations, like in the image on the left one owner easily removed from the other for a private channel
The one marked in red is the investigator
5 – Burn it down
This is nearly the end, it involved building fear by making fake fear for example,
“I just had a cop, at my house asking about this discord, WHATS HAPPENING, they said someone gave them our names”
this sparks fear for the members, and people will start to get worried, They will jump ship while they can, The rest will start to look at each other with a lack of trust, trying to figure out who leaked their details.
At this stage it is easy to have the community lose faith in leadership and start revolting against the owners, admins run away from the shitstorm and owners deletes the server
6 – Scatter The Ashes
The final step, use their weapons against them and have them disband and vanish. This is a multitude of tactics, including social engineering, using what powers they had given us on the server, as well as using the assets we had turned from their inner circle, who were providing the team In-depth Intelligence on each other, and operations
There were multiple groups, and these operations spanned multiple locations. Which meant one of the team getting an account that was in multiple servers burnet, but that didn’t stop the operation, at this stage, it was easy to turn the situation around to benefit the operation.
What you see on the right after the investigator was burnt, because another skid group who we were also monitoring for doing the same invited the server owner to their server, and they saw the comments of the investigator. At this point, the rapport was so high that the target jumped to help the investigator when they said they played the damsel in distress card.
The one marked in red is the investigator
At the end of it all, all screenshots and a full report was submitted to the proper contacts at discord, to which all the owners and admins of the servers where banned by discord, and their server was wiped for a breach of Discord Terms of Service. This was the best outcome, it is possible they lost their contacts on the accounts, scripts, connections, creds, and possibility of other communities they were involved in doing these activities.
With these steps, the Skid Community that had taken down multiple other communities was now itself was taken down, but not before the infighting lead the owners to attack and taken down 2 other communities who were doing the same style of attacks, by a small motivated team and a single backslash \ in the chat before their server was wiped, many just sat and watched as the Discords security team banned the users and deleted the server.
Now as for the Fix, well it’s simple, alot of this could have been prevented when it was originally reported by resetting all the current Discord API tokens in the list, or as we found a simple way to reset your API token is to set up 2FA on your account, for some reason this generates and new auth token if you want a good guide to follow on this, check out this blog post – https://blog.daniel-milnes.uk/calm-down-discord-hasnt-been-hacked/
as of writing this, I can confirm that discord has now taken our intelligence onboard in implemented a system that alerts a user that their token has been publically posted on platforms such as GitHub and also reset these token so that this style of attack cant happen the same way again. The unfortunate side that can’t be fixed is the Human Error, where those who where put in a large dump of API key’s where phished using a simple campaign, as it has been said before,