Discord API Private Server Data Disclosure Vulnerability

Summary: John Fraser, the creator of the Ethereum-based platform Origin, built a Discord bot and in the process discovered that the Discord API exposes information and insights about private servers. Discord "servers" are generally communities built around personal and specialized interests. "Private" servers are commonly accessible only to members, so their information should not be reachable from outside the server. However, the Discord API still provides access to the data stored in those servers, and because Discord chats are not end-to-end encrypted the platform can read and serve that data to any caller the API lets in.

This weakness can enable impersonation scams, which in turn can give scammers the opportunity to take over an entire Discord server. Threat actors can use custom bots to find an intrusion vector, or even use paid Discord features to impersonate high-value targets. These weaknesses are exacerbated by Discord's target audience and culture: the platform was not built to withstand dedicated attackers.

Why it matters: Discord is one of the largest social messaging platforms in the world and is commonly used by individuals, communities, and companies as a means of communication. The platform was originally designed for gamers and therefore had different security requirements. Given its widespread use, Discord is an easy target for scammers, who have used contact through the platform to extract information that would otherwise be private. Their activity is not limited to impersonation and phishing scams; Discord can also be used to host malware. The threat could additionally allow users to be doxed and put their physical safety at risk. This combination of cyber and physical threats gives threat actors multiple avenues of attack for financial and other motives.

Human Element a Major Factor in Most Security Attacks

Summary: Verizon's Data Breach Investigations Report (DBIR) shows that 82% of data breaches last year involved a human element. Additionally, approximately 80% of breaches were attributed to organized crime. The human element is not limited to phishing scams; it also covers misuse and general human error. Over 20% of human-based attacks were due to social engineering.

Training is the usual defence against scammers, and its impact can be seen in the fact that only 2.9% of users click on a phishing email. However, only a small percentage of attacks need to succeed to have a large impact on a company.

Why it matters: The human element is commonly seen as the weakest link in security. Although people can be trained not to click on phishing emails, the effect of training wears off over time and must be repeated, and it is never 100% successful: a small percentage of people still fall for phishing emails. A single data breach can cost a company millions of dollars. Phishing remains the most common method for attackers; however, the human element also includes stolen credentials, insider activity, and configuration errors. No system can be protected 100%, and as the cost of each breach increases it is important to continue to emphasize user education alongside technical protection.

Cobalt Strike Unauthorized Deployment by Threat Actors

Summary: Cobalt Strike is a widely used commercial adversary simulation and penetration testing tool that gives red teamers a large variety of capabilities. It can be used for many types of attacks, from spear-phishing simulations to the deployment and execution of malware. However, cracked and leaked copies of Cobalt Strike are also actively used by a wide range of threat actors, from ransomware gangs to APTs (Advanced Persistent Threats).

In June, security researchers observed a malicious spam campaign that drops Cobalt Strike beacons on compromised computers via the malware "Matanbuchus". The malware-as-a-service (MaaS) project Matanbuchus was first spotted in advertisements on the dark web boasting a loader that launches executables directly in system memory. Palo Alto Networks' research group Unit 42 analyzed it last year and noted the malware's ability to launch custom PowerShell commands, use standalone executables to load DLLs, and establish persistence via scheduled tasks.

Why it matters: Threat actors are becoming more sophisticated and will also look for older vulnerabilities to target unpatched or out-of-date hosts. For an ongoing list of IOCs (Indicators of Compromise), see the list collected by DCSO and 'Execute Malware'. It is always important for security teams to stay up to date and proactive against the new exploits and techniques used by ever-evolving threat actors.
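The scheduled-task persistence noted above is something a detection engineer can hunt for in Windows Security event 4698 (task creation) telemetry, where the task's XML definition is logged alongside the creating account. The script below is an added example written for this newsletter; it is not code from Unit 42, DCSO or Execute Malware, and the 4698 records, task names, paths and base64 fragment are constructed for illustration. Its rules (a LOLBin such as rundll32 or PowerShell as the action, a payload in a user-writable path, encoded or hidden PowerShell, a logon or short-interval trigger) generalize to loader persistence beyond this one family, and a task is reported only when two rules fire so that ordinary admin scripts run through PowerShell are not flagged on their own.

```python
"""Hunt Windows Security event 4698 (scheduled task created) records for loader-style
persistence. Records below are constructed for illustration, not real telemetry."""
import re
import xml.etree.ElementTree as ET
from ntpath import basename

# Built-in Windows binaries that loaders commonly abuse to run a payload.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe",
           "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe", "msiexec.exe"}
# Locations an unprivileged user (or a dropper running as that user) can write to.
USER_WRITABLE = re.compile(
    r"%(appdata|localappdata|temp|tmp|public)%|\\users\\[^\\]+\\appdata\\"
    r"|\\programdata\\|\\windows\\temp\\", re.I)
MIN_REASONS = 2            # report a task only when two or more rules fire
SHORT_INTERVAL_SECS = 600  # repetition intervals this short are beacon-like

def _iso_duration_secs(text):
    """Convert a Task Scheduler interval such as PT5M or P1DT2H to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", text.strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def _powershell_flags(arguments):
    """PowerShell accepts any unambiguous prefix of a switch, so -e, -enc and
    -EncodedCommand are equivalent, as are -w hidden and -WindowStyle Hidden."""
    toks = arguments.split()
    reasons = []
    for i, tok in enumerate(toks):
        if not tok.startswith("-") or len(tok) < 2:
            continue
        rest = tok[1:].lower()
        if "encodedcommand".startswith(rest):
            reasons.append("encoded PowerShell command")
        if ("windowstyle".startswith(rest) and i + 1 < len(toks)
                and toks[i + 1].lower().startswith("hidden")):
            reasons.append("hidden PowerShell window")
    return reasons

def analyze_task(task_xml):
    """Return the list of reasons a task definition looks like malware persistence."""
    root = ET.fromstring(task_xml)
    command = arguments = ""
    reasons = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the Task Scheduler XML namespace
        if tag == "Command":
            command = (el.text or "").strip()
        elif tag == "Arguments":
            arguments = (el.text or "").strip()
        elif tag in ("LogonTrigger", "BootTrigger"):
            reasons.append(f"runs on {tag}")
        elif tag == "Interval":
            secs = _iso_duration_secs(el.text or "")
            if secs and secs <= SHORT_INTERVAL_SECS:
                reasons.append(f"repeats every {secs}s")
    exe = basename(command.strip('"')).lower()
    if exe in LOLBINS:
        reasons.append(f"action uses LOLBin {exe}")
    if USER_WRITABLE.search(command) or USER_WRITABLE.search(arguments):
        reasons.append("payload in user-writable path")
    if exe in ("powershell.exe", "pwsh.exe"):
        reasons.extend(_powershell_flags(arguments))
    return reasons

def hunt(events, min_reasons=MIN_REASONS):
    """Return (task name, creating account, reasons) for every 4698 record whose
    task definition trips at least min_reasons rules."""
    hits = []
    for ev in events:
        reasons = analyze_task(ev["TaskContent"])
        if len(reasons) >= min_reasons:
            hits.append((ev["TaskName"], ev["SubjectUserName"], reasons))
    return hits

def _task(triggers, command, arguments):
    """Build a minimal Task Scheduler XML body (constructed sample data)."""
    return ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task" version="1.2">'
            f"<Triggers>{triggers}</Triggers><Actions><Exec><Command>{command}</Command>"
            f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>")

DAILY = ("<CalendarTrigger><StartBoundary>2022-06-01T02:00:00</StartBoundary>"
         "<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>")

# Constructed 4698 records: two benign tasks and two modelled on the loader
# behaviour described above (hypothetical task names, paths and payload).
SAMPLE_EVENTS = [
    {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "SubjectUserName": "SYSTEM",
     "TaskContent": _task(DAILY, r"%windir%\system32\defrag.exe", "-c -h -k -g -$")},
    {"TaskName": r"\Backup\NightlyExport", "SubjectUserName": "svc_backup",
     "TaskContent": _task(DAILY, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                          r'-ExecutionPolicy Bypass -File "C:\Program Files\Vendor\export.ps1"')},
    {"TaskName": r"\update\CoreUpdater", "SubjectUserName": "jdoe",
     "TaskContent": _task("<LogonTrigger><Enabled>true</Enabled><Repetition>"
                          "<Interval>PT5M</Interval></Repetition></LogonTrigger>",
                          r"C:\Windows\System32\rundll32.exe",
                          r"C:\Users\jdoe\AppData\Roaming\update\core.dll,Start")},
    {"TaskName": r"\OneDriveSync", "SubjectUserName": "jdoe",
     "TaskContent": _task(DAILY, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                          "-nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA")},
]
```

Calling `hunt(SAMPLE_EVENTS)` reports the rundll32 task (logon trigger, five-minute repetition, LOLBin action, DLL under the user's AppData) and the hidden, encoded PowerShell task, while the vendor backup script that merely runs through PowerShell stays below the two-rule threshold. In production the `TaskContent` field comes straight from the 4698 event, so the same `analyze_task` function can be dropped into a SIEM enrichment or a Sysmon/EDR pipeline; tune `MIN_REASONS` and the path list to the environment.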

Cloudflare’s Record Breaking DDoS Prevention

Summary: On June 14th, 2022, Cloudflare publicly announced that it had mitigated a record-breaking distributed denial-of-service (DDoS) attack the week prior. The attack peaked at 26 million requests per second (RPS), the largest HTTPS DDoS attack reported in the industry to date. It was sourced from a botnet of 5,067 devices, with each node generating roughly 5,200 RPS at the peak. DDoS attacks are typically not conducted over HTTPS because establishing a TLS-encrypted connection is costly for the attacker; it is even more costly for the target to mitigate, however, so an HTTPS flood ensures a high degree of damage if it succeeds. The botnet flooded the target with requests within a 30-second window from over 1,500 networks spanning 121 countries, including the United States, Russia, Indonesia, Brazil, and many others.

The attack appears to have originated from cloud service providers rather than residential Internet service providers, which points to compromised virtual machines and servers as the source devices. Typically a botnet is easier to build by compromising Internet of Things (IoT) devices such as smart home devices, as their security is weaker than that of a commercial target. This is the second such attack mitigated by Cloudflare in 2022, following one in April. Reports from Cloudflare and other industry leaders have shown year-over-year increases in DDoS attacks ranging from 450% to 645%, with the largest increases following the Russian invasion of Ukraine.

Why it matters: As attackers' methods and scale continue to change and grow in severity, the need for continued innovation in defensive measures becomes more apparent. Cloud security providers have shown remarkable growth in resilience against recent botnet DDoS attacks. Continued development is part of the core model of cloud deployments: the recurring revenue stream allows dedicated teams to focus on specific defensive and preventative measures while other teams focus on user experience and architecture. This model is widely agreed to provide a solid foundation for the continued growth of the security industry, with results to back it up as attackers push further.

Bypassing MFA Through WebView2

Summary: Threat actors have created a clever phishing technique to bypass multifactor authentication (MFA). The recent rise in stolen credentials and in cyber threats generally has led to increased adoption of MFA. MFA is not perfect, however: threat actors and researchers have found ways to bypass it through vulnerabilities and other forms of attack.

The newest technique shows how Microsoft's WebView2 lets threat actors build native applications that use an embedded browser as a rendering engine for HTML, CSS, and JavaScript. The danger comes not only from the threat actor's ability to inject code into the rendered login page to log the user's credentials and keystrokes, but also from their ability to steal the resulting cookies. Stealing the session cookie bypasses MFA because the threat actor can reuse a session that has already passed the MFA step, impersonating the logged-in user rather than having to log in again.

Why it matters: Credential theft has been on the rise in the last few years, and MFA was adopted to mitigate the threat that stolen credentials pose. Stolen credentials can let unauthorized people not only access systems but also perform unauthorized activity, which could have a significant or critical impact on the target company, causing financial, operational, and reputational damage. With the increase in cybercrime in recent years, novel attacks on established safeguards are likely to increase as well.

Security Tip of the Month

For this month's security tip we would like to emphasize the importance of software updates. Updates usually give users new features and functional improvements, but no software is perfect, and updates are also needed to fix problems ranging from bugs that cause crashes to easily exploitable vulnerabilities. Software updates therefore bring not only new features but also fixes for discovered vulnerabilities.

Such vulnerabilities can be exploited by malicious actors and carry the potential for a security breach. This practice applies not only to personal devices but to corporate ones as well. Updating all machines not only hardens each machine but also helps prevent one compromised machine from infecting others.