Incident Summary
At 0:19 AEST a moderator’s Discord account was compromised, leading to permissions being changed, users banned, and a scam announcement posted in the #protocol channel.
Detection
The incident was detected very quickly by the community, and the community manager was alerted at around 0:28.
Impact
The intruder proceeded to:
- Lock and change permissions on channels so no messages could be sent
- Disable Wick
- Ban Kron
- Ban Rocket Scientists
- Ban other members
- Post a scam announcement about a fake airdrop in the #protocol channel
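The sequence above (several bans and several channel permission rewrites by one account within minutes, plus the protective bot being disabled) is a pattern a server-side watch can flag without waiting for community reports. The following Python is an added example, not part of the original post-mortem or any tool the team used: it runs a simple per-actor burst detector over a constructed list of audit-log style events (the field names and action names are assumptions that only loosely mirror what Discord's audit log exposes; the timestamps are invented to resemble the timeline) and returns alerts for mass bans, mass permission changes, and removal of a protective bot such as Wick.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Discord audit-log data). Each entry records
# who acted, what they did, on what, and when. Action names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2022-01-01T00:20:05+10:00", "actor": "mod_a", "action": "channel_overwrite_update", "target": "#general"},
    {"ts": "2022-01-01T00:20:09+10:00", "actor": "mod_a", "action": "channel_overwrite_update", "target": "#protocol"},
    {"ts": "2022-01-01T00:20:30+10:00", "actor": "mod_a", "action": "member_ban_add", "target": "Kron"},
    {"ts": "2022-01-01T00:20:41+10:00", "actor": "mod_a", "action": "member_ban_add", "target": "Rocket Scientists"},
    {"ts": "2022-01-01T00:26:02+10:00", "actor": "mod_a", "action": "channel_overwrite_update", "target": "#announcements"},
    {"ts": "2022-01-01T00:26:15+10:00", "actor": "mod_a", "action": "channel_overwrite_update", "target": "#protocol"},
    {"ts": "2022-01-01T00:27:00+10:00", "actor": "mod_a", "action": "bot_remove", "target": "Wick"},
    {"ts": "2022-01-01T00:39:00+10:00", "actor": "mod_a", "action": "member_ban_add", "target": "member1"},
    {"ts": "2022-01-01T00:43:00+10:00", "actor": "mod_a", "action": "member_ban_add", "target": "member2"},
    # Ordinary moderation hours earlier: a single ban by another moderator, not a burst.
    {"ts": "2021-12-31T20:00:00+10:00", "actor": "mod_b", "action": "member_ban_add", "target": "spammer"},
]

# Which raw actions feed which burst category.
SENSITIVE_ACTIONS = {
    "member_ban_add": "mass_ban",
    "channel_overwrite_update": "mass_permission_change",
}
# Bots whose removal should always raise an alert (assumed name from the report).
PROTECTED_BOTS = {"Wick"}
DEFAULT_THRESHOLDS = {"mass_ban": 2, "mass_permission_change": 3}


def parse_ts(value):
    """Parse an ISO-8601 timestamp with offset into an aware datetime."""
    return datetime.fromisoformat(value)


def detect_bursts(events, window=timedelta(minutes=10), thresholds=None):
    """Flag any (actor, category) whose sensitive actions cluster within `window`.

    Uses a sliding window over each actor's sorted timestamps and reports the
    densest cluster if it reaches the category's threshold.
    """
    thresholds = thresholds or DEFAULT_THRESHOLDS
    grouped = defaultdict(list)
    for event in events:
        category = SENSITIVE_ACTIONS.get(event["action"])
        if category:
            grouped[(event["actor"], category)].append(parse_ts(event["ts"]))

    alerts = []
    for (actor, category), times in grouped.items():
        times.sort()
        best_count, best_span, start = 0, None, 0
        for end in range(len(times)):
            # Advance the window start until the span fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count, best_span = count, (times[start], times[end])
        if best_count >= thresholds[category]:
            alerts.append({
                "actor": actor, "kind": category, "count": best_count,
                "first": best_span[0].isoformat(), "last": best_span[1].isoformat(),
            })
    return alerts


def detect_protection_removed(events, protected=PROTECTED_BOTS):
    """Flag removal of a protective bot regardless of who did it or how often."""
    return [
        {"actor": e["actor"], "kind": "protection_bot_removed", "target": e["target"], "ts": e["ts"]}
        for e in events
        if e["action"] == "bot_remove" and e["target"] in protected
    ]


def run(events=SAMPLE_EVENTS):
    """Run both detectors and return the combined alert list."""
    return detect_bursts(events) + detect_protection_removed(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed sample this yields three alerts, all attributed to the compromised account: a mass permission change (four channel rewrites in just over six minutes), a mass ban (two bans within eleven seconds), and the removal of Wick. The thresholds are deliberately low because a legitimate moderator rarely bans or rewrites channels in rapid bursts; tune them against the server's normal audit-log history before wiring the output to a paging channel.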
Response / Recovery
The community manager, who was both the first responder and the owner of the compromised account, reached out to other team members and started containing the impact. They removed the scam announcement and revoked all other logins on the account.
With the situation seemingly stabilised but the full extent of the compromise unknown, the priority was to maintain the status quo without risking any further attacks. Reinstating some banned accounts could be completed manually, but restoring the remaining server permissions and roles took several hours to complete.
Timeline
At 0:19 AEST, a moderator’s Discord account was compromised
At 0:20 AEST, permissions changed on channels, Kron and Rocket Scientists banned
At 0:26 AEST, more permissions changed on channels and channels locked
At 0:28 AEST, community alerted the first responder (community manager), who reached out to other team members and started containing the impact
At 0:29 AEST, first responder immediately removed the scam announcement and reestablished some permissions over the channels
At ~0:38 AEST, community started spreading the word on Twitter
At 0:39 AEST, more community members banned by intruder
At 0:43 AEST, more community members banned by intruder
At 1:17 AEST, first responder started unbanning community members
At 5:53 AEST, other admins became available to help with the server permission fixing
At 6:16 AEST, permissions reset for various channels and remaining members unbanned
Root Cause
At this stage the exact attack vector is unknown, but a malicious or compromised public wifi network is the likely culprit. Every moderator has 2FA in place, which protects the login step but not an already-issued session token, so the likely cause is session hijacking: either via a compromised wifi network (on mobile) or, less likely, an open Discord session on a sleeping laptop.
Further investigation is being conducted to gain more knowledge of the possible attack vector and ensure it cannot be used again.
Lessons Learned / Corrective Actions
What went well?
The incident was detected very quickly and the scam announcement was removed. Containment was conducted efficiently and carefully. The community did an amazing job of spreading the word on Twitter and generally watching out for each other.
What could be improved?
From a security perspective, the following corrective actions have been identified during root cause analysis:
- Do not use public wifi networks; use phone data instead, or ensure a mobile VPN is in use
- Close open Discord sessions at end of day
Although the community alerted the community manager quickly and the incident was dealt with swiftly, our out-of-hours contact procedures could be improved.