Threat Actors Abusing Discord to Spread Malware

Researchers have discovered new multi-function malware that abuses the core features of the popular group chat platform Discord.

Check Point explained in a blog post this morning that it found several malicious GitHub repositories hosting malware built on the Discord API and malicious Discord bots. The malware offered a range of capabilities, including keylogging, taking screenshots and executing files.

Discord bots help users automate tasks on Discord servers. However, they can also be turned to malicious ends, the researchers warned.

For example, the Discord Bot API can easily be manipulated to turn a bot into a simple Remote Access Trojan (RAT). This doesn’t even require the Discord app to be downloaded to a target’s machine.

What’s more, communications between attacker, Discord server and victim’s machine are encrypted by Discord, making it much harder to detect any malware, Check Point claimed. It said that this could provide attackers with an “effortless” way to infect machines and turn them into malicious bots.

“The Discord API does not require any type of confirmation or approval and is open for everyone to use,” the researchers wrote.

“Due to these Discord API freedoms, the only way to prevent Discord malware is by disabling all Discord bots. Preventing Discord malware can’t be done without harming the Discord community. As a result, it’s up to the users’ actions to keep their devices safe.”

Check Point also found dozens of instances where threat actors used Discord as a malicious file hosting service, with their privacy protected by the app.

“As of now, any type of file, malicious or not, whose size is less than 8MB can be uploaded and sent via Discord. Because the file content isn’t analyzed, malware can be easily spread via Discord,” it concluded.

“As Discord’s cache is not monitored by modern AVs, which alert a user in case a received file is considered malicious, the files remain available for download. Until relevant mechanisms are implemented, users must apply safety measures and only download trusted files.”
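
As an added illustration (this is not code from Check Point's post, nor Discord's own tooling), the following Python scans a strings dump from a suspicious binary for the two Discord artifacts the article describes: webhook URLs, which a bot-based RAT can use for command-and-control and exfiltration, and CDN attachment links, which point at files hosted on Discord's file service. The URL shapes, the payload extension list and the sample strings are assumptions and constructed data, not indicators taken from the article.

```python
import re
from typing import Dict, List

# Assumed URL shapes (not from the article): Discord webhooks live under
# /api/webhooks/<id>/<token>; attachments are served from cdn.discordapp.com
# under /attachments/<channel_id>/<attachment_id>/<filename>; bot API calls
# go to discord.com/api/v<n>/... .
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/(?:v\d+/)?"
    r"webhooks/(\d{17,20})/([A-Za-z0-9_-]{60,})"
)
CDN_ATTACHMENT_RE = re.compile(
    r"https?://(?:cdn|media)\.discordapp\.(?:com|net)/attachments/"
    r"(\d{17,20})/(\d{17,20})/(\S+)"
)
API_ENDPOINT_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/v\d+/[\w/.-]+"
)

# Assumed list of extensions worth flagging when hosted on the CDN.
PAYLOAD_EXTS = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1",
                ".vbs", ".js", ".jar", ".msi", ".zip", ".7z")


def redact(token: str, keep: int = 6) -> str:
    """Keep only a prefix of a secret so reports never leak a live webhook token."""
    return token[:keep] + "..." if len(token) > keep else token


def extract_discord_iocs(blob: str) -> Dict[str, List[dict]]:
    """Pull Discord webhook, CDN attachment and bot API URLs out of a text blob."""
    iocs: Dict[str, List[dict]] = {"webhooks": [], "cdn_attachments": [], "api_endpoints": []}
    for m in WEBHOOK_RE.finditer(blob):
        iocs["webhooks"].append({
            "url": m.group(0),
            "webhook_id": m.group(1),
            "token_redacted": redact(m.group(2)),
        })
    for m in CDN_ATTACHMENT_RE.finditer(blob):
        iocs["cdn_attachments"].append({
            "url": m.group(0),
            "channel_id": m.group(1),
            "attachment_id": m.group(2),
            "filename": m.group(3),
        })
    for m in API_ENDPOINT_RE.finditer(blob):
        # Webhook URLs are reported separately; do not double count them here.
        if "/webhooks/" not in m.group(0):
            iocs["api_endpoints"].append({"url": m.group(0)})
    return iocs


def assess(iocs: Dict[str, List[dict]]) -> List[str]:
    """Turn extracted IOCs into human-readable findings for a triage note."""
    findings: List[str] = []
    for w in iocs["webhooks"]:
        findings.append(f"webhook {w['webhook_id']} (token {w['token_redacted']}): "
                        "possible exfiltration or C2 via Discord webhook")
    for a in iocs["cdn_attachments"]:
        if a["filename"].lower().endswith(PAYLOAD_EXTS):
            findings.append(f"cdn payload {a['filename']}: executable-like file hosted on Discord CDN")
    if iocs["api_endpoints"]:
        findings.append(f"{len(iocs['api_endpoints'])} bot API endpoint(s): "
                        "possible Discord-bot-based RAT")
    return findings


# Constructed sample: what a `strings` pass over a fictitious dropper might yield.
SAMPLE_STRINGS = """
KERNEL32.DLL
GetAsyncKeyState
https://discord.com/api/webhooks/123456789012345678/AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcdefghijklmnopqrstuvwxyz-_ABCD
https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/update.exe
https://cdn.discordapp.com/attachments/111111111111111111/333333333333333333/readme.txt
https://discord.com/api/v9/channels/444444444444444444/messages
https://example.com/not-discord
"""

if __name__ == "__main__":
    found = extract_discord_iocs(SAMPLE_STRINGS)
    for line in assess(found):
        print(line)
```

Running the block against the constructed dump reports the webhook (with its token redacted), flags `update.exe` as a CDN-hosted payload while leaving `readme.txt` alone, and notes the bot API endpoint. The same extraction can be run over proxy logs or the contents of Discord's local cache directory, which is where the article notes files persist unscanned.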

#ISC2Congress: How to Mitigate Evolving Insider Threats

The changing nature of insider threats was described by Lisa Forte, founder of Red Goat Cyber Security, during a keynote presentation at this week’s virtual ISC2 Security Congress 2021.

Forte began by noting that insider threat actors have traditionally been seen as ‘bad apples’ within a business, but we have now “moved quite far away from that.” Indeed, many perpetrators act without malicious intent. She also pointed out that new technologies have made it far easier for employees to commit espionage against their employers. For example, mobile phones can be used to photograph important data, and thousands of documents can be transferred to an SD card. These acts are far easier to conceal than in the past, when insider threat actors would “have to physically copy large quantities of files.”

Additionally, the rise of social media means that the “biggest threat comes from insider people who get socially manipulated online to hand over information,” according to Forte. She then described a recent case that highlights this tactic. This involved a scientist (John) who was in charge of a team working on sensitive research for a major UK company. He had recently been divorced and was looking to meet a new partner who shared his passion for science, and signed up to dating websites.

John made a professional post on LinkedIn and received a question in the comments from a lady called Sveti. He responded to her via the private message function, and they engaged in scientific discussion before exchanging numbers and continuing the conversation on WhatsApp. Sveti said she was from Bulgaria and was an aspiring environmental scientist. She continued to ask John questions about science and his research and began requesting diagrams and documents to help explain certain concepts. John obliged, flattered by the interest Sveti was showing in him and his work, and they became closer, with the messages taking a romantic turn. Sveti was also an aspiring dancer and would often ask John to critique her performances.

One day, while working at his organization’s lab during the COVID-19 lockdown, John received a message from Sveti asking him to watch a video of her dancing that she was planning to publish online. However, he couldn’t open it on his phone or a PC in his company’s office. She then begged him to try to play the video on an older device, of which there were several in the lab. He attempted this, but the video still failed to play. Yet suddenly, everything started crashing on the lab computer, alerting the company’s security team, who discovered the file was actually malware. After that, John never heard from ‘Sveti’ again – he had been duped by a highly tailored social engineering campaign to steal information and sabotage his organization.

Forte explained: “Likely, John was carefully and meticulously targeted for the data and the systems that he had access to.”

She added that the method of attacking organizations by manipulating their employees is a growing problem. It is also highly effective as high-profile insiders will have access to sensitive systems and data. For example, UK intelligence agency MI5 believes at least 10,000 UK nationals have been approached by fake profiles linked to hostile states on LinkedIn in the past five years.

Other insider threats are conducted intentionally. These fall into three categories: theft, sabotage and fraud. Forte pointed out that even these actors are not always motivated by malice; the motive may, for example, be paying a medical bill.

Alongside strategies like monitoring, training and collaboration between internal departments, Forte emphasized the importance of culture and well-being in reducing the risk of intentional insider threats. To illustrate the point, she highlighted ‘City 40,’ a secret city created in 1946 by the Soviet Union for the workers of its nuclear program. While the residents were not allowed to leave the city or communicate with anyone outside, they developed a strong sense of community and loyalty to the area, which remains to this day. This is because it had the best facilities, services and quality of life of anywhere in the Soviet Union, ensuring the residents were content despite the restrictions they lived under. The purpose was to make the people “personally invested in keeping our secrets,” and it proved to be highly effective.

Forte believes organizations should apply a similar principle to their staff, focusing on their happiness and well-being. While it is impossible to eliminate the risk of insider threats, employees are very unlikely to engage in such activities “as long as they feel valued and that they’ve got a good deal.”

72% of Organizations Experienced a DNS Attack in the Last Year

Nearly three-quarters (72%) of organizations have suffered a domain name system (DNS) attack in the last 12 months, according to a new study by the Neustar International Security Council (NISC).

Of those organizations affected, 61% were targeted on multiple occasions, while 11% have been victimized regularly.

While Neustar noted that DNS attacks are generally a lower concern for security pros than vectors like ransomware, distributed denial-of-service (DDoS) and targeted account hacking, they are becoming increasingly menacing to organizations. According to its latest study, 55% of security professionals consider DNS compromise an increasing threat; this compares to 47% in October 2020.

The most common types of DNS attacks experienced were DNS hijacking (47%), DNS flood, reflection or amplification attacks that segued into DDoS (46%), DNS tunneling (35%) and cache poisoning (33%).

The 302 security professionals from six EMEA and US markets included in the survey were also asked about the damage caused by these incidents. Among those organizations targeted, 58% saw their businesses disrupted for over an hour, and 14% took several hours to recover. Around one-third, however, were able to recover within minutes.

Website disruptions are becoming increasingly damaging to businesses amid the digital shift during COVID-19. More than nine in 10 (92%) respondents agreed their organization’s website is vital to business continuity and customer fulfillment at some level, with 16% entirely enabled by it. Over half (56%) said their website has a significant role in day-to-day activity, and only 8% of organizations believe they can continue conducting business without their website.

Despite this, just 31% of respondents were confident in their organization’s ability to deal with a DNS attack that could take their website offline. Furthermore, over a quarter (27%) admitted they were not confident.

Michael Kaczmarek, vice president of product management for Neustar Security Solutions, commented: “Organizations are challenged to keep pace with emerging security threats in an increasingly borderless digital landscape. Although some attack vectors may not be as visible or pose as imminent a threat as others, it is clear bad actors will exploit any vulnerability they can find sooner rather than later, and they will cost organizations valuable time, resources and business.”

He added: “The latest data indicates that organizations need to remain vigilant, close security gaps, and patrol for potential breaches around the clock.”

Space ISAC and NY InfraGard to Collaborate on Cybersecurity in Space

The Space Information Sharing and Analysis Center (Space ISAC) and the New York Metro InfraGard Members Alliance (NYM-IMA) have agreed to work together to advance the mission of cybersecurity in space. 

A Memorandum of Understanding (MOU) enabling collaboration between the two organizations was signed earlier this month. In a statement released to announce the news, the organizations said that the aim of the partnership was to promote broad-based participation by members of both organizations.

This participation will take the form of enhanced educational initiatives, training of both users and operators, and intelligence-sharing activities in the space domain.

Space ISAC serves to facilitate collaboration across the global space industry. The organization defines its mission as “to enhance the ability to prepare for and respond to vulnerabilities, incidents, and threats; to disseminate timely and actionable information among member entities; and to be the primary communications channel for the space sector with respect to this information.”

To date, Space ISAC has teamed up with a broad range of organizations that spans the entire horizon of the space industry. Collaborations have been set up with organizations in space missions, education and research, space business systems, launch, space systems engineering, payload design, space vehicles, cybersecurity, space communications, intelligence, cloud, the space supply chain, data processing, and more.

“We are delighted to collaborate with the NY Metro InfraGard Members Alliance as a partner in our global space community,” said Erin Miller, Space ISAC executive director.

“We can work together to increase security and resilience in the space sector and anticipate this collaboration will assist with long-term space security.”

Non-profit organization InfraGard is a proactive collaboration between the FBI and the private sector for the protection of United States critical infrastructure. 

“All the Critical Infrastructure sectors are reliant upon the services within space, such as the Global Positioning System (GPS), modern communication networks, and satellite technologies,” said Jennifer Gold, vice president and IT sector chief of NY Metro InfraGard. “The data collected and transmitted in space informs all sectors. 

“In the best interest of our nation, we must secure the vulnerable technology in space to defend against the most consequential cyber-threats.”