Hacked Discords - April 1st, 2022

Incident Learning Report

On the morning of April 1st, the Bored Ape Yacht Club Discord was hacked and an announcement was posted about minting mutant dogs (BAKC) and staking them for $APE.
Users who clicked the link were taken to an external scam website that let them mint an NFT and got them to sign a transaction granting an approval-for-all permission, which the hackers then used to siphon the most valuable NFTs out of their wallets.
This was a coordinated hack; similar messages were posted in the DOODLES Discord server along with 7 other Discord servers.
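As an added illustration (not part of the original report), the script below shows the kind of pre-signing check a wallet or browser extension can run against the transaction the scam site asked for: it decodes the calldata of an ERC-721/ERC-1155 `setApprovalForAll(address,bool)` call, the standard "approval for all" grant, and rates the request before the user confirms. The trusted-operator allowlist, the sample addresses and the sample calldata are constructed placeholders, not real contracts or captured transactions.

```javascript
// Added example, not code from the original report. Decodes a pending transaction's
// calldata and flags a blanket setApprovalForAll grant to an unrecognised operator.

// First 4 bytes of keccak256("setApprovalForAll(address,bool)"), the ERC-721/ERC-1155 selector.
const SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465";

// Hypothetical allowlist of operator contracts the user has deliberately trusted.
// Constructed placeholder address, not a real marketplace contract.
const TRUSTED_OPERATORS = new Set(["0x1111111111111111111111111111111111111111"]);

// Builds calldata the way a dapp would; used here only to construct sample input.
function encodeSetApprovalForAll(operator, approved) {
  const operatorWord = operator.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const approvedWord = (approved ? "1" : "0").padStart(64, "0");
  return "0x" + SET_APPROVAL_FOR_ALL_SELECTOR + operatorWord + approvedWord;
}

// Returns { operator, approved } for a setApprovalForAll call, or null for anything else.
function decodeSetApprovalForAll(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.slice(0, 8) !== SET_APPROVAL_FOR_ALL_SELECTOR || hex.length < 136) return null;
  // ABI encoding: two 32-byte words follow the selector; the 20-byte address is
  // right-aligned in the first word, the bool is the second word.
  const operator = "0x" + hex.slice(32, 72);
  const approved = BigInt("0x" + hex.slice(72, 136)) !== 0n;
  return { operator, approved };
}

// Rates the request so the signing prompt can warn before the user approves.
function assessApproval(calldata) {
  const decoded = decodeSetApprovalForAll(calldata);
  if (!decoded) return { risk: "none", reason: "not a setApprovalForAll call" };
  if (!decoded.approved) return { risk: "low", reason: "revokes an existing approval", ...decoded };
  if (TRUSTED_OPERATORS.has(decoded.operator)) {
    return { risk: "medium", reason: "grants every token in the collection to a trusted operator", ...decoded };
  }
  return { risk: "high", reason: "grants every token in the collection to an unknown operator", ...decoded };
}

// Constructed sample: a page asking for approval-for-all to an operator nobody has vetted.
const SAMPLE_SCAM_CALLDATA = encodeSetApprovalForAll("0x2222222222222222222222222222222222222222", true);
console.log(assessApproval(SAMPLE_SCAM_CALLDATA));
```

The useful part for a user is the distinction the rating draws: a single-token `approve` or a revocation is a bounded action, while an `approved=true` call to an operator that is not on the allowlist hands the operator every token in that collection, which is exactly what made the drained wallets possible.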

Timeline

Time issue was in effect: 2 hours
Time to resolve issue once discovered: 45 mins (bug patched in TicketTool Discord bot)
All times are in CST
12:30am: BAYC Discord was hacked
12:52am: BAYC tweeted about it and locked down their server
1:46pm: TicketTool Discord Bot identified as the root cause
2:34pm: The bug was patched in the TicketTool bot

Identified Root Cause

It looks like 3 Discord bots were hacked or had a bug such that anyone (with just user roles) could create and assign webhooks to themselves. This allowed the hackers to abuse these webhooks and post announcement messages in these Discord servers, trying to get users to go to their scam website.
A recent update I made to the add command had a bug allowing for some type of permission exploit.
From the creator of Ticket Tool Discord Bot: https://twitter.com/Ticket_Tool/status/1509796229047275559
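Added example, not part of the report or of the Ticket Tool project: a defender-side inventory check over the list of webhooks Discord returns for a guild (`GET /guilds/{guild.id}/webhooks`, where `application_id` identifies the bot that created a webhook and `user` its creator). It flags webhooks created by a bot that has since been disabled, created by a non-admin account, or able to post into an announcement channel, which is the pattern the root cause above describes. All channel, user and application ids, and the webhook records themselves, are constructed placeholders.

```javascript
// Added example, not code from the report. Audits a guild's webhook inventory so an admin can
// find webhooks that were created outside the normal path and remove them.
// Record shape follows Discord's "GET /guilds/{guild.id}/webhooks" response
// (id, type, name, channel_id, application_id, user); the data is constructed.

const ANNOUNCEMENT_CHANNELS = new Set(["100000000000000001"]); // constructed channel id
const ADMIN_USER_IDS = new Set(["200000000000000001"]);        // constructed admin user id
const DISABLED_BOT_APP_IDS = new Set(["300000000000000001"]);  // placeholder id for a removed bot

const SAMPLE_WEBHOOKS = [
  { id: "1", type: 1, name: "release-notes", channel_id: "100000000000000001",
    application_id: null, user: { id: "200000000000000001", username: "admin" } },
  { id: "2", type: 1, name: "ticket-bot", channel_id: "100000000000000001",
    application_id: "300000000000000001", user: { id: "300000000000000001", username: "ticket-bot", bot: true } },
  { id: "3", type: 1, name: "announcements", channel_id: "100000000000000001",
    application_id: null, user: { id: "400000000000000009", username: "random-member" } },
  { id: "4", type: 1, name: "ci-status", channel_id: "100000000000000002",
    application_id: null, user: { id: "200000000000000001", username: "admin" } },
];

// Returns one finding per suspicious webhook, each with the reasons it was flagged.
function auditWebhooks(webhooks, { announcementChannels, adminUserIds, disabledBotAppIds }) {
  const findings = [];
  for (const hook of webhooks) {
    const reasons = [];
    const creator = hook.user ? hook.user.id : null;
    const createdByBot = Boolean(hook.application_id);

    if (createdByBot && disabledBotAppIds.has(hook.application_id)) {
      reasons.push("created by a bot that has been removed or flagged");
    }
    if (!createdByBot && !adminUserIds.has(creator)) {
      reasons.push("created by a non-admin account");
    }
    // Anything that can post into an announcement channel and is not admin-owned is a
    // ready-made impersonation channel, whether a bot made it or a regular member did.
    if (announcementChannels.has(hook.channel_id) && (createdByBot || !adminUserIds.has(creator))) {
      reasons.push("can post into an announcement channel");
    }
    if (reasons.length > 0) {
      findings.push({ id: hook.id, name: hook.name, channel_id: hook.channel_id, reasons,
                      action: "delete the webhook and review the channel's audit log" });
    }
  }
  return findings;
}

const POLICY = { announcementChannels: ANNOUNCEMENT_CHANNELS,
                 adminUserIds: ADMIN_USER_IDS, disabledBotAppIds: DISABLED_BOT_APP_IDS };
console.log(auditWebhooks(SAMPLE_WEBHOOKS, POLICY));
```

Run against a real guild, the input would come from the webhooks endpoint with a token that has Manage Webhooks; the policy sets are the part that needs tuning per server, and the announcement-channel rule is the one that would have caught the webhook used in this incident regardless of which bot created it.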

Resolution

The affected Discord bots were disabled on the server, which invalidated the authorization tokens and webhooks the hackers had used to post messages in the Discord server.
Additionally, the hacked Discord bots were also patched. Ticket Tool has stated they reverted to the previous uncompromised version that doesn't have the bug, and they also regenerated their Discord token just in case.
I've reverted the update to the previous uncompromised version and will be looking into exactly how this happened.
The bot itself is not compromised beyond a very unfortunate bug.
From the creator of Ticket Tool Discord Bot: https://twitter.com/Ticket_Tool/status/1509796229047275559

Estimated Impact

Hacked Discord
Hacked Bots
  • Ticket tool bot
  • Captcha bot
  • Arcane bot
Assets Lost
  • 1 Mutant and a fractional ETH from the BAYC Discord
  • 1 WOW, 1 HAPE, 1 Space Doodle, 1 Azuki from the Doodles Discord
  • Potentially other less-valuable NFTs from the other servers

Recommendations

  • Avoid installing any 3rd party Discord apps that utilize Discord Webhooks
  • When installing new Discord Bots, check every permission it requests & ensure no admin permissions are granted
  • Ensure all Discord Admins have Two-Factor Authentication (2FA) turned on
    • By requiring all admin accounts to have 2FA turned on, you protect your server from malicious users who might try to compromise one of your moderators’ or administrators’ accounts and then make unwanted changes to your server.
  • Close your DMs and change your password regularly
    • Discord DMs are a very easy target for luring users into deals that are too good to be true
    • Discord DMs don’t have any sort of social verification (unlike Twitter), so it’s hard to know who you are talking to
Here’s Discord’s official recommendation for keeping your server secure: https://discord.com/safety/360043653152-Four-steps-to-a-super-safe-server
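An added example (not from the original report) of the permission check in the second recommendation: a bot invite link carries the permissions the bot asks for as an integer bitfield in its `permissions` query parameter, and the script below decodes that value with Discord's documented permission bit positions and reports the high-risk ones before anyone clicks Authorize. The client id in the sample URL is a constructed placeholder, and the high-risk set is this example's own judgement of which permissions let a bot take over a server or impersonate staff.

```javascript
// Added example, not code from the report. Decodes the "permissions" bitfield in a Discord
// bot invite URL so an admin can see exactly what is being granted before authorising the bot.

// Bit positions from Discord's permission flag table (the subset relevant to server administration).
const PERMISSION_BITS = {
  CREATE_INSTANT_INVITE: 0n, KICK_MEMBERS: 1n, BAN_MEMBERS: 2n, ADMINISTRATOR: 3n,
  MANAGE_CHANNELS: 4n, MANAGE_GUILD: 5n, ADD_REACTIONS: 6n, VIEW_AUDIT_LOG: 7n,
  VIEW_CHANNEL: 10n, SEND_MESSAGES: 11n, MANAGE_MESSAGES: 13n, EMBED_LINKS: 14n,
  ATTACH_FILES: 15n, READ_MESSAGE_HISTORY: 16n, MENTION_EVERYONE: 17n,
  MANAGE_NICKNAMES: 27n, MANAGE_ROLES: 28n, MANAGE_WEBHOOKS: 29n,
};

// Permissions that let a bot, or whoever ends up controlling it, take over the server
// or post as if it were staff. ADMINISTRATOR implies all of the others.
const HIGH_RISK = new Set([
  "ADMINISTRATOR", "MANAGE_GUILD", "MANAGE_ROLES", "MANAGE_WEBHOOKS",
  "MANAGE_CHANNELS", "MENTION_EVERYONE", "BAN_MEMBERS", "KICK_MEMBERS",
]);

// Turns the integer bitfield into named permissions plus any bits the table does not know.
function decodePermissions(bitfield) {
  const value = BigInt(bitfield);
  const granted = [];
  let known = 0n;
  for (const [name, bit] of Object.entries(PERMISSION_BITS)) {
    known |= 1n << bit;
    if ((value >> bit) & 1n) granted.push(name);
  }
  // Anything outside the table is reported by bit number rather than silently ignored.
  const unknownBits = [];
  for (let bit = 0n, rest = value & ~known; rest !== 0n; bit += 1n) {
    if ((rest >> bit) & 1n) { unknownBits.push(Number(bit)); rest &= ~(1n << bit); }
  }
  const highRisk = granted.filter((name) => HIGH_RISK.has(name));
  return { granted, unknownBits, highRisk, acceptable: highRisk.length === 0 && unknownBits.length === 0 };
}

// Pulls client id, OAuth2 scopes and the permissions bitfield out of an invite URL.
function auditInviteUrl(inviteUrl) {
  const params = new URL(inviteUrl).searchParams;
  const permissions = params.get("permissions") || "0";
  const scopes = (params.get("scope") || "").split(/[ +]/).filter(Boolean);
  return { clientId: params.get("client_id"), scopes, ...decodePermissions(permissions) };
}

// Constructed sample invite that asks for ADMINISTRATOR (value 8): the case to refuse.
const SAMPLE_INVITE =
  "https://discord.com/api/oauth2/authorize?client_id=000000000000000000&scope=bot%20applications.commands&permissions=8";
console.log(auditInviteUrl(SAMPLE_INVITE));
```

A ticketing or captcha bot legitimately needs to read and send messages in a few channels; a request for Manage Webhooks, Manage Roles or Administrator is the point at which to stop and ask why, since those are the permissions that turn a bug in the bot into a server-wide compromise.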
