--- tags: post-mortem --- # Discord Incident: Compromised Admin Role ## Comprehensive Post-mortem Report ### Incident Background On March 9th, our Discord server faced a security incident when an unauthorized individual gained control of a privileged role, specifically the "miniadmin" role. The compromised account belonged to a once highly active and trusted member, who, due to changing circumstances, had become less active recently. The compromise occurred when the member unwittingly fell victim to a verification bot in another server, executing a script that extracted their Discord login auth session and granted the attacker full control over the account (drag to bookmark attack). ### Incident Details #### Exploitation and Role Manipulation Upon gaining access, the attacker exploited the compromised admin account to manipulate the server in the following ways: 1. **Notification Settings Manipulation:** - Turned off notifications for other admins to avoid early detection. 2. **Creation of Special Role:** - Created a special role, assigning it to all server members except the compromised admin and other actively monitoring users. THis way they could send notifications to this role without detection. 3. **Webhook Modification:** - Changed the webhook of a notification bot to disseminate scam/phishing notifications, avoiding notice by actively monitoring users. #### Administrative Hurdles Due to the privileged nature of the compromised account, other privileged roles were unable to remove it. The server owner, crucial in this situation, was out of town and unresponsive. The only option was to contact the member directly through alternative channels to prompt a password change and invalidate the current session. ### Incident Response #### First Line of Defense: User Recognition Vigilant members recognized the suspicious behavior of the notification bot and attempted to issue warnings. Unfortunately, these warnings were deleted promptly by the compromised admin account. Rapid communication through alternative channels to different admin accounts allowed the community to acknowledge and address the issue swiftly. #### Cleanup and Damage Control The aftermath required meticulous cleanup, including rectifying unjustly banned users and restoring normal server functioning. Ongoing education initiatives to help members recognize and respond to potential threats are crucial to preventing future incidents. ### Lessons Learned and Future Measures 1. **Active Privileged Role Management:** - Periodically review and manage privileged roles, especially those held by inactive members, to minimize the potential impact of compromised accounts. 2. **Education and Awareness:** - Ongoing education initiatives should empower members to recognize and respond to potential threats, emphasizing the importance of reporting suspicious activities promptly. 3. **Communication Protocols Enhancement:** - Strengthen communication protocols to facilitate prompt contact with critical personnel during security incidents, especially when server owners are temporarily unreachable. 4. **Security Measures for Admins:** - Admins and members with privileged roles should receive enhanced training on various methods attackers may use to steal sessions, fostering a culture of caution and vigilance. ### Conclusion The incident underscores the necessity for continuous improvement in security practices and member education. Recognizing and appreciating the efforts of vigilant users, coupled with proactive measures such as active role management and enhanced communication protocols, will contribute to a more resilient and secure Discord server in the future. Ongoing efforts to educate and empower the community to recognize and respond to potential threats will be crucial in maintaining a safe online environment.