Search This Blog

Showing posts with label CDN. Show all posts

Discord CDN and API Exploits Drive Wave of Malware Detections

 

As per the researchers, the number of reported Discord malware detections has increased significantly since last year. Even users who have never interacted with Discord are at risk, even though the network is mostly utilized by gamers as Discord has a malware problem.

Discord develops servers, or unique groups or communities of people, who can communicate instantly via voice, text, and other media. 

According to research issued by Sophos, occurrences have increased 140 times since 2020. The major cause of the Discord spike is its content delivery network (CDN) and application programming interface (API), both of which have been exploited by cybercriminals. 

The CDN of Discord is being exploited to host malware, while its API is being utilized to exfiltrate stolen data and allow hacker command-and-control channels. 

Since Discord is extensively used by younger gamers who play Fortnite, Minecraft, and Roblox, most of the virus floating around involves pranking, such as using code to crash an opponent's game, as per Sophos. However, the increase in data thieves and remote access trojans is more concerning, according to the report. 

“But the greatest percentage of the malware we found have a focus on credential and personal information theft, a wide variety of stealer malware as well as more versatile RATs. The threat actors behind these operations employed social engineering to spread credential-stealing malware, then use the victims’ harvested Discord credentials to target additional Discord users,” the report added. “And this excludes the malware not hosted within Discord that leverage Discord’s application interfaces in various ways. At just before publication time, more than 4,700 of those URLs, pointing to a malicious Windows .exe file, remained active.” 

In April, Sophos discovered 9,500 malicious URLs on Discord's CDN. After a few months, the number had risen to 17,000 URLs. Sophos pointed out that Discord's "servers" are actually Google Cloud Elixir Erlang virtual machines with Cloudfare, and that they can be made "public" or "private" for a subscription, with keys to invite others to attend. 

According to the report, Discord's CDN is just Google Cloud Storage, which makes the information exchanged available on the internet. 

Discord: Easy Target
According to the report, “once files are uploaded to Discord, they can persist indefinitely unless reported or deleted.” 

Phishing messages and virus URLs may also be sent using Discord chat channels. Many Discord scams promise game "cheats," but instead send credential stealers of various kinds, as per Sophos. 

Sonatype discovered three malicious software packages in a prominent JavaScript code repository in January, including Discord token and credential stealers that allowed hackers to steal users' personal details. This isn't the first time a security concern has been brought to Discord's notice. Cisco's Talos released a report in April warning users that Discord and Slack were being frequently utilized to deploy RATs and data stealers. 

In February, Zscaler THreatLabZ reported that spam emails linked to the pandemic were spreading on Discord in an attempt to get users to download the XMRig cryptominer virus. PandaStealer, a data-stealing virus, was spreading through a spam operation on Discord by May. 

According to Sophos experts, Discord has responded positively to their findings and is actively trying to improve safety on the platform. However, as more businesses use Discord to provide services, Sophos advises that they should be mindful of the dangers that lie on the site. 

Sophos added, “With more organizations using Discord as a low-cost collaboration platform, the potential for harm posed by the loss of Discord credentials opens up additional threat vectors to organizations. Even if you don’t have a Discord user in your home or office, abuse of Discord by malware operators poses a threat.” On the Discord CDN, the team discovered old malware such as spyware and phoney app info stealers.

BGP Hijacking Attacks Google, Amazon and Other Famous Networks' Traffic!


As per reports, a telecommunication provider that is owned by Russia rerouted traffic which was intended for the most imminent Content Delivery Networks (CDNs) and cloud host providers of the globe.

The entire re-direction kept on for around an hour during which it affected over 8,500 traffic routes of the internet. The concerned organizations happen to be few of the most celebrated ones.

Per sources, the brands range across well-known names like Cloudflare, Digital Ocean, Linode, Google, Joyent, Facebook, LeaseWeb, Amazon, GoDaddy, and Hetzner.

Reportedly, all the signs of this attack indicate towards its being a case of hijacking the Border Gateway Protocol, also known as, BGP hijacking. It is the illegitimate takeover of IP prefixes by a hijacker to redirect traffic.

This gives a lot of power in the hands of the hijacker because they could at any time “publish an announcement” stating that the servers of a particular company are on their network. As a result of which all of e.g. Amazon’s traffic would end up on the hijacker’s servers.

In earlier times when Hypertext Transfer Protocol wasn’t as widely used to encrypt traffic, BGP hijacking was a lucrative way to carry Man-in-the-Middle (MitM) attacks and catch and modify traffic.

But in recent times, analysis and decryption of traffic later in time has become easier because of BGP hijacking, as the encryption gets weaker with time.

This predicament isn’t of a new kind. It has been troubling the cyber-world for a couple of decades, mainly because they aim at boosting the BGP’s security. Despite working on several projects there hasn’t been much advancement in improving the protocol to face them.

Google’s network has been a victim of BGP hijacking by a Nigerian entity before. Researchers mention that it is not necessary for a BGP hijacking to be malicious.

Reportedly, “mistyping the ASN” (Autonomous System Number) is one of the other main reasons behind a BGP hijacking, as it is the code via which internet units are recognized and ends up accidentally redirecting traffic.

Per sources, China Telecom stands among the top entities that have committed BGP hijacking, not so “accidentally”. Another famous one on a similar front is “Rostelecom”.

The last time Rostelecom seized a lot of attention was when the most gigantic of financial players were victimized by BGP hijacking including HSBC, Visa, and MasterCard to name a few.

The last time, BGPMon didn’t have much to say however this time, Russian Telecom is in a questionable state, per sources. They also mention that it is possible for the hijack to have occurred following the accidental exposure of the wrong BGP network by an internal Rostelecom traffic shaping system.

Things took a steep turn when reportedly, Rostelecom’s upstream providers re-publicized the freshly declared BGP routes all across the web aggravating the hijack massively.

Per researchers, it is quite a difficult task to say for sure if a BGP hijacking was intentional of accidental. All that could be said is that the parties involved in the hijack make the situation suspicious.