Post Mortem: NEAR Discord Security Incident

This is a post mortem report regarding the recent security incident that occurred on the NEAR Discord server.  The purpose of this report is to provide analysis of the incident, identify the root cause, outline the impact, and propose actions to potentially limit similar incidents in the future.

Summary: On Wednesday, May 17th, the NEAR Discord server experienced a security incident.  This resulted in unauthorized access to a singular moderator account. The incident occurred due to a successful spear-phishing attempt on one of our server’s moderators. The attacker used their access to promote a fraudulent airdrop campaign, with the intent to deceive users and drain their wallets. 

Root Cause Analysis: The investigation revealed the following root causes:

1. Successful spear-phishing: One of the NEAR Discord moderators was targeted by a phishing campaign, leading to the theft of their Discord credentials. 
2. Lack of Two-Factor Authentication (2FA): The absence of 2FA for user accounts provided an opportunity for attackers to gain unauthorized access. 

Impact: The security incident had the following impacts:

1. Unauthorized Access: The attacker gained unauthorized access to our Discord server. 
2. Removal of Moderators: The attacker used their access to ban existing moderators that tried to intervene. 
3. Content Deletion: Unauthorized deletion of two Discord channels.
4. Disruption of Services: During the incident investigation and subsequent remediation, there was a temporary disruption in server availability and functionality. Invite links were invalidated during the process and are being rebuilt. 

Actions Taken: In response to the security incident, we have taken the following actions:

1. Incident Response and Investigation: Immediately upon detection, our security team initiated an incident response plan. They conducted a thorough investigation to determine the extent of the incidents and identify the source of the entry point.
   • Timeline of events: 
     1. At 7:47 PM UTC, a malicious webhook was installed by a compromised Discord Moderator account.
     2. At 10:47 PM UTC, the attacker — using the compromised moderator account — began posting in Discord. From there, other Discord members attempting to mitigate the attack were subsequently banned.
     3. The attacker used their access to promote a fraudulent airdrop campaign, with the intent to deceive users and drain their wallets.
     4. 10:57 PM UTC, The Pagoda Security team was notified. 
     5. Triage began and we identified the problem account and began resetting permission immediately. 
     6. 11:13 PM UTC, all attackers had been removed and all threats neutralized. 
2. User Notification and Password Reset: Affected users have been notified about the incident, and a mandatory password reset has been implemented to ensure the security of their accounts. 
3. Required 2FA for Moderators: Moderators are now required to use 2FA in the NEAR Discord. 

Preventive Measures: To prevent similar incidents, the following actions will be taken: measures:

1. Regular Security Audits: Implement regular security audits of our Discord server to identify and address vulnerabilities promptly.
2. Ongoing Monitoring and Incident Response Improvement: Enhance our monitoring capabilities to detect any suspicious activities and continually improve our incident response procedures.
3. Security Education and Awareness: Continue to educate our team on the importance of strong passwords, multi-factor authentication, and general security best practices. 

Conclusion: The security incident on the NEAR Discord server served as a crucial reminder of the significance of having robust security measures in place. Prompt action to minimize the impact was taken and the team have since implemented preventive measures to avoid similar incidents moving forward.  Ensuring the security and privacy of our users and their data continues to be our utmost priority.