3. Extract the gamer's authentication cookie
When a ROBLOX user starts a new session with ROBLOX, the user is issued an authentication cookie. That cookie is only good for as long as the session is active. The malware is written to extract the authentication cookie. According to Hilt, once a hacker obtains a ROBLOX gamer's authentication cookie, the cookie can be used in a command line argument when starting the ROBLOX software to log in from any system as the original gamer without the need to provide additional credentials. For this reason, the hacker must act fast once the malware has extracted the cookie, and this is where Discord's Webhook API helped to speed the communication of that cookie back to the hackers. ROBLOX even recommends that you not give your authentication cookie away.
This is also where ROBLOX could install additional security controls to prevent this sort of attack. For example, it could do one or more of the following:
- Require two-factor authentication for a successful login instead of making it optional as ROBLOX does now (and the optional factor ROBLOX offers today is delivered via email, which is not exactly the best backchannel for two-factor authentication). For example, text a secret code to the gamer's cell phone and require the gamer to enter that secret code into the ROBLOX user interface to complete the authentication. Unfortunately, given that many ROBLOX gamers are young kids, they may not have cell phones.
- Disable the ability to supply an authentication cookie to the ROBLOX executable
- Invalidate an authentication cookie if the ROBLOX network detects an attempt to log in with it while another active session using that cookie exists, or when a login attempt is made from a system on a completely different Internet connection from the original gamer's system.
For example, if ROBLOX maintains a log of IP addresses that each gamer uses, then it could warn the user when a login that's "out of pattern" occurs. At that point, the second system could be challenged with two factor authentication.
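The two server-side controls just described (a cookie bound to the connection it was issued on, and a per-gamer log of source networks used to decide between allowing, step-up challenging, or revoking) can be sketched as a small session guard. This is an added illustration written for this article, not ROBLOX code; the class and method names, the choice of /24 and /64 prefixes as the stand-in for "an Internet connection", and the sample IP addresses are all assumptions.

```python
"""Session-binding guard modelled on the controls suggested above.

Added example (hypothetical design, not ROBLOX's implementation):
  - a cookie is bound to the network prefix it was issued on,
  - presenting it from the same prefix is allowed,
  - presenting it from a prefix the gamer has used before is "out of
    pattern" and gets a two-factor challenge,
  - presenting it from a never-seen prefix while the original session is
    still live is treated as a replay and the cookie is invalidated,
  - logging out invalidates the cookie immediately.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Set


def network_key(src_ip: str) -> str:
    """Collapse a source address to the connection it came from.

    Assumption for the example: one home connection is roughly one IPv4 /24
    or one IPv6 /64. A real deployment would use ASN or geolocation data.
    """
    addr = ip_address(src_ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ip_network(f"{addr}/{prefix}", strict=False))


@dataclass
class Session:
    user: str
    bound_network: str   # prefix the cookie was issued on
    active: bool = True


class SessionGuard:
    def __init__(self) -> None:
        # cookie_id is an opaque handle for the issued cookie; the server
        # never needs to keep the secret value itself in this table.
        self.sessions: Dict[str, Session] = {}
        # per-gamer log of networks that completed a login (the "IP log")
        self.seen_networks: Dict[str, Set[str]] = {}

    def issue(self, cookie_id: str, user: str, src_ip: str) -> None:
        net = network_key(src_ip)
        self.sessions[cookie_id] = Session(user=user, bound_network=net)
        self.seen_networks.setdefault(user, set()).add(net)

    def logout(self, cookie_id: str) -> None:
        session = self.sessions.get(cookie_id)
        if session is not None:
            session.active = False

    def present(self, cookie_id: str, src_ip: str) -> str:
        """Decide what to do with a cookie presented from src_ip.

        Returns one of "allow", "challenge", "revoke", "deny".
        """
        session = self.sessions.get(cookie_id)
        if session is None or not session.active:
            return "deny"                       # unknown or already closed
        net = network_key(src_ip)
        if net == session.bound_network:
            return "allow"                      # same connection as issuance
        if net in self.seen_networks.get(session.user, set()):
            return "challenge"                  # out of pattern: step-up 2FA
        session.active = False                  # replay from a new connection
        return "revoke"


def replay_scenario() -> Dict[str, str]:
    """Constructed walk-through: a cookie issued at home, then replayed elsewhere."""
    guard = SessionGuard()
    guard.issue("cookie-A", "gamer1", "203.0.113.10")          # constructed IPs
    return {
        "same_home": guard.present("cookie-A", "203.0.113.77"),
        "stolen_replay": guard.present("cookie-A", "198.51.100.5"),
        "after_revoke": guard.present("cookie-A", "203.0.113.10"),
    }


if __name__ == "__main__":
    for case, decision in replay_scenario().items():
        print(f"{case}: {decision}")
```

The ordering of the checks is the point: a cookie presented from a brand-new connection while the issuing session is still open is exactly the situation the stolen-cookie attack creates, so the guard invalidates rather than merely warns, and the legitimate gamer simply logs in again. A prefix the gamer has used before is ambiguous (a second PC at a friend's house looks the same as a replay), which is where the two-factor challenge belongs.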
4. Use the Discord Webhook API to transmit the surreptitiously obtained authentication cookie
Once the malware exfiltrates an authentication cookie, the clock starts ticking. The cybercrooks have to put it to use before the original session from which it was extracted is closed by the end user (the gamer). In fact, the ROBLOX web site advises users to "Always Log Out of Your Account When You're Done Playing." While that advice is presented in the context of leaving a machine unattended, Hilt was clear that so long as a session is active, an authentication cookie that was exfiltrated during that session can be used as a login credential.
So, with the clock ticking, the malware then leverages the existing ROBLOX connection to Discord to transmit the authentication cookie back to the cybercriminals. Discord is the underlying communication network that ROBLOX gamers use to communicate with one another. Using Discord's Webhook API, the malware sets up a connection to the Discord service and transmits the cookie to a Discord channel that's operated by the hackers.
In this context, the Discord API is being used for illegitimate purposes. But, it is still being used in a legitimate fashion. In other words, the hackers are not breaking into or bypassing the security of the Discord service. In so doing, the hackers are essentially escaping detection because the resulting traffic looks pretty much the same as any other traffic between the ROBLOX client and the Discord service. However, had the cybercrooks chosen some other backchannel over which to exfiltrate the authentication cookie, they might have been detected. This offers some idea of the cleverness and tenacity of cybercriminals who will stop at nothing to achieve an objective while doing a pretty good job of escaping detection and covering up their tracks at the same time.
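The reason this traffic blends in is that the destination is a service the machine already talks to; what still distinguishes it is which process is doing the talking. As an added illustration (not from the article or from Trend Micro), the following detector runs over constructed egress-log lines and flags webhook posts to Discord that originate from a process other than the Discord client or a browser. The log format, the process names (`game_client.exe` stands in for whatever a hijacked game installation runs), the allowlist and the sample lines are all assumptions; the `/api/webhooks/<id>/<token>` path shape is Discord's documented webhook endpoint.

```python
"""Flag Discord webhook posts from processes that have no business sending them.

Added example. Assumes an egress proxy or endpoint sensor that records the
originating process, which is what makes this distinguishable from ordinary
client-to-Discord traffic. Log format (constructed):
    <timestamp> <process> <method> <host> <path> <bytes>
"""
import re
from typing import Dict, List

# Constructed sample lines; the webhook token is a labelled placeholder.
SAMPLE_LOG = """\
2023-07-01T10:00:01Z discord.exe POST discord.com /api/v9/channels/1111/messages 412
2023-07-01T10:00:03Z game_client.exe GET www.example-game.test /join 210
2023-07-01T10:00:04Z game_client.exe POST discord.com /api/webhooks/123456/PLACEHOLDER_TOKEN 1380
2023-07-01T10:00:05Z chrome.exe POST discord.com /api/webhooks/987654/PLACEHOLDER_TOKEN 96
2023-07-01T10:00:06Z game_client.exe POST discordapp.com /api/webhooks/555/PLACEHOLDER_TOKEN 1402
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")
# Discord's webhook endpoint shape: /api/webhooks/<webhook id>/<token>
WEBHOOK_RE = re.compile(r"^/api/webhooks/(\d+)/([^/?]+)")
DISCORD_HOSTS = {"discord.com", "discordapp.com"}
# Processes expected to talk to Discord webhooks on a gamer's PC (assumption).
ALLOWED_PROCESSES = {"discord.exe", "chrome.exe", "firefox.exe", "msedge.exe"}


def parse_line(line: str) -> Dict[str, str]:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts, proc, method, host, path, size = m.groups()
    return {"ts": ts, "process": proc, "method": method,
            "host": host, "path": path, "bytes": size}


def redact_webhook(path: str) -> str:
    """Keep the webhook id (useful for abuse reporting), drop the token."""
    return WEBHOOK_RE.sub(lambda m: f"/api/webhooks/{m.group(1)}/<redacted>", path)


def find_suspicious_webhook_posts(log_text: str) -> List[Dict[str, str]]:
    """Return webhook POSTs to Discord from processes outside the allowlist."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if (rec["method"] == "POST"
                and rec["host"] in DISCORD_HOSTS
                and WEBHOOK_RE.match(rec["path"])
                and rec["process"] not in ALLOWED_PROCESSES):
            rec["path"] = redact_webhook(rec["path"])
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_webhook_posts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['process']} -> {hit['host']}{hit['path']} ({hit['bytes']} bytes)")
```

Two design choices are worth noting. The rule keys on the originating process rather than the destination, because the destination is legitimate and blocking it would break the gamers' own Discord use. And the webhook token is redacted before the hit is written anywhere, while the webhook id is kept so that the channel can be reported to Discord for takedown.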
It all started with Slack
According to Hilt, it all "started out with me looking into Slack and to see if cybercriminals could use Slack for C&C." While he didn't turn up any nefarious activity along the lines of the abuse found on the Discord and Telegram services, a proof-of-concept (PoC) was developed to prove that Slack could potentially be used for C&C purposes. The outcome, detailed in a report prepared by Trend Micro, proved among other things that it was possible with nothing more than an API key (in other words, OAuth credentials were not necessary) so long as it involved a user who was already an approved user of a Slack channel. The PoC however revealed that Slack was also "less than ideal" for C&C.
According to the report, "While there were no restrictions as to what type of file can be uploaded, the file size was capped at 1GB, with a total upload limit of 5GB. This makes data exfiltration through Slack less than ideal."
Despite the PoC, however, Slack appears to have escaped abuse in the real world, which leads to the next obvious question: what is Slack doing technologically or in the way of best practices that might be keeping cybercriminals away from its network (keeping in mind that just because Hilt found no intrusions doesn't mean it's not happening)? ProgrammableWeb made contact with Slack to learn more. But, due to the summer holiday schedule, the right people were unavailable for comment.
One important aspect of Slack is that channels have administrators that, to some extent, act as gatekeepers when it comes to what third party applications are allowed. A Slack administrator might allow the application for Uber because s/he trusts Uber as a brand to have taken whatever precautions are necessary to prevent its application and infrastructure from getting hijacked for nefarious purposes. In the ROBLOX/Discord situation, users are at the mercy of their own discretion. If they choose to download a mod that subsequently hijacks their ROBLOX installation, there's not much that anybody else can do about it until their anti-malware solution provider (like Trend Micro) updates the local software to address the new threat (as Trend Micro has already done).