Discord will switch to temporary file links for all users by the end of the year to block attackers from using its CDN (content delivery network) for hosting and pushing malware.
"Discord is evolving its approach to attachment CDN URLs in order to create a safer and more secure experience for users. In particular, this will help our safety team restrict access to flagged content, and generally reduce the amount of malware distributed using our CDN," Discord told BleepingComputer.
"There is no impact for Discord users that share content within the Discord client. Any links within the client will be auto refreshed. If users are using Discord to host files, we'd recommend they find a more suitable service.
"Discord developers may see minimal impact and we’re working closely with the community on the transition. These changes will roll out later this year and we’ll share more info with developers in the coming weeks."
After the file hosting change (described by Discord as authentication enforcement) rolls out later this year, all links to files uploaded to Discord servers will expire after 24 hours.
CDN URLs will come with three new parameters that will add expiration timestamps and unique signatures that will remain valid until the links expire, preventing the use of Discord's CDN for permanent file hosting.
While these parameters are already being added to Discord links, they still need to be enforced, and links shared outside Discord servers will only expire once the company rolls out its authentication enforcement changes.
"To improve security of Discord's CDN, attachment CDN URLs have 3 new URL parameters: ex, is, and hm. Once authentication enforcement begins later this year, links with a given signature (hm) will remain valid until the expiration timestamp (ex)," the Discord development team explained in a post shared on the Discord Developers server.
"To access the attachment CDN link after the link expires, your app will need to fetch a new CDN URL. The API will automatically return valid, non-expired URLs when you access resources that contain an attachment CDN URL, like when retrieving a message."
A giant leap forward in the battle against malware
This is a much-anticipated move toward the ongoing challenges Discord faces in curbing cybercrime activities across its platform, seeing that its servers have long served as breeding grounds for malicious activities associated with financially motivated and state-backed hacking groups.
Discord's permanent file hosting capabilities have frequently been misused to distribute malware and exfiltrate data gathered from compromised systems using webhooks.
Despite the escalating scale of this issue in recent years, Discord has so far struggled to implement effective measures to deter cybercriminals' abuse of its platform and decisively address the problem or, at the very least, limit its impact.
According to a recent report by cybersecurity company Trellix, Discord CDN URLs have been exploited by at least 10,000 malware operations to drop second-stage malicious payloads on infected systems.
These payloads primarily consist of malware loaders and scripts that install malware, such as RedLine stealer, Vidar, AgentTesla, zgRAT, and Raccoon stealer.
According to Trellix's data, various malware families, including Agent Tesla, UmbralStealer, Stealerium, and zgRAT, have also used Discord webhooks over the past few years to steal sensitive information like credentials, browser cookies, and cryptocurrency wallets from compromised devices.
Comments
GT500 - 6 months ago
I wrote a longer message explaining why this isn't going to help, and it was eaten by a server error, so I'm not typing all of that back out again...
Basically, all a malware distributor has to do is figure out a way to automate getting Discord to generate a new download URL and then send that to wherever their distribution scripts pull the latest URL from. I also made a sarcastic comment about it being possible to use Twitter for that since it only costs $1 per year (it's not like that hasn't been done before). I also said that worst case scenario was that malware devs would have to manually click on the download in Discord every time the URL expired to generate a new one, and paste it into wherever their distribution scripts pulled the latest URL from. This change is a minor inconvenience at most.
The only thing I can think of that would actually work would be for Discord to restrict downloads to only being possible through the Discord client, and only if the user has already joined the server and channel that the file was uploaded to before they clicked the download link. I doubt anything short of that would have any real impact on malware distribution via Discord's CDN.