Article Information

February 19, 2025 | Ravie Lakshmanan | Mobile Security / Cyber Espionage

Introduction to the Threat

Multiple Russian-aligned threat actors have been observed targeting individuals of interest via the privacy-focused messaging app Signal in order to gain unauthorized access to their accounts. The primary method used by these actors involves the exploitation of Signal’s legitimate ‘linked devices’ feature.

Method of Attack

"The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is the abuse of the app’s legitimate ‘linked devices’ feature that enables Signal to be used on multiple devices concurrently," the Google Threat Intelligence Group (GTIG) said in a report. In these attacks, threat actors, including one tracked as UNC5792, utilize malicious QR codes. When scanned, these codes link a victim’s account to an actor-controlled Signal instance, allowing threat actors to synchronously receive future messages in real-time, effectively eavesdropping on the victim’s conversations.

Actors Involved

Google noted that UNC5792 partially overlaps with a hacking group tracked as UAC-0195. These malicious QR codes are disguised as group invites, security alerts, or legitimate device-pairing instructions from the Signal website, or are embedded in phishing pages purporting to be specialized applications used by the Ukrainian military.

Techniques Used

Another threat actor, UNC4221 (also known as UAC-0185), targets Signal accounts used by Ukrainian military personnel through a custom phishing kit designed to mimic aspects of the Kropyva application used for artillery guidance. A lightweight JavaScript payload named PINPOINT is also used to collect user information and geolocation data through phishing pages.

Other Threat Actors

Other adversarial collectives targeting Signal include Sandworm (APT44), which uses a Windows Batch script named WAVESIGN; Turla, operating a lightweight PowerShell script; and UNC1151, utilizing the Robocopy utility to exfiltrate Signal messages from infected desktops.

Protective Measures

Signal has released updates for Android and iOS with hardened features to secure users against such phishing efforts. Users are advised to update to the latest version to enable these features.

Context and Wider Implications

The disclosure from Google comes after the Microsoft Threat Intelligence team attributed the Russian threat actor Star Blizzard to a spear-phishing campaign leveraging a similar device-linking feature to hijack WhatsApp accounts. Recently, Microsoft and Volexity revealed that multiple Russian threat actors use device code phishing to log into victims’ accounts by targeting them via messaging apps like WhatsApp, Signal, and Microsoft Teams.

Conclusion

"The operational emphasis on Signal from multiple threat actors in recent months serves as an important warning for the growing threat to secure messaging applications that is certain to intensify in the near-term," Google said. This threat includes not only remote cyber operations like phishing and malware delivery but also close-access operations where a threat actor briefly accesses a target’s unlocked device.

Related Threats

The disclosure follows the discovery of a new SEO poisoning campaign using fake download pages impersonating popular applications like Signal, LINE, Gmail, and Google Translate to deliver backdoored executables aimed at Chinese-speaking users. These executables exhibit infostealer-like functionality associated with the MicroClip malware strain.
