Google has issued a warning about new threats to the Signal messaging platform, with “multiple Russia-aligned threat actors actively targeting Signal Messenger.”
Signal is currently one of the most secure messaging platforms on the planet, in use by the EU Commission, U.S. Senate, U.S. military units, journalists, activists, and other surveillance targets. The platform ensures communications are end-to-end encrypted, and offers text, voice, and video chats.
As a result of its popularity, and the security it provides, Google says Signal is increasingly coming under attack by Russia-aligned threat actors seeking to compromise users’ accounts. The company says the activity is likely driven by Russia’s invasion of Ukraine, as Signal is used within Ukraine for secure communications.
Google Threat Intelligence Group (GTIG) has observed increasing efforts from several Russia state-aligned threat actors to compromise Signal Messenger accounts used by individuals of interest to Russia’s intelligence services. While this emerging operational interest has likely been sparked by wartime demands to gain access to sensitive government and military communications in the context of Russia’s re-invasion of Ukraine, we anticipate the tactics and methods used to target Signal will grow in prevalence in the near-term and proliferate to additional threat actors and regions outside the Ukrainian theater of war.
First Attack Vector
Google goes on to outline several attacks currently in use to compromise Signal messages, with the first being abuse of Signal’s “Linked Devices” feature.
The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is the abuse of the app’s legitimate “linked devices” feature that enables Signal to be used on multiple devices concurrently. Because linking an additional device typically requires scanning a quick-response (QR) code, threat actors have resorted to crafting malicious QR codes that, when scanned, will link a victim’s account to an actor-controlled Signal instance. If successful, future messages will be delivered synchronously to both the victim and the threat actor in real-time, providing a persistent means to eavesdrop on the victim’s secure conversations without the need for full-device compromise.
Notably, this device-linking concept of operations has proven to be a low-signature form of initial access due to the lack of centralized, technology-driven detections and defenses that can be used to monitor for account compromise via newly linked devices; when successful, there is a high risk that a compromise can go unnoticed for extended periods of time.
Second Attack Vector
The second attack vector involves modifying Signal group invites to send people to a malicious URL.
To compromise Signal accounts using the device-linking feature, one suspected Russian espionage cluster tracked as UNC5792 (which partially overlaps with CERT-UA’s UAC-0195) has altered legitimate “group invite” pages for delivery in phishing campaigns, replacing the expected redirection to a Signal group with a redirection to a malicious URL crafted to link an actor-controlled device to the victim’s Signal account.
Third Attack Vector
The third attack vector is tailored to Ukrainian military units and impersonates a specific application.
UNC4221 (tracked by CERT-UA as UAC-0185) is an additional Russia-linked threat actor who has actively targeted Signal accounts used by Ukrainian military personnel. The group operates a tailored Signal phishing kit designed to mimic components of the Kropyva application used by the Armed Forces of Ukraine for artillery guidance. Similar to the social engineering approach used by UNC5792, UNC4221 has also attempted to mask its device-linking functionality as an invite to a Signal group from a trusted contact.
While this attack is highly targeted, Google says it could serve as a template for future operations.
Notably, as a core component of its Signal targeting, UNC4221 has also used a lightweight JavaScript payload tracked as PINPOINT to collect basic user information and geolocation data using the browser’s GeoLocation API. In general, we expect to see secure messages and location data frequently feature as joint targets in future operations of this nature, particularly in the context of targeted surveillance operations or support to conventional military operations.
Additional Attack Vectors
Google says there are multiple other types of attacks aimed at stealing Signal database files from both Android and Windows clients.
Beyond targeted efforts to link additional actor-controlled devices to victim Signal accounts, multiple known and established regional threat actors have also been observed operating capabilities designed to steal Signal database files from Android and Windows devices.
Conclusion
Google makes clear that these efforts to compromise Signal underscore both the importance of secure communication and the threats such communications continue to face.
The operational emphasis on Signal from multiple threat actors in recent months serves as an important warning for the growing threat to secure messaging applications that is certain to intensify in the near-term. When placed in a wider context with other trends in the threat landscape, such as the growing commercial spyware industry and the surge of mobile malware variants being leveraged in active conflict zones, there appears to be a clear and growing demand for offensive cyber capabilities that can be used to monitor the sensitive communications of individuals who rely on secure messaging applications to safeguard their online activity.
from WebProNews https://ift.tt/zbILYXg