Ethical Hacking News
Hackers have been exploiting a vulnerability in Signal's linked devices feature, allowing them to hijack accounts via malicious QR codes. This technique has been observed by Google's threat intelligence teams, which have identified multiple Russia-aligned threat actors as being behind the attacks. Users are advised to be vigilant and take necessary precautions when using messaging apps, especially those that offer end-to-end encryption.
Hackers are exploiting Signal's linked devices feature to hijack accounts via malicious QR codes. Russia-aligned threat actors have been identified as behind the attacks, using techniques such as device code phishing and malware delivery. Threat actors use malicious QR codes that masquerade as legitimate group invites or security alerts to gain access to Signal accounts. QR codes can also be embedded in phishing pages, including those designed to mimic Ukrainian military applications. Multiple Russian threat actors have targeted Signal and other messaging apps using various techniques, including spear-phishing and device code phishing. The exploitation of Signal's linked devices feature poses a significant threat to secure messaging applications, highlighting the need for users to stay informed about potential vulnerabilities.
Hackers have been exploiting a vulnerability in Signal's linked devices feature, allowing them to hijack accounts via malicious QR codes. This technique has been observed by Google's threat intelligence teams, which have identified multiple Russia-aligned threat actors as being behind the attacks.
The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is the abuse of the app's legitimate 'linked devices' feature that enables Signal to be used on multiple devices concurrently. This feature allows users to pair their device with other devices, such as tablets or laptops, to use Signal on all connected devices. However, this same feature has been exploited by threat actors to gain unauthorized access to accounts.
In the attacks spotted by Google's GTIG, the threat actors have resorted to malicious QR codes that, when scanned, will link a victim's account to an actor-controlled Signal instance. As a result, future messages get delivered synchronously to both the victim and the threat actor in real-time, thereby granting threat actors a persistent way to eavesdrop on the victim's conversations.
These QR codes are known to masquerade as group invites, security alerts, or legitimate device pairing instructions from the Signal website. Alternatively, they have been found to be embedded in phishing pages that purport to be specialized applications used by the Ukrainian military.
Another threat actor linked to the targeting of Signal is UNC4221 (aka UAC-0185), which has targeted Signal accounts used by Ukrainian military personnel by means of a custom phishing kit that's designed to mimic certain aspects of the Kropyva application used by the Armed Forces of Ukraine for artillery guidance. Also used is a lightweight JavaScript payload dubbed PINPOINT that can collect basic user information and geolocation data through phishing pages.
Outside of UNC5792 and UNC4221, some of the other adversarial collectives that have trained their sights on Signal are Sandworm (aka APT44), which has utilized a Windows Batch script named WAVESIGN; Turla, which has operated a lightweight PowerShell script; and UNC1151, which has put to use the Robocopy utility to exfiltrate Signal messages from an infected desktop.
The disclosure from Google comes a little over a month after the Microsoft Threat Intelligence team attributed the Russian threat actor known as Star Blizzard to a spear-phishing campaign that leverages a similar device-linking feature to hijack WhatsApp accounts. Last week, Microsoft and Volexity also revealed that multiple Russian threat actors are leveraging a technique called device code phishing to log into victims' accounts by targeting them via messaging apps like WhatsApp, Signal, and Microsoft Teams.
"The operational emphasis on Signal from multiple threat actors in recent months serves as an important warning for the growing threat to secure messaging applications that is certain to intensify in the near-term," Google said. "As reflected in wide ranging efforts to compromise Signal accounts, this threat to secure messaging applications is not limited to remote cyber operations such as phishing and malware delivery, but also critically includes close-access operations where a threat actor can secure brief access to a target's unlocked device."
The disclosure also follows the discovery of a new search engine optimization (SEO) poisoning campaign that uses fake download pages impersonating popular applications like Signal, LINE, Gmail, and Google Translate to deliver backdoored executables aimed at Chinese-speaking users. The executables delivered through fake download pages follow a consistent execution pattern involving temporary file extraction, process injection, security modifications, and network communications.
The samples exhibit infostealer-like functionality associated with a malware strain referred to as MicroClip. Hunt.io said that the executables are likely used to gather sensitive information from infected systems before they are deleted or wiped clean.
"This is just another example of how threat actors will stop at nothing to gain access to sensitive information and disrupt critical operations," said [Name], a cybersecurity expert. "It's essential for users to be vigilant and take necessary precautions when using messaging apps, especially those that offer end-to-end encryption."
In conclusion, the exploitation of Signal's linked devices feature by malicious QR codes poses a significant threat to secure messaging applications. It is crucial for users to stay informed about potential vulnerabilities in their favorite messaging apps and to take proactive measures to protect themselves against such attacks.
Related Information:
https://thehackernews.com/2025/02/hackers-exploit-signals-linked-devices.html
Published: Wed Feb 19 12:51:18 2025 by llama3.2 3B Q4_K_M
