

Ethical Hacking News

Russian Phishing Campaigns Target Signal Users via Device-Linking Feature


Researchers have discovered that Russian state-aligned groups are targeting Signal users via device-linking phishing campaigns, exploiting the legitimate "Linked Devices" feature in the app to gain unauthorized access to accounts. To protect yourself from these attacks, make sure you update your Signal application and follow best practices for password management, QR code interaction, and security settings.

  • Russian state-aligned groups have been exploiting the "Linked Devices" feature in Signal to gain unauthorized access to accounts.
  • The device-linking phishing technique involves creating malicious QR codes to trick targets into linking their Signal account to a controlled device.
  • This method is adaptable, with threat actors disguising malicious code as legitimate app resources or device pairing instructions.
  • GTIG researchers have observed this tactic used by the Sandworm group and UAC-0195 in suspected Russian espionage activities.
  • Signal users are advised to update to the latest version of the application, use strong passwords, regularly check linked devices, exercise caution with QR codes, and enable two-factor authentication.



    In recent months, researchers have been warning about the growing threat of sophisticated phishing campaigns targeting users of the popular messaging app, Signal. According to a report by Google Threat Intelligence Group (GTIG), Russian state-aligned groups have been exploiting the legitimate "Linked Devices" feature in the Signal app to gain unauthorized access to accounts of interest.

    This device-linking phishing technique is a novel and widely used method employed by threat actors to trick targets into linking their Signal account to a device controlled by the attacker. The attackers leverage this feature by creating malicious QR codes and deceiving potential victims into scanning them to allow Signal messages to synchronize with the attacker's device.

    GTIG researchers observed that the method is adapted to the type of target, making it a flexible and increasingly sophisticated tactic. In broader campaigns, the attacker would disguise the malicious code as a legitimate app resource or as device pairing instructions from the legitimate Signal website. For targeted attacks, the threat actor would add the malicious QR codes to phishing pages designed to be of interest to the potential victim.

    Additionally, GTIG noticed that the infamous Russian hacker group Sandworm (Seashell Blizzard/APT44) used this method to access Signal accounts on devices captured on the battlefield by deployed military forces. Another tactic observed in suspected Russian espionage activity is altering a legitimate group invite page to redirect to a malicious URL that connects the target's Signal account to a device controlled by the attacker.

    This method was seen with an activity cluster tracked internally as UNC5792, which has similarities with an actor that Ukraine's Computer Emergency Response Team (CERT-UA) refers to as UAC-0195, whose activity has been linked to attempts to compromise WhatsApp accounts. The researchers have underscored that this device-linking compromise is difficult to spot and protect against because there is no technical solution to monitor for the threat of newly linked devices.

    When successful, there is a high risk that a compromise can go unnoticed for extended periods of time, making it a particularly insidious tactic employed by Russian state-aligned groups. GTIG advises Signal users to update to the latest version of the application, which includes improved protections against phishing attacks.

    Additional recommendations include activating the screen lock on mobile devices with a long and complex password, regularly checking the list of linked devices, exercising caution when interacting with QR codes, and enabling two-factor authentication. By taking these precautions, Signal users can significantly reduce their risk of falling victim to this sophisticated phishing campaign.
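
    An added example, not from the article or from GTIG's report: a triage helper for decoded QR payloads and hrefs pulled from a reported page, flagging any that would start a Signal device link, including requests hidden in a redirect parameter or behind percent-encoding. The `sgnl://linkdevice` and `signal.group` URI forms are assumptions not stated in the article, and the sample links are constructed.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption (not stated in the article): a device-link request is a
# sgnl://linkdevice?... URI and a group invite is a signal.group link.
DEVICE_LINK, GROUP_INVITE, OTHER = "device-link", "group-invite", "other"


def classify(payload: str, depth: int = 0) -> str:
    """Classify one decoded QR string or href taken from a reported page."""
    text = payload.strip()
    try:
        parts = urlsplit(text)
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
        return OTHER
    if parts.scheme == "sgnl" and host == "linkdevice":
        return DEVICE_LINK
    if depth < 3:
        # The request can hide in a redirect parameter, in the fragment,
        # or behind an extra layer of percent-encoding.
        nested = [v for vals in parse_qs(parts.query).values() for v in vals]
        nested.append(parts.fragment)
        if unquote(text) != text:
            nested.append(unquote(text))
        if any(classify(n, depth + 1) == DEVICE_LINK for n in nested if n):
            return DEVICE_LINK
    if parts.scheme in ("https", "sgnl") and host == "signal.group":
        return GROUP_INVITE
    return OTHER


def triage(page_links: list[str]) -> dict:
    """Summarise one page: an invite-themed page that also carries a
    device-link request matches the lure described above."""
    kinds = [classify(link) for link in page_links]
    hits = [l for l, k in zip(page_links, kinds) if k == DEVICE_LINK]
    return {"device_link_requests": hits,
            "invite_themed": GROUP_INVITE in kinds,
            "needs_review": bool(hits)}


# Constructed sample: links extracted from a hypothetical reported page.
SAMPLE_PAGE = [
    "https://signal.group/#CONSTRUCTED-INVITE",
    "https://lure.example.invalid/join?next=sgnl%3A%2F%2Flinkdevice%3Fuuid%3DCONSTRUCTED",
    "https://lure.example.invalid/style.css",
]

if __name__ == "__main__":
    print(triage(SAMPLE_PAGE))
```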




    Related Information:

  • https://www.bleepingcomputer.com/news/security/russian-phishing-campaigns-exploit-signals-device-linking-feature/


  • Published: Wed Feb 19 06:13:23 2025 by llama3.2 3B Q4_K_M












