QR codes provide a means of phishing Signal users: Signal's group invite and device-linking features work by scanning QR codes that contain the cryptographic information needed to exchange keys between the devices in a group or to authorize a new device on an account. The QR codes are representations of special links that the Signal application knows how to process through its handler for the sgnl:// URI scheme.

Because users are accustomed to scanning QR codes or clicking buttons to join group chats, attackers have built phishing pages that mimic that experience but use it to link rogue devices to the victim's account instead. Rogue device linking gives attackers an easier route to Signal messages than remotely compromising an Android or iOS device, which would likely require a rare and expensive root-level exploit.

“One suspected Russian espionage cluster tracked as UNC5792 (which partially overlaps with CERT-UA's UAC-0195) has altered legitimate ‘group invite’ pages, replacing the expected redirection to a Signal group with a redirection to a malicious URL crafted to link an actor-controlled device to the victim's Signal account,” the Google researchers said.

The phishing page masquerades as the official Signal website with a Join Group button, but the JavaScript behind the button redirects the browser to a sgnl://linkdevice?uuid=[data] link. The operating system hands that link to the Signal app, the registered handler for sgnl:// URIs, which treats it as a request to link a new device to the account rather than as a group invite. Signal asks the user to confirm the link, and a user who expects to be joining a group and approves the prompt has just linked the attacker's device.
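The bait-and-switch described above, as an added example that is not code from the article or from Google's report: a small Python checker that extracts Signal deep links from a page and separates a genuine group invite (an https link on signal.group, or its sgnl://signal.group form) from a device-linking request (the sgnl://linkdevice path named in the article). Those two link shapes are Signal's; the sample pages, the placeholder uuid and invite token, and the "Join Group" heuristic are constructed for the example.

```python
"""Check whether a 'group invite' page really invites, or links a device.

Added example, not code from the csoonline article or from Google's report.
Facts from the page: genuine invites point at signal.group, and the phishing
pages redirect to sgnl://linkdevice?uuid=... instead. The sample pages,
placeholder values and the simple 'Join Group' heuristic are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed: the pattern the article describes. A 'Join Group' button whose
# handler sends the browser to a device-linking URI. The uuid is a placeholder.
PHISHING_PAGE = """
<html><body>
<button onclick="joinGroup()">Join Group</button>
<script>
function joinGroup() {
  window.location = "sgnl://linkdevice?uuid=PLACEHOLDER-UUID";
}
</script>
</body></html>
"""

# Constructed: what a real invite page links to (placeholder invite token).
LEGIT_PAGE = '<a href="https://signal.group/#PLACEHOLDER-INVITE">Join Group</a>'

# Signal links as they appear in HTML/JS: the sgnl:// scheme, or an https
# invite on signal.group. Stops at whitespace, quotes and tag brackets.
LINK_RE = re.compile(r"""(?:sgnl://|https://signal\.group/)[^\s<>"']*""")


def classify_link(link: str) -> str:
    """Return 'group-invite', 'device-link' or 'other' for one Signal link."""
    parts = urlsplit(link)
    if parts.scheme == "https" and parts.netloc == "signal.group":
        return "group-invite"
    if parts.scheme == "sgnl":
        if parts.netloc == "signal.group":   # sgnl:// form of the same invite
            return "group-invite"
        if parts.netloc == "linkdevice":     # the path named in the article
            return "device-link"
    return "other"


def audit_page(html: str) -> dict:
    """Extract Signal links from a page and flag the bait-and-switch: a page
    that advertises a group invite but hands the client a device-link URI."""
    kinds = {link: classify_link(link) for link in LINK_RE.findall(html)}
    device_links = [l for l, k in kinds.items() if k == "device-link"]
    # The query carries the identifier of the device that will be linked
    # (the attacker's, in the phishing case). Surface it for reporting.
    device_params = {l: parse_qs(urlsplit(l).query) for l in device_links}
    advertises_invite = "join group" in html.lower()
    verdict = "SUSPICIOUS" if advertises_invite and device_links else "ok"
    return {"links": kinds, "device_params": device_params, "verdict": verdict}


if __name__ == "__main__":
    for name, page in (("phishing", PHISHING_PAGE), ("legit", LEGIT_PAGE)):
        print(name, audit_page(page))
```

The same classification applies to a decoded QR payload: if what the code carries is a sgnl://linkdevice link, it is a device-linking request no matter what the page around it says, and the only thing standing between the attacker and the account is the confirmation prompt in the Signal app.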
Russian threat group targeting Ukrainian military personnel: Another Russian threat group, tracked by Google as UNC4221 and by CERT-UA as UAC-0185, is using a Signal phishing kit that mimics components of Kropyva, an artillery guidance application developed by the Ukrainian armed forces.

The group is known for targeting Ukrainian military personnel and has used several tactics: Kropyva-themed phishing sites with QR codes that supposedly join Signal groups, phishing pages that mimic security alerts from Signal itself, and Signal group invites sent from compromised trusted contacts. All of these fake group invites performed rogue device linking instead.

“Notably, as a core component of its Signal targeting, UNC4221 has also used a lightweight JavaScript payload tracked as PINPOINT to collect basic user information and geolocation data using the browser's GeoLocation API,” the Google researchers said. “In general, we expect to see secure messages and location data to frequently feature as joint targets in future operations of this nature, particularly in the context of targeted surveillance operations or support to conventional military operations.”

The researchers also noted efforts by Russian troops to link Signal accounts from devices captured on the battlefield to devices controlled by APT44, also known as Sandworm, a cyber unit attributed to the Russian military intelligence service, the GRU. APT44 has also been seen deploying a Windows batch script dubbed WAVESIGN, designed to collect and exfiltrate messages from the Signal Desktop app on compromised Windows computers.
Targeting desktop versions of Signal: Signal is primarily a mobile app, and creating an account requires a mobile phone number, although since last year users have been able to hide their number behind a unique username rather than share it with new contacts. Signal also has a desktop version for Windows, macOS, and Linux, and many users link their computers to their accounts as secondary devices.

Until recently, linking a Windows or macOS computer to a Signal account did not transfer the existing chat history to the new device, but every future message was delivered to both the desktop and the mobile device, building up a message history on each. That made desktop computers a target for Signal message collection.

In addition to APT44's WAVESIGN script, the Google researchers noted Turla's use of a PowerShell script to extract Signal Desktop messages. Turla is a cyberespionage team attributed to the Russian Federal Security Service, the FSB. A Belarus-linked threat actor tracked as UNC1151 was also observed using the Robocopy command-line utility to exfiltrate Signal messages from Windows computers.

The threat from such attacks is greater now that Signal has introduced the ability to synchronize the past 45 days of chat history to a newly linked device, so a rogue linked device now receives recent history as well as future messages.

“The operational emphasis on Signal from multiple threat actors in recent months serves as an important warning for the growing threat to secure messaging applications that is certain to intensify in the near-term future,” the Google researchers said. “When placed in a wider context with other trends in the threat landscape, such as the growing commercial spyware industry and the surge of mobile malware variants being leveraged in active conflict zones, there appears to be a clear and growing demand for offensive cyber capabilities that can be used to monitor the sensitive communications of individuals who rely on secure messaging applications to safeguard their online activity.”

The Google report contains indicators of compromise for the observed campaigns as well as recommendations for protecting devices. Beyond installing security updates promptly and protecting devices with long, complex passwords, users should regularly review the list of linked devices in their messaging apps and remove any they do not recognize, and should be wary of QR codes or links presented as group invites or as urgent required actions.
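A detection angle on the desktop collection tooling described above (WAVESIGN, Turla's PowerShell script, UNC1151's Robocopy use), as an added example that is not code from the article or from Google's report: all three have to read Signal Desktop's profile directory on Windows, %APPDATA%\Signal, where the app keeps its SQLite message store. The rule below flags process-creation events in which a scripting or copy utility names that path. The event format and the sample events are constructed (Sysmon-style fields flattened to a dict), and the tool list and path patterns are my assumptions, not indicators from the report.

```python
"""Hunt for Signal Desktop message collection on Windows endpoints.

Added example, not code from the csoonline article or from Google's report.
The article names three collection techniques aimed at Signal Desktop on
Windows: APT44's WAVESIGN batch script, Turla's PowerShell script and
UNC1151's use of Robocopy. Each has to read the app's profile directory
(%APPDATA%\\Signal, which holds its SQLite message store), so this rule flags
process-creation events where a scripting or copy utility names that path.
The event format and the sample events are constructed (Sysmon-style fields
flattened to a dict); the rule is my own, not one from the report.
"""
import re

# Ways the profile path shows up in command lines: expanded, %APPDATA%, or
# the PowerShell $env:APPDATA form. The lookahead avoids matching a longer
# unrelated name such as ...\Signal-backup.
SIGNAL_PROFILE_RE = re.compile(
    r"(?:appdata\\roaming\\signal|%appdata%\\signal|\$env:appdata\\signal)"
    r"(?![a-z0-9_-])",
    re.IGNORECASE,
)

# Interpreters and copy tools the article's techniques run under, plus the
# obvious sqlite client. Signal.exe itself is deliberately not listed.
COLLECTION_TOOLS = {
    "cmd.exe", "powershell.exe", "pwsh.exe",
    "robocopy.exe", "xcopy.exe", "sqlite3.exe",
}

# Constructed sample events (pid, image, command line).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\Robocopy.exe",
     "cmdline": r'Robocopy.exe "C:\Users\alice\AppData\Roaming\Signal" "C:\Users\Public\tmp" /E /R:0'},
    {"pid": 4181, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden Copy-Item "$env:APPDATA\Signal\sql\db.sqlite" C:\Users\Public\db.sqlite'},
    {"pid": 4212, "image": r"C:\Users\alice\AppData\Local\Programs\signal-desktop\Signal.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Programs\signal-desktop\Signal.exe"'},
    {"pid": 4300, "image": r"C:\Windows\System32\Robocopy.exe",
     "cmdline": r"Robocopy.exe C:\Users\alice\Documents D:\backup /E"},
]


def flag_event(event: dict) -> bool:
    """True when a listed tool's command line references the Signal profile.
    Signal.exe touching its own directory is normal and is not flagged."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image not in COLLECTION_TOOLS:
        return False
    return SIGNAL_PROFILE_RE.search(event["cmdline"]) is not None


def hunt(events: list) -> list:
    """Return the pids of flagged events, in input order."""
    return [e["pid"] for e in events if flag_event(e)]


if __name__ == "__main__":
    print("flagged pids:", hunt(SAMPLE_EVENTS))
```

The command-line match only catches tooling that names the path, which the three techniques on the page do; a custom collector that opens the database directly would not be in the tool list, so pair this with file-access auditing on the profile directory and treat any reader other than Signal.exe as worth a look.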
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3828182/russian-cyberespionage-groups-target-signal-users-with-fake-group-invites.html