One Article Review

Home - The article:
Source: Cyble
Identifier 8649243
Publication date 2025-02-20 13:21:16 (viewed: 2025-02-20 14:08:08)
Title Russia-Linked Actors Exploiting Signal Messenger's "Linked Devices" Feature for Espionage in Ukraine (Repost)
Text: Overview

Google Threat Intelligence Group (GTIG) has identified multiple Russia-aligned threat actors actively targeting Signal Messenger accounts as part of a multi-year cyber espionage operation. The campaign, likely driven by Russia's intelligence-gathering objectives during its invasion of Ukraine, aims to compromise the secure communications of military personnel, politicians, journalists, and activists.

The tactics observed in this campaign include phishing attacks abusing Signal's linked devices feature, malicious JavaScript payloads, and malware designed to steal Signal messages from compromised Android and Windows devices. While the focus remains on Ukrainian targets, the threat is expected to expand globally as adversaries refine their techniques.

Google has partnered with Signal to introduce security enhancements that mitigate these attack vectors, urging users to update to the latest version of the app.

Tactics Used to Compromise Signal Accounts

Exploiting Signal's "Linked Devices" Feature

Russia-aligned threat actors have manipulated Signal's legitimate linked devices functionality to gain persistent access to victim accounts. By tricking users into scanning malicious QR codes, attackers can link an actor-controlled device to the victim's account, enabling real-time message interception without full device compromise.

The phishing methods used to deliver these malicious QR codes include:
- Fake Signal group invites containing altered JavaScript redirects.
- Phishing pages masquerading as Ukrainian military applications.
Rating ★★
Sent Yes
Tags Malware Tool Vulnerability Threat Mobile Cloud Conference
Stories APT 44


Reposts of the article (1):
Source: Mandiant
Identifier 8648980
Publication date 2025-02-19 14:00:00 (viewed: 2025-02-19 12:07:48)
Title Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger
Text: Written by: Dan Black
Google Threat Intelligence Group (GTIG) has observed increasing efforts from several Russia state-aligned threat actors to compromise Signal Messenger accounts used by individuals of interest to Russia's intelligence services. While this emerging operational interest has likely been sparked by wartime demands to gain access to sensitive government and military communications in the context of Russia's re-invasion of Ukraine, we anticipate the tactics and methods used to target Signal will grow in prevalence in the near term and proliferate to additional threat actors and regions outside the Ukrainian theater of war. Signal's popularity among common targets of surveillance and espionage activity (such as military personnel, politicians, journalists, activists, and other at-risk communities) has positioned the secure messaging application as a high-value target for adversaries seeking to intercept sensitive information that could fulfil a range of different intelligence requirements. More broadly, this threat also extends to other popular messaging applications such as WhatsApp and Telegram, which are also being actively targeted by Russian-aligned threat groups using similar techniques. In anticipation of a wider adoption of similar tradecraft by other threat actors, we are issuing a public warning regarding the tactics and methods used to date to help build public awareness and help communities better safeguard themselves from similar threats. We are grateful to the team at Signal for their close partnership in investigating this activity. The latest Signal releases on Android and iOS contain hardened features designed to help protect against similar phishing campaigns in the future. Update to the latest version to enable these features.
Phishing Campaigns Abusing Signal's "Linked Devices" Feature

The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is the abuse of the app's legitimate "linked devices" feature that enables Signal to be used on multiple devices concurrently. Because linking an additional device typically requires scanning a quick-response (QR) code, threat actors have resorted to crafting malicious QR codes that, when scanned, will link a victim's account to an actor-controlled Signal instance. If successful, future messages will be delivered synchronously to both the victim and the threat actor in real time, providing a persistent means to eavesdrop on the victim's secure conversations without the need for full-device compromise.
Rating ★★
Sent Yes
Tags Malware Threat Mobile Cloud Commercial
Stories APT 44


The article does not appear to be a repost of an earlier one.