Russian State Hackers Target Signal to Spy on Ukrainians – Source: www.infosecurity-magazine.com

Source: www.infosecurity-magazine.com – Author: Phil Muncaster

Russian state-aligned threat actors are ramping up efforts to spy on Ukrainian military and government officials via their secure messaging applications, including Signal Messenger and WhatsApp, Google revealed today.

One of the main ways these groups are targeting Signal Messenger is by abusing the “linked devices” feature, which enables the app to be used on multiple devices at the same time.

“Because linking an additional device typically requires scanning a QR code, threat actors have resorted to crafting malicious QR codes that, when scanned, will link a victim’s account to an actor-controlled Signal instance,” Google explained.

“If successful, future messages will be delivered synchronously to both the victim and the threat actor in real-time, providing a persistent means to eavesdrop on the victim’s secure conversations without the need for full-device compromise.”

These QR codes are often disguised as Signal group invites or legitimate device-pairing instructions from the Signal website. On other occasions they are embedded in phishing pages designed to spoof specialized apps used by the victims, such as the Kropyva application used by Ukrainian soldiers for artillery guidance, the report continued.

Russian soldiers have also been conscripted to “link Signal accounts on devices captured on the battlefield back to actor-controlled infrastructure for follow-on exploitation,” Google claimed.

It’s not just Signal that has been targeted in this way. The analysis also cites a Microsoft report into efforts by the Star Blizzard (UNC4057) group to compromise WhatsApp accounts by abusing the linked devices feature.

Google warned that the threat to secure messaging applications would “intensify” in the near future.

“When placed in a wider context with other trends in the threat landscape, such as the growing commercial spyware industry and the surge of mobile malware variants being leveraged in active conflict zones, there appears to be a clear and growing demand for offensive cyber capabilities that can be used to monitor the sensitive communications of individuals who rely on secure messaging applications to safeguard their online activity,” it concluded.

How to Lock Down Devices

Google urged high-risk targets to:

  • Enable screen lock on all mobile devices using a long, complex password with a mix of uppercase and lowercase letters, numbers and symbols
  • Install OS updates without delay and always use the latest version of Signal and other messaging apps
  • Ensure Google Play Protect is enabled, to check apps and devices for harmful behavior and issue warnings or block apps known to exhibit malicious behavior
  • Audit linked devices regularly for unauthorized devices by navigating to the “Linked devices” section in the app’s settings
  • Be cautious when interacting with QR codes and web resources purporting to be software updates, group invites or other notifications
  • Use two-factor authentication such as fingerprint, facial recognition, a security key or a one-time code to verify when an account is logged into or linked to a new device
  • Enable Lockdown Mode (on iOS devices)
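
The advice on QR codes can be backed by a check on the decoded QR text before anyone acts on it. The following is an added example, not code from Google, Signal or the article: it compares what a decoded payload would do with what its lure claims to be. The URI shapes (`sgnl://linkdevice`, the older `tsdevice:` form, and `https://signal.group/#...` for group invites) and the `claimed_purpose` labels are assumptions, and the sample payloads are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumed URI shapes (not given in the article): device-linking QR codes decode
# to sgnl://linkdevice?... (older clients: tsdevice:/?...), and group invites
# decode to https://signal.group/#...
def classify_qr_payload(payload: str) -> str:
    """Classify decoded QR text as device-link, group-invite, web-url or other."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme == "tsdevice" or (scheme == "sgnl" and host == "linkdevice"):
        return "device-link"
    if scheme == "https" and host == "signal.group":
        return "group-invite"
    if scheme in ("http", "https"):
        return "web-url"
    return "other"


# Hypothetical analyst labels for what the lure says the code is for.
EXPECTED_KIND = {"group-invite": "group-invite", "link-own-device": "device-link"}


def triage(payload: str, claimed_purpose: str) -> str:
    """Return a verdict by comparing the payload's real action with the claim."""
    kind = classify_qr_payload(payload)
    if kind == "device-link" and claimed_purpose != "link-own-device":
        return "block: would link a new device to the account"
    if EXPECTED_KIND.get(claimed_purpose) == kind:
        return "ok: payload matches claimed purpose (" + kind + ")"
    return "review: payload is '" + kind + "', claimed '" + claimed_purpose + "'"


# Constructed sample payloads (placeholder values, not real identifiers).
SAMPLES = [
    ("https://signal.group/#EXAMPLE_GROUP_TOKEN", "group-invite"),
    ("sgnl://linkdevice?uuid=EXAMPLE&pub_key=EXAMPLE", "group-invite"),
    ("SGNL://LinkDevice?uuid=EXAMPLE&pub_key=EXAMPLE", "software-update"),
    ("https://example.invalid/update", "software-update"),
]

if __name__ == "__main__":
    for sample, claim in SAMPLES:
        print(f"{claim:16} {triage(sample, claim)}")
```

A "block" verdict means the code should only ever be scanned by the account owner while deliberately pairing their own device; any device already added should then be removed from the “Linked devices” screen.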

Original Post URL: https://www.infosecurity-magazine.com/news/russian-hackers-signal-spy/
