At the heart of the attacks is a widely used secure-messaging platform whose built-in device-linking convenience can be turned against its users through social engineering.
Security researchers recently outlined how threat actors have been increasingly abusing Signal Messenger's built-in "linked devices" feature, tricking military and government personnel into scanning malicious QR codes disguised as group invites, security alerts, or even military applications.
Once such a QR code is scanned, the victim's Signal account is silently linked to a threat-actor-controlled instance, allowing the attacker to read the victim's conversations in real time as they arrive, without ever compromising the phone itself.
Three techniques have been observed in the cyber conflict between Russia and Ukraine:
- Remote phishing: Malicious links masquerading as security alerts or as legitimate Signal group invites are sent to targets. The links lead to an attacker-controlled page that presents a device-linking QR code, so that the victim's Signal messages are paired to an attacker-controlled device.
- Tailored phishing: Threat actors use phishing kits built for specific targets, such as one mimicking components of the applications used by armed-forces personnel.
- Exploitation of battlefield-captured devices: The group APT44 (also known as Sandworm) has been observed linking the Signal accounts on devices captured on the battlefield to actor-controlled infrastructure for follow-on exploitation.
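The common thread in the first two techniques is that the payload a victim ends up scanning is a Signal device-link QR code, not the group invite or alert it was dressed up as. The script below is an added example (not code from the page, from Signal, or from Google Threat Intelligence Group) showing how a mail gateway or awareness tool could triage the text decoded from a QR image. It assumes that Signal's device-linking QR encodes a URI of the form sgnl://linkdevice?uuid=...&pub_key=... (the form used by the desktop provisioning flow), that legitimate group invites are https://signal.group/#... links, and that a phishing page may smuggle the link URI inside a web URL's query or fragment. All sample payloads are constructed for the example.

```python
"""Triage text decoded from a QR code for Signal device-link abuse.

Added example, not from the page or from Signal/Google. Assumptions:
  * A Signal device-link QR carries sgnl://linkdevice?uuid=<id>&pub_key=<key>.
  * A legitimate Signal group invite is https://signal.group/#<token>.
  * A phishing page may hide a device-link URI in a web URL's query/fragment.
Sample payloads in triage_samples() are constructed, not observed data.
"""
from typing import Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

LINK_SCHEME = "sgnl"        # assumed Signal provisioning scheme
LINK_HOST = "linkdevice"    # assumed host component of the link URI
GROUP_HOST = "signal.group" # assumed host of genuine group invites


def is_device_link(uri: str) -> bool:
    """True if `uri` is a Signal device-provisioning URI with both parameters."""
    parts = urlsplit(uri.strip())
    if parts.scheme.lower() != LINK_SCHEME or parts.netloc.lower() != LINK_HOST:
        return False
    qs = parse_qs(parts.query)
    return "uuid" in qs and "pub_key" in qs


def find_embedded_device_link(url: str) -> Optional[str]:
    """Return a device-link URI smuggled in a web URL's query or fragment, if any."""
    parts = urlsplit(url)
    candidates = [v for values in parse_qs(parts.query).values() for v in values]
    if parts.fragment:
        candidates.append(parts.fragment)
    for candidate in candidates:
        decoded = unquote(candidate)  # handles double-encoded values
        if is_device_link(decoded):
            return decoded
    return None


def classify_qr_payload(text: str) -> Tuple[str, str]:
    """Return (verdict, reason) for the text decoded from a QR code.

    Verdicts: "block" (would link the account), "allow" (plain group invite),
    "review" (anything else; an open redirect could still land on a link prompt).
    """
    text = text.strip()
    if is_device_link(text):
        return ("block", "Signal device-link URI: scanning it links your account to another device")
    parts = urlsplit(text)
    if parts.scheme.lower() in ("http", "https"):
        smuggled = find_embedded_device_link(text)
        if smuggled:
            return ("block", "web URL carrying a Signal device-link URI: " + smuggled)
        if parts.netloc.lower() == GROUP_HOST and parts.fragment:
            return ("allow", "Signal group invite link")
        return ("review", "external web URL; a redirect could still present a device-link QR")
    return ("review", "not a recognised Signal link")


def triage_samples() -> dict:
    """Run the classifier over constructed payloads; returns {payload: verdict}."""
    samples = [
        # constructed: a raw device-link QR dressed up as a "group invite"
        "sgnl://linkdevice?uuid=AbCdEfGh&pub_key=BYx1ExampleKey",
        # constructed: a genuine-looking group invite
        "https://signal.group/#CjQKIExampleGroupToken",
        # constructed: a "security alert" page smuggling the link URI in its query
        "https://example.invalid/alert?next=sgnl%3A%2F%2Flinkdevice%3Fuuid%3DAbc%26pub_key%3DXyz",
        # constructed: an ordinary external page
        "https://example.invalid/notice",
    ]
    return {s: classify_qr_payload(s)[0] for s in samples}


if __name__ == "__main__":
    for payload, verdict in triage_samples().items():
        print(f"{verdict:6s} {payload}")
```

The useful property is that the verdict depends on what the QR actually encodes, not on how the surrounding message describes it. A URL that merely redirects to a page showing a link QR cannot be resolved offline, which is why it lands in "review" rather than "allow".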
According to Dan Black, Principal Analyst at Google Threat Intelligence Group, which disclosed the findings, the campaign is an example of the abuse of tools that the public increasingly relies on for secure and private communication. It is “highly likely that these tactics will proliferate outside of Ukraine and see more global use in the near-term future,” Black opined.
In response to these findings, Signal has pushed updates to its Android and iOS apps, available through the official app stores, to address the abuse of the linked-devices flow. Signal users should update to the latest version of the app on their mobile devices and review Settings > Linked Devices, removing any device they do not recognise.