Pierluigi Paganini@Security Affairs
//
A hacker has successfully breached TeleMessage, an Israeli company that provides modified versions of secure messaging apps such as Signal, WhatsApp and Telegram to the U.S. government. The breach resulted in the exfiltration of sensitive data, including archived messages from these modified apps. TeleMessage has suspended all services and is currently investigating the incident. The breach highlights the risks of modifying secure messaging applications, in particular that end-to-end encryption is lost once messages are copied out of the app for archiving.
The compromised data includes the contents of direct messages and group chats, as well as contact information for government officials. 404 Media reported that the hack exposed data related to U.S. Customs and Border Protection (CBP), the cryptocurrency exchange Coinbase, and several other financial institutions. The hacker claimed the entire process of accessing TeleMessage’s systems took only 15-20 minutes, underscoring the ease with which the security was circumvented. Despite the breach, there are reports that messages from top US government officials and cabinet members were not compromised.
TeleMessage, which was recently in the spotlight after former U.S. National Security Advisor Mike Waltz was seen using their modified version of Signal, offers archiving services for messages. However, the hack revealed that the archived chat logs were not end-to-end encrypted between the modified app and the ultimate archive destination controlled by the TeleMessage customer. Smarsh, the parent company of TeleMessage, has engaged an external cybersecurity firm to support the investigation and has temporarily suspended all TeleMessage services as a precaution. A Coinbase spokesperson stated that the company is closely monitoring the situation, but has not found any evidence of sensitive customer information being accessed or accounts being at risk.
References:
- securityaffairs.com: SecurityAffairs: A hacker stole data from TeleMessage, the firm that sells modified versions of Signal to the U.S. gov
- Talkback Resources: A hacker stole data from TeleMessage, the firm that sells modified versions of Signal to the U.S. gov [app]
- www.techradar.com: TeleMessage, the Signal-esque app used by the Trump administration, has been hacked
- www.metacurity.com: A hacker stole content from the Telemessage system used by the US government
- TechCrunch: TeleMessage, a modified Signal clone used by US govt. officials, has been hacked
- The DefendOps Diaries: TeleMessage Breach: Unveiling the Risks of Modified Secure Messaging Apps
- techcrunch.com: TeleMessage, a modified Signal clone used by US government officials, has been hacked
- Risky Business Media: Trump admin’s Signal clone gets hacked, messages exposed
- The Register - Security: Signal chat app clone used by Signalgate's Waltz was apparently an insecure mess
- siliconangle.com: The security of U.S. government officials’ communications has come under the spotlight again after a modified Signal app used to archive data from third-party messaging apps was hacked in less than 30 minutes.
- WIRED: Signal Clone Used by Mike Waltz Pauses Service After Reports It Got Hacked
- CyberInsider: Signal Clone App Used by Trump Officials Breached in Minutes
- Metacurity: Criminal scam network run by Darcula exposed by journalists, DragonForce takes credit for Co-op attack, NoName attacked Romanian gov't websites on election day, US indicts Black Kingdom ransomware dev, Trump wants to slash nearly $500m from CISA, Qilin claims Cobb Co. attack, much more
- arstechnica.com: TeleMessage, a company that provides modified versions of Signal for message archiving, has suspended its services after a reported hack, exposing communications from U.S. government officials.
- hackread.com: TM SGNL, a chat app by US-Israeli firm TeleMessage used by Trump officials, halts operations after a breach…
- www.404media.co: A hacker has exploited a vulnerability in TeleMessage, a company that provides modified versions of encrypted messaging apps, to extract archived messages and data related to U.S. government officials and companies that used the service, according to a report by 404 Media.
- www.csoonline.com: The Israeli company behind the obscure messaging app former US national security advisor Mike Waltz was photographed using on his iPhone last week was recently hacked, it has been alleged.
- Metacurity: You ask yourself how the Trump administration's insane messing around with the Signal app and its clones could get any worse, and then the universe tells you how. The Signal Clone the Trump Admin Uses Was Hacked
- Dropsafe: US Gov’t Signal-clone with backdoor for message retention, hacked, messages leaked | …I really hope #Ofcom are watching re: the impact of proposed client side scanning
- BleepingComputer: Unofficial Signal app used by Trump officials investigates hack
- arstechnica.com: Signal clone used by Trump official stops operations after report it was hacked
- Israeli Encrypted Messaging Archiving Platform Used by U.S. Officials Compromised in Cyberattack
- www.insicurezzadigitale.com: Signal clone: app used by a former Trump administration official suspended after hack
- bsky.app: TeleMessage, the Signal clone used by US government officials, suffers hack
- Privacy ? Graham Cluley: TeleMessage, the Signal clone used by US government officials, suffers hack
- WIRED: The Signal clone Mike Waltz Was Caught Using Has Direct Access to User Chats
- WIRED: Customs and Border Protection Confirms Its Use of Hacked Signal Clone TeleMessage
- Metacurity: TeleMessage suspends service following reported hack
do son@securityonline.info
//
Cybercriminals are actively exploiting the Signal messaging application to distribute an information-stealing Remote Access Trojan (RAT), raising serious privacy concerns. According to a recently published report, a group tracked as UAC-0200 is behind the campaign, which targets high-value individuals within Ukraine's defense sector. The Computer Emergency Response Team of Ukraine (CERT-UA) has issued warnings about this campaign, which uses the Dark Crystal RAT (aka DCRat) to compromise systems.
The activity involves sending Signal messages that appear to contain meeting minutes. The messages are sent from compromised accounts to lend credibility and entice recipients to download malicious archive files. Each archive contains a decoy PDF and an executable that deploys DCRat, giving the attackers remote access and control of the system, the ability to steal information, and the ability to execute arbitrary commands. CERT-UA attributes the activity to UAC-0200, which has been active since summer 2024, and notes that the use of popular messengers enlarges the attack surface, including by creating uncontrolled information-exchange channels.
References:
- cyberinsider.com: Ukraine Warns Signal Used for Spreading RATs on High-Value Targets
- securityonline.info: CERT-UA Alert: DarkCrystal RAT Deployed via Signal in Ukraine
- SOC Prime Blog: Detect UAC-0200 Attacks Using DarkCrystal RAT
- The DefendOps Diaries: Russian Cyber Espionage Targets Ukrainian Military via Signal
- BleepingComputer: Ukrainian military targeted in new Signal spear-phishing attacks
- BleepingComputer: Ukraine's Computer Emergency Response Team (CERT-UA) is warning about highly targeted attacks employing compromised Signal accounts to send malware to employees of defense industry firms and members of the country's army forces.
- securityaffairs.com: CERT-UA warns of cyber espionage against the Ukrainian defense industry using Dark Crystal RAT
- The Hacker News: CERT-UA Warns: Dark Crystal RAT Targets Ukrainian Defense via Malicious Signal Messages
- Sam Bent: Report: Cybercriminals Leverage Signal App to Deploy Info-Stealing RAT, Raising Privacy Concerns
- bsky.app: CERT-UA warns of cyber espionage against the Ukrainian defense industry using Dark Crystal RAT
- www.scworld.com: Attackers, tracked under the UAC-0200 threat cluster, leveraged the Signal messaging app to deliver messages purportedly containing minutes of the meeting reports as archive files.
Pierluigi Paganini@securityaffairs.com
//
Russian state-aligned hackers are exploiting the "Linked Devices" feature in Signal Messenger to conduct cyber-espionage campaigns. Google's Threat Intelligence Group (GTIG) has uncovered these campaigns, revealing that the hackers use phishing to gain unauthorized access to Signal accounts by tricking users into linking their accounts to devices controlled by the attackers.
The phishing campaigns abuse the legitimate "Linked Devices" feature, including through malicious device-linking QR codes, to persuade targets of interest to link their Signal account to an attacker-controlled device. Once linked, the attacker receives the victim's messages and the confidentiality of their communications is lost.
References:
- cyberinsider.com: Russian Hackers Exploit Signal’s Linked Devices to Spy on Users
- BleepingComputer: Russian threat actors have been launching phishing campaigns that exploit the legitimate "Linked Devices" feature in the Signal messaging app to gain unauthorized access to accounts of interest.
- CyberInsider: Google's Threat Intelligence Group (GTIG) has uncovered a series of cyber-espionage campaigns by Russian state-aligned hackers targeting Signal Messenger accounts.
- securebulletin.com: Russia-Aligned actors intensify targeting of Signal Messenger
- securityaffairs.com: Russia-linked threat actors exploit Signal messenger
- Talkback Resources: Russian Groups Target Signal Messenger in Spy Campaign [app] [social]
- cloud.google.com: Russian Threat Actors targeting Signal messenger accounts used by individuals of interest to Russia's intelligence services. The goal seems to be espionage or military reconnaissance in context of war in Ukraine.
- bsky.app: Russian Threat Actors targeting Signal messenger accounts used by individuals of interest to Russia's intelligence services. The goal seems to be espionage or military reconnaissance in context of war in Ukraine. https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger
- cyble.com: Russia-Linked Actors Exploiting Signal Messenger’s “Linked Devices” Feature for Espionage in Ukraine
- Talkback Resources: State-aligned threat actors, particularly from Russia, are targeting Signal Messenger accounts through phishing campaigns to access sensitive government and military communications, exploiting the app's "linked devices" feature for eavesdropping on secure conversations.
- cyberscoop.com: Russian-aligned threat groups dupe Ukrainian targets via Signal
- Talkback Resources: Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger [social]
- Threats | CyberScoop: Russia-aligned threat groups dupe Ukrainian targets via Signal
- www.onfocus.com: Google Threats on Signals of Trouble
- cyberriskleaders.com: Russian Hackers Targeting Ukrainian Signal Users with Malicious QR Codes
- arstechnica.com: Russia-aligned hackers are targeting Signal users with device-linking QR codes. Swapping QR codes in group invites and artillery targeting are the latest ploys.
- MeatMutts: Google Warns of Russian Hacking Campaign Targeting Ukraine’s Military on Signal
- Talkback Resources: Hackers Exploit Signal's Linked Devices Feature to Hijack Accounts via Malicious QR Codes
- thecyberexpress.com: Russian state-sponsored hackers are ramping up efforts to compromise Signal messenger accounts, particularly those used by Ukrainian military personnel, government officials, and other key figures.
@cyberinsider.com
//
Social media platform X (formerly Twitter) has begun blocking links to Signal.me, a domain the encrypted messaging platform Signal uses for sharing contact information. The restriction applies across public posts, direct messages, and even user bios. Users attempting to share a Signal.me link encounter error messages citing spam or malware risks, which suggests the platform is flagging these links as potentially malicious or spam.
According to reports and tests, the error message reads: "This request looks like it might be automated. To protect our users from spam and other malicious activity, we can't complete this action right now. Please try again later."
References:
- Ars OpenForum: X is reportedly blocking links to secure Signal contact pages.
- cyberinsider.com: Social media platform X (formerly Twitter) has begun blocking links to Signal.me, a domain used by the encrypted messaging platform Signal to facilitate direct user contact.
- BleepingComputer: Social network X (formerly Twitter) is blocking links to Signal.me, a URL used by the encrypted messaging app Signal to share your account info with another person.
- www.bleepingcomputer.com: X (formerly Twitter) has begun blocking links to Signal.me, a domain used by the encrypted messaging platform Signal to facilitate direct user contact. The restriction applies to public posts, direct messages, and even user bios, triggering various error messages when users attempt to share a Signal.me link.
- CyberInsider: CyberInsider article about X blocking links to Signal.me.
- readwrite.com: ReadWrite article stating that Elon Musk's X social media platform appears to be blocking links to Signal, the secure message service portal.
- The Verge: The Verge article explaining that X is blocking links to Signal.