CyberSecurity news

FlagThis - #signal

do son@securityonline.info //
Cybercriminals are actively exploiting the Signal messaging application to distribute an information-stealing Remote Access Trojan (RAT), raising serious privacy concerns. According to a recently published report, a cybercriminal group identified as UAC-0200 is behind the campaign, which targets high-value individuals within Ukraine's defense sector. The Computer Emergency Response Team of Ukraine (CERT-UA) has issued warnings about this campaign, which uses the Dark Crystal RAT (aka DCRat) to compromise systems.

This malicious activity involves distributing messages via Signal that contain what appear to be meeting minutes. These messages are sent from compromised accounts to enhance credibility, enticing unsuspecting users to download malicious archive files. The archives contain a decoy PDF and an executable that deploys the DCRat malware, which gives attackers remote access and control and lets them steal valuable information and execute arbitrary commands. CERT-UA attributes this activity to UAC-0200, active since summer 2024, and notes that the use of popular messengers increases the attack surface, including through the creation of uncontrolled information exchange channels.

References :
  • cyberinsider.com: Ukraine Warns Signal Used for Spreading RATs on High-Value Targets
  • securityonline.info: CERT-UA Alert: DarkCrystal RAT Deployed via Signal in Ukraine
  • SOC Prime Blog: Detect UAC-0200 Attacks Using DarkCrystal RAT
  • The DefendOps Diaries: Russian Cyber Espionage Targets Ukrainian Military via Signal
  • BleepingComputer: Ukrainian military targeted in new Signal spear-phishing attacks
  • BleepingComputer: Ukraine's Computer Emergency Response Team (CERT-UA) is warning about highly targeted attacks employing compromised Signal accounts to send malware to employees of defense industry firms and members of the country's army forces.
  • securityaffairs.com: CERT-UA warns of cyber espionage against the Ukrainian defense industry using Dark Crystal RAT
  • The Hacker News: CERT-UA Warns: Dark Crystal RAT Targets Ukrainian Defense via Malicious Signal Messages
  • Sam Bent: Report: Cybercriminals Leverage Signal App to Deploy Info-Stealing RAT, Raising Privacy Concerns
  • bsky.app: CERT-UA warns of cyber espionage against the Ukrainian defense industry using Dark Crystal RAT
  • www.scworld.com: Attackers, tracked under the UAC-0200 threat cluster, leveraged the Signal messaging app to deliver messages purportedly containing minutes of the meeting reports as archive files.
Classification:
Pierluigi Paganini@securityaffairs.com //
Russian state-aligned hackers are exploiting the "Linked Devices" feature in Signal Messenger to conduct cyber-espionage campaigns. Google's Threat Intelligence Group (GTIG) has uncovered these campaigns, revealing that the hackers are using phishing tactics to gain unauthorized access to Signal accounts. These campaigns involve tricking users into linking their devices to systems controlled by the attackers.

Russian threat actors are launching phishing campaigns that exploit the legitimate "Linked Devices" feature in the Signal messaging app to gain unauthorized access to accounts of interest. The hackers employ sophisticated methods to trick targets into linking their Signal account to a device controlled by the attacker, compromising their secure communications.

References :
  • cyberinsider.com: Russian Hackers Exploit Signal’s Linked Devices to Spy on Users
  • BleepingComputer: Russian threat actors have been launching phishing campaigns that exploit the legitimate "Linked Devices" feature in the Signal messaging app to gain unauthorized access to accounts of interest.
  • www.bleepingcomputer.com: Russian threat actors have been launching phishing campaigns that exploit the legitimate "Linked Devices" feature in the Signal messaging app to gain unauthorized access to accounts of interest.
  • CyberInsider: Google's Threat Intelligence Group (GTIG) has uncovered a series of cyber-espionage campaigns by Russian state-aligned hackers targeting Signal Messenger accounts.
  • securebulletin.com: Russia-Aligned actors intensify targeting of Signal Messenger
  • securityaffairs.com: Russia-linked threat actors exploit Signal messenger
  • Talkback Resources: Russian Groups Target Signal Messenger in Spy Campaign [app] [social]
  • cloud.google.com: Russian Threat Actors targeting Signal messenger accounts used by individuals of interest to Russia's intelligence services. The goal seems to be espionage or military reconnaissance in context of war in Ukraine.
  • bsky.app: Russian Threat Actors targeting Signal messenger accounts used by individuals of interest to Russia's intelligence services. The goal seems to be espionage or military reconnaissance in context of war in Ukraine. https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger
  • cyble.com: Russia-Linked Actors Exploiting Signal Messenger’s “Linked Devices” Feature for Espionage in Ukraine
  • Talkback Resources: State-aligned threat actors, particularly from Russia, are targeting Signal Messenger accounts through phishing campaigns to access sensitive government and military communications, exploiting the app's "linked devices" feature for eavesdropping on secure conversations.
  • cyberscoop.com: Russian-aligned threat groups dupe Ukrainian targets via Signal
  • Talkback Resources: Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger [social]
  • Threats | CyberScoop: Russia-aligned threat groups dupe Ukrainian targets via Signal
  • www.onfocus.com: Google Threats on Signals of Trouble
  • cyberriskleaders.com: Russian Hackers Targeting Ukrainian Signal Users with Malicious QR Codes
  • arstechnica.com: Russia-aligned hackers are targeting Signal users with device-linking QR codes. Swapping QR codes in group invites and artillery targeting are latest ploys.
  • MeatMutts: Google Warns of Russian Hacking Campaign Targeting Ukraine’s Military on Signal
  • Talkback Resources: Hackers Exploit Signal's Linked Devices Feature to Hijack Accounts via Malicious QR Codes
  • thecyberexpress.com: Russian state-sponsored hackers are ramping up efforts to compromise Signal messenger accounts, particularly those used by Ukrainian military personnel, government officials, and other key figures.
Classification:
  • HashTags: #SignalMessenger #CyberEspionage #RussianHackers
  • Company: Google
  • Target: Signal Users
  • Attacker: Russian APT
  • Product: Signal
  • Feature: Linked Devices
  • Malware: Linked Signal Devices
  • Type: Espionage
  • Severity: Major
@cyberinsider.com //
Social media platform X (formerly Twitter) has begun blocking links to Signal.me, a domain used by the encrypted messaging platform Signal. This restriction applies across public posts, direct messages, and even user bios. Users attempting to share a Signal.me link are encountering error messages, suggesting the platform is flagging these links as potentially malicious or spam.

X is reportedly blocking links to secure Signal contact pages. According to reports and tests conducted, users are seeing error messages citing spam or malware risks when attempting to post Signal.me links. The error message reads: "This request looks like it might be automated. To protect our users from spam and other malicious activity, we can't complete this action right now. Please try again later."

References :
  • Ars OpenForum: X is reportedly blocking links to secure Signal contact pages.
  • cyberinsider.com: Social media platform X (formerly Twitter) has begun blocking links to Signal.me, a domain used by the encrypted messaging platform Signal to facilitate direct user contact.
  • BleepingComputer: Social network X (formerly Twitter) is blocking links to Signal.me, a URL used by the encrypted messaging app Signal to share your account info with another person.
  • www.bleepingcomputer.com: X (formerly Twitter) has begun blocking links to Signal.me, a domain used by the encrypted messaging platform Signal to facilitate direct user contact. The restriction applies to public posts, direct messages, and even user bios, triggering various error messages when users attempt to share a Signal.me link.
  • CyberInsider: CyberInsider article about X blocking links to Signal.me.
  • readwrite.com: ReadWrite article stating that Elon Musk's X social media platform appears to be blocking links to Signal, the secure message service portal.
  • The Verge: The Verge article explaining that X is blocking links to Signal.
Classification:
  • HashTags: #Signal #EncryptedMessaging #SecurityConcerns
  • Company: Signal
  • Target: Signal Users
  • Product: Encrypted Messaging
  • Feature: Messaging Links
  • Malware: Signal.me
  • Type: Hack
  • Severity: Medium