CyberBakery Chronicles
Welcome to this week’s edition of CyberBakery Chronicles, your trusted source for the latest news in digital security. Whether you're an enthusiastic novice or a seasoned expert, our insightful content aims to keep you informed and engaged.

Your Weekly Cybersecurity Update (28 Feb 2025)
Google's Threat Intelligence Group (GTIG) has observed a surge in efforts by multiple Russian state-aligned threat actors to compromise Signal Messenger accounts, particularly those belonging to individuals of interest to Russian intelligence services.
These groups are abusing Signal's "linked devices" feature: a malicious QR code links the victim's account to an attacker-controlled device, after which the attacker receives the victim's conversations in real time. The technique is effective because it leaves a low signature and is hard to detect.
GTIG has identified several threat actors involved in these campaigns, including:
- UNC5792: modifies legitimate Signal group invite pages to redirect victims to malicious URLs that link their accounts to attacker devices.
- UNC4221: operates a tailored Signal phishing kit that mimics applications used by the Ukrainian military, embedding malicious QR codes or redirecting victims to fake device-linking instructions.
- APT44 (Sandworm): has been observed using malware and scripts to steal Signal database files from compromised Android and Windows devices.
- Turla: this Russian threat actor uses PowerShell scripts to exfiltrate Signal Desktop messages.
- UNC1151: this Belarus-linked group uses command-line utilities to stage Signal Desktop files for exfiltration.
The targeting of Signal, along with other messaging apps like WhatsApp and Telegram, highlights a growing trend of state-sponsored actors seeking to intercept secure communications. GTIG recommends users take several precautions, including:
- Enabling strong screen locks on mobile devices.
- Keeping operating systems and messaging apps updated.
- Regularly auditing linked devices.
- Exercising caution with QR codes and suspicious links.
- Using two-factor authentication.
This increased activity underscores the importance of heightened security awareness and proactive measures to protect against these sophisticated attacks.
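The Turla and UNC1151 items above both come down to a process other than Signal Desktop reading Signal Desktop's local files. The following is an added detection sketch for that pattern, not code from GTIG, Signal or the newsletter. It assumes endpoint file-access telemetry is available as simple "timestamp|host|process|path" records (a constructed format; the sample lines are invented) and that Signal Desktop keeps its data under the default %APPDATA%\Signal directory on Windows, which is an assumption about the install location rather than something the report states.

```python
"""Flag processes other than Signal Desktop itself that read Signal Desktop's
local data (database and config) on Windows endpoints.

Added example; not code from GTIG or Signal. Assumptions (not from the page):
telemetry arrives as "timestamp|host|process|path" records (constructed), and
Signal Desktop stores its data under %APPDATA%\\Signal (default location).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed default Signal Desktop data directory on Windows.
SIGNAL_DATA_DIR_RE = re.compile(r"\\AppData\\Roaming\\Signal\\", re.IGNORECASE)

# The only process expected to open these files during normal use.
ALLOWED_PROCESSES = {"signal.exe"}

# Scripting hosts and copy/archive utilities: the report describes PowerShell
# scripts and command-line tools staging Signal Desktop files, so these raise
# the severity. Any other unexpected process is still flagged as medium.
HIGH_RISK_PROCESSES = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "xcopy.exe", "robocopy.exe",
    "7z.exe", "rar.exe", "tar.exe",
}


@dataclass(frozen=True)
class FileAccessEvent:
    timestamp: str
    host: str
    process: str   # image name, lower-cased, e.g. "powershell.exe"
    path: str      # full path of the file that was opened


@dataclass(frozen=True)
class Finding:
    event: FileAccessEvent
    severity: str  # "high" or "medium"
    reason: str


def parse_event(line: str) -> Optional[FileAccessEvent]:
    """Parse one 'timestamp|host|process|path' record; None if malformed."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) != 4:
        return None
    timestamp, host, process, path = (p.strip() for p in parts)
    return FileAccessEvent(timestamp, host, process.lower(), path)


def assess(event: FileAccessEvent) -> Optional[Finding]:
    """Return a Finding when a non-Signal process touches Signal Desktop data."""
    if not SIGNAL_DATA_DIR_RE.search(event.path):
        return None                      # not Signal data: out of scope
    if event.process in ALLOWED_PROCESSES:
        return None                      # Signal reading its own files
    severity = "high" if event.process in HIGH_RISK_PROCESSES else "medium"
    return Finding(event, severity,
                   f"{event.process} on {event.host} accessed {event.path}")


def scan(lines: List[str]) -> List[Finding]:
    """Run assess() over raw log lines, skipping malformed records."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is not None:
            finding = assess(event)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_LOG = [
    r"2025-02-20T10:01:02Z|WS01|Signal.exe|C:\Users\alice\AppData\Roaming\Signal\sql\db.sqlite",
    r"2025-02-20T10:02:15Z|WS01|powershell.exe|C:\Users\alice\AppData\Roaming\Signal\config.json",
    r"2025-02-20T10:02:16Z|WS01|xcopy.exe|C:\Users\alice\AppData\Roaming\Signal\sql\db.sqlite",
    r"2025-02-20T10:02:40Z|WS01|notepad.exe|C:\Users\alice\AppData\Roaming\Signal\config.json",
    r"2025-02-20T10:03:00Z|WS01|chrome.exe|C:\Users\alice\Downloads\report.pdf",
    "garbled line with no separators",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.event.timestamp} {f.reason}")
```

The allow-list is deliberately tiny: backup agents or EDR sensors that legitimately read the directory should be added to it per environment rather than the check being loosened, since a scripting host or copy utility opening the Signal database is rarely benign on a user workstation.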
Genea, a major Australian fertility services provider, has confirmed a security breach after detecting unauthorized access to its network.
The company is currently investigating the extent of the data breach and working to restore affected systems.
Genea has stated that it will notify individuals if their personal information has been compromised. The breach comes days after a phone and app outage at Genea's clinics, raising questions about the timeline of the cyber incident.
The company has apologized for any concern caused and reassured patients that they are working to minimize disruptions to treatment schedules. Genea is a significant player in the Australian fertility services market, operating 22 clinics across the country.
The Australian government has banned all Kaspersky Lab products and web services from its systems, citing an "unacceptable security risk" due to potential foreign interference, espionage, and sabotage.
The decision, made by the Department of Home Affairs, requires all non-corporate Commonwealth entities to identify, remove, and prevent the future installation of Kaspersky products.
While an exemption exists for national security or regulatory purposes, the ban signals a strong policy stance against the use of Kaspersky software.
Kaspersky has refuted the allegations, claiming the ban is politically motivated and lacks technical justification, and argues that the decision was made without due process or engagement. The move continues a growing trend of Western governments restricting the use of Kaspersky products on national security grounds.

A widespread phishing scam is exploiting PayPal's "new address" feature to send fraudulent purchase notifications to users, tricking them into granting remote access to scammers.
The scam involves adding a fake address to a PayPal account, along with a fabricated purchase confirmation message, which triggers a legitimate PayPal email notification to the account holder.
The email, sent directly from PayPal, includes a fake purchase confirmation for a high-value item, such as a MacBook, and instructs the recipient to call a provided phone number if the purchase was unauthorized.
When victims call the number, scammers pose as PayPal support and convince them to download remote access software, such as ConnectWise ScreenConnect, allowing the scammers to take control of their computers.
The scammers then attempt to steal money, deploy malware, or steal sensitive data.
This scam is made possible by PayPal's lack of character limits in address form fields, allowing scammers to inject their fraudulent messages. PayPal needs to implement character limits to prevent this abuse. Users are advised to ignore these emails and verify any account changes directly through the PayPal website.
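The point of this item is an input-validation one: free-text fields that end up inside a transactional email must be bounded and must not be allowed to carry a message of their own. The following is an added illustration of what a server-side check for address fields could look like; it is not PayPal's code, and the per-field length limits, the lure-word list and the sample addresses are all assumptions constructed for the example.

```python
"""Server-side validation for postal address fields that will be echoed into
customer notification emails. Added example, not PayPal's code; the limits and
heuristics below are assumptions chosen for illustration.
"""
import re
from typing import Dict, List

# Assumed per-field maximum lengths; real forms vary by country and design.
FIELD_LIMITS = {
    "name": 70, "street1": 60, "street2": 60, "city": 40,
    "region": 40, "postcode": 12, "country": 2,
}

# Candidate phone-like runs; a digit-count check below avoids flagging ZIP+4
# style postcodes such as 12345-6789 (nine digits).
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
# Wording typical of the fake purchase notices described above (heuristic).
LURE_RE = re.compile(
    r"\b(call|unauthori[sz]ed|purchase|support|confirm(ed|ation)?|order)\b",
    re.IGNORECASE,
)


def looks_like_phone(value: str) -> bool:
    """True if the text contains a run with at least ten digits, phone-style."""
    return any(sum(ch.isdigit() for ch in m.group()) >= 10
               for m in PHONE_RE.finditer(value))


def validate_address(address: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the address is accepted."""
    problems: List[str] = []
    for field, value in address.items():
        limit = FIELD_LIMITS.get(field)
        if limit is None:
            problems.append(f"{field}: unexpected field")
            continue
        if len(value) > limit:
            problems.append(f"{field}: length {len(value)} exceeds limit {limit}")
        if "\n" in value or "\r" in value:
            problems.append(f"{field}: contains line breaks")
        if URL_RE.search(value):
            problems.append(f"{field}: contains a URL")
        if looks_like_phone(value):
            problems.append(f"{field}: contains a phone number")
        if LURE_RE.search(value):
            problems.append(f"{field}: contains lure wording")
    return problems


# Constructed sample inputs (not real accounts or addresses).
LEGIT_ADDRESS = {
    "name": "Alice Example", "street1": "221B Baker Street",
    "city": "London", "postcode": "NW1 6XE", "country": "GB",
}
INJECTED_ADDRESS = {
    "name": "Alice Example",
    "street1": ("Purchase of MacBook Pro confirmed. If unauthorized call "
                "PayPal support at +1-800-555-0199 immediately"),
    "city": "London", "postcode": "NW1 6XE", "country": "GB",
}

if __name__ == "__main__":
    print("legit:", validate_address(LEGIT_ADDRESS))
    print("injected:", validate_address(INJECTED_ADDRESS))
```

Length limits are the hard control; the phone, URL and lure-word checks are heuristics that cut down what survives the limit, and a rejected field should be logged so that repeated attempts against one account become visible.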
Apple has removed its Advanced Data Protection (ADP) feature, which provides end-to-end encryption for iCloud data, for new users in the United Kingdom.
This decision follows a secret order from the UK government demanding Apple create a backdoor to access encrypted user data.
Apple expressed disappointment with the situation, emphasizing the importance of end-to-end encryption in protecting user privacy, particularly in the face of increasing data breaches.
While existing ADP users in the UK will initially retain the feature, they will eventually be required to disable it to continue using their iCloud accounts.
Apple maintains its commitment to user privacy and hopes to offer enhanced security features in the UK in the future. iMessage, FaceTime, Health data, and iCloud Keychain remain end-to-end encrypted in the UK.
Quick favour: Let’s spread the value! If you find this newsletter useful, don’t keep it to yourself. 👉 Share it with friends and colleagues who could benefit from it. Remember, one share could spark insight, ignite inspiration, or lead to a breakthrough for someone else.
Let’s make 2025 the year of shared knowledge and community growth.