
In late 2019, several Russian entrepreneurs contacted Group-IB's cybercrime investigation department after they encountered unauthorized access to their Telegram messaging. The incidents occurred on both iOS and Android devices, regardless of which federal mobile operator the victim was a client of.
The attack began with the user receiving, via the Telegram service channel (the messenger's official channel, marked with a blue verification checkmark), a confirmation code that the user had not requested. After that, an SMS with an activation code arrived on the victim's smartphone, and almost immediately a notification came to the Telegram service channel that the account had been logged in from a new device.

In all cases known to Group-IB, the attackers logged into the victim's account via the mobile Internet (probably using disposable SIM cards), and in most cases the attackers' IP address was located in Samara.
Access on request
A study by the Group-IB Computer Forensics Laboratory, to which the victims' electronic devices were handed over, showed that the equipment was not infected with spyware or a banking Trojan, the accounts were not hacked, and no SIM card had been swapped. In all cases, the attackers gained access to the victim's messenger using the SMS codes that are sent when logging into an account from a new device.
The procedure works as follows: when the messenger is activated on a new device, Telegram sends a code through the service channel to all of the user's devices, and then (on request) an SMS message is sent to the phone. Knowing this, the attackers themselves initiate the request for the messenger to send an SMS with an activation code, intercept that SMS, and use the received code to authorize successfully in the messenger.
Thus, attackers gain illegal access to all current chats, except for secret ones, as well as to the history of correspondence in those chats, including the files and photos sent in them. Having discovered this, a legitimate Telegram user can forcibly end the attacker's session. Thanks to the protection mechanism Telegram has implemented, the reverse cannot happen: an attacker cannot terminate a real user's older sessions within 24 hours. It is therefore important to detect an extraneous session in time and end it so as not to lose access to your account. Group-IB specialists sent a notification to the Telegram team about their investigation of the situation.
The investigation of the incidents is ongoing, and at the moment it has not been established exactly which scheme was used to bypass the SMS factor. At various times, researchers have given examples of SMS interception using attacks on the SS7 or Diameter protocols used in mobile networks. In theory, such attacks can be carried out with the illegal use of special technical means or with insiders at mobile operators. In particular, there are recent announcements on Darknet hacker forums offering to hack various instant messengers, including Telegram.

“Specialists in different countries, including Russia, have repeatedly stated that social networks, mobile banking and instant messengers can be hacked using a vulnerability in the SS7 protocol, but these were isolated cases of targeted attacks or experimental studies,” comments Sergey Lupanin, Head of the Group-IB Cybercrime Investigation Department. “In a series of new incidents, of which there are already more than 10, it is obvious that the attackers want to put this way of making money on stream. In order to prevent this from happening, it is necessary to increase your own level of digital hygiene: at least use two-factor authentication wherever possible, and add a mandatory second factor to SMS, which is functionally embedded in the same Telegram.”
How to protect yourself?
1. Telegram has already implemented all the necessary cybersecurity options that will reduce the attackers' efforts to nothing.
2. On iOS and Android devices, go to Telegram settings, select the "Privacy" tab, and set "Cloud password/Two-step verification." Detailed instructions on how to enable this option are available on the messenger's official website: https://telegram.org/blog/sessions-and-2-step-verification

3. It is important not to set an e-mail address for recovering this password, since, as a rule, e-mail password recovery also happens via SMS. You can increase the protection of your WhatsApp account in the same way.
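As an added illustration (not part of the original article, and not Telegram's own code), the following Python model replays the login flow and the session rules described above with a constructed account, constructed codes and a timeline measured in hours: an intercepted SMS code alone opens a session unless a cloud password is set, a session younger than 24 hours cannot end older sessions, and the owner can end the intruder's session immediately.

```python
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

GRACE_HOURS = 24  # per the article: a new session cannot end older ones for 24 hours

@dataclass
class Session:
    device: str
    created_at: float  # hours on a constructed timeline

@dataclass
class Account:
    cloud_password: Optional[str] = None  # set once two-step verification is enabled
    pending_code: Optional[str] = None
    sessions: List[Session] = field(default_factory=list)

    def request_code(self) -> str:
        """Anyone who enters the phone number can trigger a login code, delivered by SMS."""
        self.pending_code = f"{secrets.randbelow(100000):05d}"  # constructed 5-digit code
        return self.pending_code

    def login(self, device: str, code: str, now: float, password: Optional[str] = None) -> Optional[Session]:
        """The SMS code alone logs in unless a cloud password is set; then it is required too."""
        if self.pending_code is None or code != self.pending_code:
            return None
        self.pending_code = None  # codes are single-use
        if self.cloud_password is not None and password != self.cloud_password:
            return None
        self.sessions.append(Session(device, now))
        return self.sessions[-1]

    def terminate(self, actor: Session, target: Session, now: float) -> bool:
        """A session younger than GRACE_HOURS cannot evict sessions older than itself."""
        if target not in self.sessions or actor is target:
            return False
        if target.created_at < actor.created_at and now - actor.created_at < GRACE_HOURS:
            return False
        self.sessions.remove(target)
        return True

def run_scenario(two_step_enabled: bool) -> dict:
    """Owner logs in at hour 0; a second device presents an intercepted code at hour 100."""
    acct = Account(cloud_password="cloud-pw" if two_step_enabled else None)
    owner = acct.login("owner-phone", acct.request_code(), now=0.0, password="cloud-pw")
    intruder = acct.login("new-device", acct.request_code(), now=100.0)  # code seen in transit, no password
    return {"intruder_logged_in": intruder is not None,
            "intruder_can_evict_owner": bool(intruder) and acct.terminate(intruder, owner, 101.0),
            "owner_can_evict_intruder": bool(intruder) and acct.terminate(owner, intruder, 101.0)}
```

Running run_scenario(False) shows the intruder logged in but unable to evict the owner, while run_scenario(True) shows the intercepted code failing outright once the cloud password is required.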

Source: habr.com
