Recent findings have shed light on an alleged lawful-interception operation that clandestinely intercepted traffic to and from jabber[.]ru (also known as xmpp[.]ru), an instant messaging service based on the XMPP protocol. The interception is believed to have been carried out through servers hosted at Hetzner and Linode (a subsidiary of Akamai) in Germany.
Earlier this week, security researcher ValdikSS reported that the attacker used the Let’s Encrypt service to issue many new Transport Layer Security (TLS) certificates. These certificates were then used to hijack encrypted STARTTLS connections on port 5222 through a transparent man-in-the-middle proxy.
The attack came to light only because one of the Man-in-the-Middle (MiTM) certificates expired and had not been renewed.
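The interception was discovered by accident, when an expired certificate produced a warning. A periodic external check of the certificate presented on port 5222 would have caught the change as soon as the proxy began serving a freshly issued certificate. The script below is an added example, not code from the article or from the jabber.ru operators: it opens an XMPP client stream, upgrades it with STARTTLS, records the leaf certificate's SHA-256 fingerprint, and reports when the fingerprint is not in an operator-maintained pinned set, when the issuer organization differs from the expected one, when the service hostname is missing from the SAN list, or when expiry is near or past. The hostnames, fingerprints and dates in the sample data are constructed placeholders.

```python
"""Added example: monitor the STARTTLS certificate an XMPP server presents.

Not code from the article or the service's operators. Hostnames, fingerprints
and dates used as sample data are constructed placeholders.
"""
import hashlib
import socket
import ssl
import sys
import time

XMPP_TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"


def cert_time(text):
    """Parse a notBefore/notAfter string as returned by getpeercert()."""
    return ssl.cert_time_to_seconds(text)


def _read_until(sock, marker, limit=65536):
    """Read from the socket until `marker` appears or the limit is reached."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("stream closed before %r" % marker)
        buf += chunk
    return buf


def fetch_xmpp_cert(hostname, port=5222, timeout=10):
    """Open a c2s stream, negotiate STARTTLS (RFC 6120 section 5) and return
    (parsed leaf certificate dict, SHA-256 fingerprint hex).

    The default context verifies chain and hostname, so a certificate that
    fails validation (for example an expired one) raises
    ssl.SSLCertVerificationError, the same signal that exposed the incident.
    """
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        raw.sendall((
            "<?xml version='1.0'?><stream:stream xmlns='jabber:client' "
            "xmlns:stream='http://etherx.jabber.org/streams' "
            "to='%s' version='1.0'>" % hostname).encode())
        features = _read_until(raw, b"</stream:features>")
        if b"<starttls" not in features:
            raise RuntimeError("server does not offer STARTTLS")
        raw.sendall(("<starttls xmlns='%s'/>" % XMPP_TLS_NS).encode())
        reply = _read_until(raw, b"/>")
        if b"<proceed" not in reply:
            raise RuntimeError("STARTTLS refused: %r" % reply)
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
            return tls.getpeercert(), hashlib.sha256(der).hexdigest()


def evaluate_cert(cert, fingerprint, hostname, pinned_fingerprints,
                  expected_issuer_org=None, now=None, warn_days=7):
    """Return a list of findings for one observed certificate (empty = OK).

    `cert` has the dict shape returned by ssl.SSLSocket.getpeercert().
    """
    findings = []
    now = time.time() if now is None else now
    not_after = cert_time(cert["notAfter"])
    if not_after < now:
        findings.append("certificate expired on %s" % cert["notAfter"])
    elif not_after - now < warn_days * 86400:
        findings.append("certificate expires within %d days" % warn_days)
    sans = {v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    if hostname not in sans:
        findings.append("hostname %s not in SAN list %s" % (hostname, sorted(sans)))
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    org = issuer.get("organizationName")
    if expected_issuer_org and org != expected_issuer_org:
        findings.append("unexpected issuer organization %r" % org)
    if fingerprint not in pinned_fingerprints:
        # A validly issued but unpinned leaf is exactly what a transparent
        # proxy serving freshly issued ACME certificates looks like.
        findings.append("leaf fingerprint %s is not pinned" % fingerprint[:16])
    return findings


def check_server(hostname, pinned_fingerprints, expected_issuer_org=None):
    """Live check: fetch the certificate and evaluate it; verification
    failures are reported as findings rather than raised."""
    try:
        cert, fingerprint = fetch_xmpp_cert(hostname)
    except ssl.SSLCertVerificationError as exc:
        return ["TLS verification failed: %s" % exc]
    return evaluate_cert(cert, fingerprint, hostname, pinned_fingerprints,
                         expected_issuer_org)


# Constructed sample in getpeercert() shape; the fingerprint is a fake value.
SAMPLE_CERT = {
    "subject": ((("commonName", "jabber.example"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example CA"),),
               (("commonName", "Example R1"),)),
    "notBefore": "Jul 18 00:00:00 2023 GMT",
    "notAfter": "Oct 16 00:00:00 2023 GMT",
    "subjectAltName": (("DNS", "jabber.example"), ("DNS", "xmpp.example")),
}
SAMPLE_FINGERPRINT = "00" * 32

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check against a host you operate
        result = check_server(sys.argv[1], {SAMPLE_FINGERPRINT})
    else:  # offline demonstration on the constructed sample
        result = evaluate_cert(SAMPLE_CERT, "ff" * 32, "jabber.example",
                               {SAMPLE_FINGERPRINT}, "Example CA",
                               now=cert_time("Oct 17 00:00:00 2023 GMT"))
    for line in result or ["OK"]:
        print(line)
```

Run it with the service hostname as the only argument from a vantage point outside the hosting provider's network, and seed the pinned set from the fingerprint the operator obtains directly on the server (the on-box certificate was never replaced in this incident; only the one seen by clients was). Any non-empty result is worth an alert.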
The evidence available so far indicates that the traffic redirection was implemented in the hosting providers' network configuration, which rules out alternative explanations such as a compromise of the server itself or a spoofing attack.
The wiretapping is believed to have lasted roughly six months, starting on April 18 and ending on October 19; it has been verified to have occurred at least from July 21, 2023, until October 19, 2023.
The first sign of possibly illicit activity was observed on October 16, 2023, when one of the system administrators for the UNIX service was shown a certificate-expiry warning while establishing a connection.
The threat actor is thought to have halted the operation after the investigation into the Man-in-the-Middle (MiTM) incident began on October 18, 2023. Who is behind the attack is not yet known, but preliminary indications point to a lawful-interception scenario prompted by a request from the German police.
A less likely but not implausible alternative hypothesis is that the Man-in-the-Middle (MiTM) attack was an intrusion into the internal networks of Hetzner and Linode that specifically targeted jabber[.]ru.
According to the researcher, the way the interception was carried out allowed the attackers to act with the same level of authorization as the legitimate account holder, without knowing the account password.
As a result, the perpetrator could retrieve an account’s roster, read the unencrypted server-side message history for the account’s entire lifetime, and send new messages or modify existing ones in real time.
News4Hackers has initiated contact with Akamai and Hetzner in order to obtain additional comments. We will provide an update to the article if we receive a response from them.
Users of the service should assume that their communications over the last 90 days have been compromised. They should also check their accounts for any newly added, unauthorized OMEMO and PGP keys in their PEP storage, and change their passwords.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he has also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way: he began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. He also writes regularly for Craw Security.