Researchers Uncover Wiretapping of XMPP-Based Instant Messaging Service
28.10.23 Hacking The Hacker News
New findings have shed light on what's said to be a lawful attempt to covertly intercept traffic originating from jabber[.]ru (aka xmpp[.]ru), an XMPP-based instant messaging service, via servers hosted on Hetzner and Linode (a subsidiary of Akamai) in Germany.
"The attacker has issued several new TLS certificates using Let's Encrypt service which were used to hijack encrypted STARTTLS connections on port 5222 using transparent [man-in-the-middle] proxy," a security researcher who goes by the alias ValdikSS said earlier this week.
"The attack was discovered due to the expiration of one of the MiTM certificates, which haven't been reissued."
Evidence gathered so far points to the traffic redirection being configured on the hosting provider network, ruling out other possibilities, such as a server breach or a spoofing attack.
The wiretapping is estimated to have lasted for as long as six months, from April 18 through to October 19, although it's been confirmed to have taken place since at least July 21, 2023, and until October 19, 2023.
Signs of suspicious activity were first detected on October 16, 2023, when one of the UNIX administrators of the service received a "Certificate has expired" message upon connecting to it.
The threat actor is believed to have stopped the activity after the investigation into the MiTM incident began on October 18, 2023. It's not immediately clear who is behind the attack, but it's suspected to be a case of lawful interception based on a German police request.
Another hypothesis, however unlikely but not impossible, is that the MiTM attack is an intrusion on the internal networks of both Hetzner and Linode, specifically singling out jabber[.]ru.
"Given the nature of the interception, the attackers have been able to execute any action as if it is executed from the authorized account, without knowing the account password," the researcher said.
"This means that the attacker could download the account's roster, lifetime unencrypted server-side message history, send new messages or alter them in real time."
The Hacker News has reached out to Akamai and Hetzner for further comment, and we will update the story if we hear back.
Users of the service are recommended to assume that their communications over the past 90 days are compromised, as well as "check their accounts for new unauthorized OMEMO and PGP keys in their PEP storage, and change passwords."