Researchers reveal Wiretapping of XMPP-based instant messaging service

by Vikash Kumawat

New findings have highlighted that traffic originating from Jabber[.]ru (aka XMPP[.]ru), an XMPP-based instant messaging service, flows through servers hosted on Hetzner and Linode (a subsidiary of Akamai) in Germany.

“The attacker issued several new TLS certificates using the Let’s Encrypt service, which were used to hijack encrypted STARTTLS connections on port 5222 using a transparent [man-in-the-middle] proxy,” a security researcher who goes by the alias ValdikSS said earlier this week.

“The attack was detected due to the expiration of one of the MiTM certificates, which has not been reissued.”

The evidence collected so far points to traffic redirection configured within the hosting providers' networks, ruling out other explanations such as a server breach or a spoofing attack.

The wiretapping is estimated to have lasted six months, from April 18 to October 19, although it has only been confirmed for the period from July 21, 2023, to October 19, 2023.

Signs of suspicious activity were first detected on October 16, 2023, when one of the service’s UNIX administrators received a “Certificate has expired” message when connecting to it.

It is believed that the threat actor ceased activity after the investigation into the MiTM incident began on October 18, 2023. It is not immediately clear who is behind the attack, but it is suspected to be a case of lawful interception based on a request by German police.

Another hypothesis, unlikely but not impossible, is that the MiTM attack is an intrusion into the internal networks of both Hetzner and Linode that specifically singles out Jabber[.]ru.

“Given the nature of blocking, attackers are able to execute any action as if it were performed from an authorized account, without knowing the account’s password,” the researcher said.

“This means the attacker can download a roster of accounts, lifetime unencrypted server-side message history, send new messages, or alter them in real time.”

Users of the service are advised to verify that their communications have not been compromised in the past 90 days, as well as “check your accounts for new unauthorized OMEMO and PGP keys in your PEP storage, and change passwords.”
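One way to turn the expiry-based discovery described above into a routine check, as an added example that is not from the article or from ValdikSS's report: the script negotiates XMPP STARTTLS on port 5222, fetches the leaf certificate and compares it with the fingerprint and issue date recorded at the previous run, so a changed fingerprint, a freshly reissued leaf or an expired leaf each become a finding. The host name, the pinned fingerprint and the recorded dates are placeholders.

```python
import hashlib
import socket
import ssl
from datetime import datetime, timezone
STARTTLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

def _recv_until(sock, token):
    """Read until `token` appears in the bytes received so far."""
    data = b""
    while token not in data:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("stream closed before %r" % token)
        data += chunk
    return data

def fetch_starttls_cert(host, port=5222, timeout=10):
    """Open an XMPP c2s stream, negotiate STARTTLS and return (cert_dict, der_bytes)."""
    # Default context verifies the chain; an expired leaf raises SSLCertVerificationError, the symptom seen on Jabber.ru.
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(('<?xml version="1.0"?><stream:stream to="%s" xmlns="jabber:client" '
                  'xmlns:stream="http://etherx.jabber.org/streams" version="1.0">' % host).encode())
    _recv_until(sock, b"</stream:features>")
    sock.sendall(('<starttls xmlns="%s"/>' % STARTTLS_NS).encode())
    reply = _recv_until(sock, b"/>")  # server answers with <proceed .../> or <failure .../>
    if b"<proceed" not in reply:
        raise ConnectionError("STARTTLS refused: %r" % reply)
    tls = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    return tls.getpeercert(), tls.getpeercert(binary_form=True)

def fingerprint(der):
    """SHA-256 of the DER-encoded leaf, the value to pin between audits."""
    return hashlib.sha256(der).hexdigest()

def _cert_time(value):
    """getpeercert() time string ('Oct 18 00:00:00 2023 GMT') to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), timezone.utc)

def audit_cert(cert, der, pinned_sha256=None, last_not_before=None, now=None):
    """Compare the leaf with what the last audit recorded; an empty list means unchanged."""
    now = _cert_time(now) if now else datetime.now(timezone.utc)
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    not_before, not_after = _cert_time(cert["notBefore"]), _cert_time(cert["notAfter"])
    findings = []
    if pinned_sha256 and fingerprint(der) != pinned_sha256.lower():
        findings.append("leaf fingerprint changed: sha256 %s" % fingerprint(der))
    if last_not_before and not_before > _cert_time(last_not_before):
        findings.append("leaf reissued on %s by %s" % (not_before.date(), issuer.get("organizationName", "?")))
    if not_after < now:
        findings.append("leaf expired on %s" % not_after.date())
    return findings
```

Run `fetch_starttls_cert("your.xmpp.host")` on a schedule and pass the result to `audit_cert` with the fingerprint and notBefore saved from the previous run; a reissue you did not perform yourself is the signal worth paging on.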
