New findings have highlighted that traffic originating from Jabber[.]ru (aka XMPP[.]ru), an XMPP-based instant messaging service, flows through servers hosted on Hetzner and Linode (a subsidiary of Akamai ) in Germany.
“The attacker issued several new TLS certificates using the Let’s Encrypt service, which were used to hijack encrypted STARTTLS connections on port 5222 using a transparent [man-in-the-middle] proxy,” a security researcher who goes by the alias ValdikSS said earlier this week.
“The attack was detected due to the expiration of one of the MiTM certificates, which has not been reissued.”
The evidence collected so far points towards configuring traffic redirection on the hosting provider network, ruling out other possibilities such as a server breach or spoofing attack.
The wiretapping is estimated to have lasted six months, from April 18 to October 19, although it has been confirmed to last at least from July 21, 2023, to October 19, 2023.
Signs of suspicious activity were first detected on October 16, 2023, when one of the service’s UNIX administrators received a “Certificate has expired” message when connecting to it.
It is believed that the threat actor ceased activity after the investigation into the MiTM incident began on October 18, 2023. It is not immediately clear who is behind the attack, but it is suspected to be a case of lawful interception based on a request by German police.
Another hypothesis, although unlikely but not impossible, is that the MiTM attack is an intrusion on the internal networks of both Hetzner and Linode, which specifically singles out Jabber[.]ru.
“Given the nature of blocking, attackers are able to execute any action as if it were performed from an authorized account, without knowing the account’s password,” the researcher said.
“This means the attacker can download a roster of accounts, lifetime unencrypted server-side message history, send new messages, or alter them in real time.”
Users of the service are advised to verify that their communications have not been compromised in the past 90 days, as well as “check your accounts for new unauthorized OMEMO and PGP keys in your PEP storage, and change passwords.”
