Article Details
Scrape Timestamp (UTC): 2023-10-28 07:24:40.524
Source: https://thehackernews.com/2023/10/researchers-uncover-wiretapping-of-xmpp.html
Original Article Text
Click to Toggle View
Researchers Uncover Wiretapping of XMPP-Based Instant Messaging Service. New findings have shed light on what's said to be a lawful attempt to covertly intercept traffic originating from jabber[.]ru (aka xmpp[.]ru), an XMPP-based instant messaging service, via servers hosted on Hetzner and Linode (a subsidiary of Akamai) in Germany. "The attacker has issued several new TLS certificates using Let's Encrypt service which were used to hijack encrypted STARTTLS connections on port 5222 using transparent [man-in-the-middle] proxy," a security researcher who goes by the alias ValdikSS said earlier this week. "The attack was discovered due to the expiration of one of the MiTM certificates, which haven't been reissued." Evidence gathered so far points to the traffic redirection being configured on the hosting provider network, ruling out other possibilities, such as a server breach or a spoofing attack. The wiretapping is estimated to have lasted for as long as six months, from April 18 through to October 19, although it's been confirmed to have taken place since at least July 21, 2023, and until October 19, 2023. Signs of suspicious activity were first detected on October 16, 2023, when one of the UNIX administrators of the service received a "Certificate has expired" message upon connecting to it. The threat actor is believed to have stopped the activity after the investigation into the MiTM incident began on October 18, 2023. It's not immediately clear who is behind the attack, but it's suspected to be a case of lawful interception based on a German police request. Another hypothesis, however unlikely but not impossible, is that the MiTM attack is an intrusion on the internal networks of both Hetzner and Linode, specifically singling out jabber[.]ru. "Given the nature of the interception, the attackers have been able to execute any action as if it is executed from the authorized account, without knowing the account password," the researcher said. "This means that the attacker could download the account's roster, lifetime unencrypted server-side message history, send new messages or alter them in real time." The Hacker News has reached out to Akamai and Hetzner for further comment, and we will update the story if we hear back. Users of the service are recommended to assume that their communications over the past 90 days are compromised, as well as "check their accounts for new unauthorized OMEMO and PGP keys in their PEP storage, and change passwords."
Daily Brief Summary
A lawful attempt was made to covertly wiretap traffic from XMPP-based instant messaging service jabber[.]ru. The attackers used servers hosted on Hetzner and Linode in Germany.
The attacker issued new TLS certificates through Let's Encrypt service to hijack encrypted STARTTLS connections. The presence of man-in-the-middle (MiTM) attack was detected due to the expiration of one of the MiTM certificates.
Based on evidence collected, it is believed that the traffic redirection was setup on the hosting provider's network, thereby eliminating the likelihoods of a server breach or spoofing attack.
The wiretapping activity lasted roughly six months, from April 18 to October 19. The activity was first deemed suspicious on October 16 when a UNIX administrator received an expiration message.
The actor suspected to be behind the activity is unclear. It is suspected that the attack could be lawful interception based on a German police request, or an intrusion on the internal networks of both Hetzner and Linode.
The attack has allowed the perpetrators to perform any activity as if it originated from the authorized account. It is recommended users assume their previous 90 days of communication is compromised and users should check for unauthorized keys and change passwords.