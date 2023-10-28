New findings have brought to light what appears to be a lawful interception attempt to surreptitiously intercept traffic from jabber[.]ru (also known as xmpp[.]ru), an instant messaging service based on XMPP, via servers hosted on Hetzner and Linode (a subsidiary of Akamai) in Germany.

How the interception of messages based on the XMPP protocol occurred

“The attacker issued several new TLS certificates using the Let’s Encrypt service, which were used to hijack encrypted STARTTLS connections on port 5222 via an open proxy [man-in-the-middle]”, a security researcher who goes by the pseudonym ValdikSS declared this week. “The attack was discovered due to the expiration of one of the MiTM certificates, which was not renewed.”

Evidence gathered so far indicates that network traffic redirection was configured on the hosting provider’s network, ruling out other possibilities, such as a server breach or spoofing attack.
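The STARTTLS hijack described above, as an added example that is not code from the article, from ValdikSS or from jabber[.]ru: a monitoring check that opens an XMPP stream on port 5222, requests STARTTLS, and compares the SHA-256 of the leaf certificate the server presents against fingerprints the operator recorded. Because the interception certificates were issued by Let’s Encrypt, ordinary chain validation accepts them, so the pin mismatch is the signal; the replay socket and server replies are constructed, and host, domain and fingerprint values are assumptions.

```python
import hashlib
import socket
import ssl
import types

XMPP_TLS_NS = b"urn:ietf:params:xml:ns:xmpp-tls"

def _read_until(sock, markers):
    """Read until any marker appears; raise if the peer closes the stream first."""
    buf = b""
    while not any(m in buf for m in markers):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the XMPP stream early")
        buf += chunk
    return buf

def starttls_negotiate(sock, domain):
    """Open the XMPP stream and request STARTTLS; True when the server answers <proceed/>."""
    sock.sendall(b"<?xml version='1.0'?><stream:stream to='" + domain.encode() + b"' version='1.0' "
                 b"xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'>")
    if XMPP_TLS_NS not in _read_until(sock, [b"</stream:features>"]):
        raise RuntimeError("server did not advertise STARTTLS")
    sock.sendall(b"<starttls xmlns='" + XMPP_TLS_NS + b"'/>")
    return b"<proceed" in _read_until(sock, [b"<proceed", b"<failure"])

def classify_cert(der_cert, known_fingerprints):
    """'pinned' if the leaf's SHA-256 matches an operator-recorded value, else 'unexpected'."""
    return "pinned" if hashlib.sha256(der_cert).hexdigest() in known_fingerprints else "unexpected"

def check_xmpp_server(host, domain, known_fingerprints, port=5222):
    """Connect on 5222, run STARTTLS, validate the chain as usual, then check the pin."""
    with socket.create_connection((host, port), timeout=10) as raw:
        if not starttls_negotiate(raw, domain):
            return "starttls-refused"
        with ssl.create_default_context().wrap_socket(raw, server_hostname=domain) as tls:
            return classify_cert(tls.getpeercert(binary_form=True), known_fingerprints)

def replay_socket(replies):
    """Constructed stand-in for a server socket: hands back canned XMPP replies in order."""
    replies = list(replies)
    return types.SimpleNamespace(sendall=lambda _data: None,
                                 recv=lambda _n: replies.pop(0) if replies else b"")

# Constructed server replies: stream header, features offering STARTTLS, then <proceed/>.
SERVER_REPLIES = [
    b"<?xml version='1.0'?><stream:stream xmlns='jabber:client' id='c0ffee' version='1.0'>",
    b"<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/></stream:features>",
    b"<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>",
]
```

Run `check_xmpp_server("xmpp.example.org", "example.org", {"<sha256 hex of your own leaf>"})` from a vantage point outside the hosting network; any result other than "pinned" deserves a look at the certificate transparency logs for certificates you never requested.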

It is estimated that the interception went on for at least six months, approximately from April 18 to October 19, although it has only been confirmed to have occurred from at least July 21, 2023 through October 19, 2023.

Signs of suspicious activity were first detected on October 16, 2023, when one of the service’s UNIX administrators received a “Certificate expired” message when connecting.

The attacker is believed to have stopped its activity after the investigation into the MiTM incident on the XMPP service began on October 18, 2023. It is still unclear who is behind the attack, but it is suspected to be a case of lawful interception based on a request from the German police.

It should be noted, however, that one of the distinctive features of XMPP is its decentralized nature: it is not controlled by a single provider or central entity. Users on different XMPP servers, which may belong to different organizations, can still communicate with each other, and this decentralization is one of the reasons XMPP has been adopted by many instant messaging and online chat services.

Another hypothesis, unlikely but not impossible, is that the MiTM attack was the result of an intrusion into Hetzner’s and Linode’s internal networks, specifically targeting jabber[.]ru.

“Given the type of interception, the attackers were able to perform any action as if it were performed by the authorized account, without knowing the account password”, the researcher declared. “This means that the attacker could download the account’s contact list, the history of unencrypted server-side messages, send new messages or edit them in real time.”

Users of the service are advised to assume that their communications over the past 90 days have been compromised, and to “check their accounts for new unauthorized OMEMO and PGP keys in their PEP storage and to change passwords”.

Conclusion

This case of communications interception on jabber[.]ru raises serious concerns about online security and privacy; the discovery of a MiTM attack that lasted for months highlights the importance of continuously checking the security of messaging services.

The possibility that this was a lawful action by a state (Germany in this case) raises questions about the balance between security and privacy. Users should be vigilant, carefully review their recent communications, and take steps to strengthen the security of their online accounts. The story therefore underlines the need for constant attention to IT security and privacy protection.