XMPP Instant Messaging Service

New findings have shed light on what's said to be a lawful attempt to covertly intercept traffic originating from jabber[.]ru (aka xmpp[.]ru), an XMPP-based instant messaging service, via servers hosted on Hetzner and Linode (a subsidiary of Akamai) in Germany.

"The attacker has issued several new TLS certificates using Let's Encrypt service which were used to hijack encrypted STARTTLS connections on port 5222 using transparent [man-in-the-middle] proxy," a security researcher who goes by the alias ValdikSS said earlier this week.

"The attack was discovered due to the expiration of one of the MiTM certificates, which haven't been reissued."

Cybersecurity

Evidence gathered so far points to the traffic redirection being configured on the hosting provider network, ruling out other possibilities, such as a server breach or a spoofing attack.

The wiretapping is estimated to have lasted for as long as six months, from April 18, 2023, although it's been confirmed to have taken place since at least July 21, 2023, and until October 19, 2023.

Signs of suspicious activity were first detected on October 16, 2023, when one of the UNIX administrators of the service received a "Certificate has expired" message upon connecting to it.

The threat actor is believed to have stopped the activity after an investigation into the MiTM incident began on October 18, 2023. It's not immediately clear who is behind the attack, but it's suspected to be a case of lawful interception based on a German police request.

Another hypothesis, however unlikely but not impossible, is that the MiTM attack is an intrusion on the internal networks of both Hetzner and Linode, specifically singling out jabber[.]ru.

"Given the nature of the interception, the attackers have been able to execute any action as if it is executed from the authorized account, without knowing the account password," the researcher said.

"This means that the attacker could download the account's roster, lifetime unencrypted server-side message history, send new messages or alter them in real time."

The Hacker News has reached out to Akamai and Hetzner for further comment, and we will update the story if we hear back.

Users of the service are recommended to assume that their communications over the past 90 days are compromised, as well as "check their accounts for new unauthorized OMEMO and PGP keys in their PEP storage, and change passwords."

Cybersecurity

The development comes as The Citizen Lab detailed security shortcomings in signaling protocols used by mobile network operators for international roaming can be exploited by surveillance actors, law enforcement, and organized crime groups to geolocate devices.

What's more, vulnerabilities in parsing ASN.1 messages (CVE-2022-43677, CVSS score: 5.5) could be weaponized as an attack vector to cross over from User Plane to Control Plane and even disrupt critical infrastructure that rely on 5G technologies.

"The CVE-2022-43677 vulnerability exploits weak CUPS implementation in free5gc to trigger a Control Plane denial-of-service (DoS) through user traffic," Trend Micro researcher Salim S.I. said in a report published this month.

"A successful DoS attack on the packet core disrupts the connectivity of the entire network. In critical sectors such as defense, policing, mining, and traffic control, disruption to connectivity [could] lead to dire consequences. In factories that use real-time sensors for manufacturing processes, this could result in defective products being created."


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.