Interception of encrypted jabber.ru and xmpp.ru traffic recorded

The administrator of the Jabber server jabber.ru (xmpp.ru) identified a man-in-the-middle (MITM) attack aimed at decrypting user traffic, carried out for between 90 days and 6 months in the networks of the German hosting providers Hetzner and Linode, which host the project's main server and its auxiliary VPS environments. The attack was organized by redirecting traffic through a transit node that substitutes the TLS certificate for XMPP connections encrypted using the STARTTLS extension.

The attack was noticed because of a mistake by its organizers, who failed to renew the TLS certificate used for the substitution in time. On October 16, the administrator of jabber.ru, when trying to connect to the service, received an error message about an expired certificate, even though the certificate installed on the server had not expired. It turned out that the certificate the client received differed from the one the server was sending. The first fake TLS certificate was obtained on April 18, 2023 from Let's Encrypt: the attacker, being in a position to intercept traffic, was able to pass the validation that confirms control of the domains jabber.ru and xmpp.ru.

At first it was assumed that the project server had been compromised and that the substitution was taking place on the server itself. However, an audit revealed no traces of a break-in. At the same time, the server log showed a brief link-down/link-up event on the network interface (NIC Link is Down / NIC Link is Up) on July 18 at 12:58, which could indicate manipulation of the server's connection to the switch. Notably, two fake TLS certificates had been issued a few minutes earlier, on July 18 at 12:38 and 12:49.

In addition, the substitution was carried out not only in the network of Hetzner, which hosts the main server, but also in the network of Linode, which hosted the VPS environments with auxiliary proxies that forward traffic from other addresses. Indirect evidence showed that traffic to network port 5222 (XMPP STARTTLS) in the networks of both providers was being redirected through an additional host, which gave reason to believe that the attack was carried out by someone with access to the providers' infrastructure.

In theory, the substitution could have been going on since April 18 (the date the first fake certificate for jabber.ru was created), but confirmed cases of certificate substitution were recorded only from July 21 to October 19; encrypted data exchange with jabber.ru and xmpp.ru during that entire period should be considered compromised. The substitution stopped after the investigation began: tests were carried out and a request was sent to the support services of Hetzner and Linode on October 18. At the same time, an additional hop in the route of packets sent to port 5222 of one of the servers in Linode is still observed today, but the certificate is no longer being replaced.

It is assumed that the attack could have been carried out with the knowledge of the providers at the request of law enforcement agencies, as a result of a compromise of both providers' infrastructure, or by an employee who had access to both providers. By being able to intercept and modify XMPP traffic, the attacker could gain access to all account-related data, such as the message history stored on the server, and could also send messages on behalf of users and alter other people's messages. Messages sent using end-to-end encryption (OMEMO, OTR or PGP) can be considered not compromised if the encryption keys were verified by the users on both sides of the connection. Jabber.ru users are advised to change their passwords and to check the OMEMO and PGP keys in their PEP storage for possible substitution.
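The substitution described above was only caught because the attacker's certificate expired; a certificate issued by Let's Encrypt to whoever controls the traffic path passes ordinary chain validation, so a defender has to compare what clients actually receive with what the server is configured to send. The following script, added here as an illustration and not part of the opennet.ru report or of the jabber.ru project, negotiates XMPP STARTTLS on port 5222 the way a client would, records the SHA-256 fingerprint of whatever certificate the far end presents, and compares it with the fingerprint of the certificate file on the server. The host name, domain, PEM path and function names are assumptions chosen for the example; run it from a vantage point outside the hosting provider's network, since a transit node on the server's own uplink sees both directions.

```python
"""Pin-check the certificate presented on an XMPP STARTTLS port.

Example code, not part of the original article or of the jabber.ru project.
Usage: python xmpp_cert_check.py jabber.ru /etc/ssl/certs/jabber.ru-fullchain.pem
"""
import hashlib
import re
import socket
import ssl
import sys

XMPP_TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"


def stream_header(domain: str) -> bytes:
    """Opening stream header a client sends before STARTTLS (RFC 6120)."""
    return (
        "<?xml version='1.0'?>"
        "<stream:stream xmlns='jabber:client' "
        "xmlns:stream='http://etherx.jabber.org/streams' "
        f"to='{domain}' version='1.0'>"
    ).encode()


def starttls_offered(features_xml: str) -> bool:
    """True if the server's <stream:features> advertises STARTTLS."""
    pattern = r"<starttls\b[^>]*xmlns=['\"]" + re.escape(XMPP_TLS_NS) + r"['\"]"
    return re.search(pattern, features_xml) is not None


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER certificate, colon-separated like `openssl x509 -fingerprint`."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def expected_fingerprint_from_pem(pem_text: str) -> str:
    """Fingerprint of the first certificate in a PEM file (the leaf in a fullchain)."""
    return cert_fingerprint(ssl.PEM_cert_to_DER_cert(pem_text))


def _read_until(sock: socket.socket, marker: bytes, limit: int = 65536) -> bytes:
    """Read from the plaintext socket until `marker` appears (XMPP is not line based)."""
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk or len(buf) > limit:
            raise ConnectionError(f"stream closed before {marker!r}")
        buf += chunk
    return buf


def observed_fingerprint(host: str, domain: str, port: int = 5222, timeout: float = 10.0) -> str:
    """Negotiate STARTTLS and return the fingerprint of whatever certificate is presented.

    Verification is deliberately disabled: the point is to see the raw certificate,
    because a substituted certificate from a public CA would validate fine.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(stream_header(domain))
        features = _read_until(raw, b"</stream:features>").decode(errors="replace")
        if not starttls_offered(features):
            raise RuntimeError("server did not offer STARTTLS on this port")
        raw.sendall(f"<starttls xmlns='{XMPP_TLS_NS}'/>".encode())
        reply = _read_until(raw, b"/>")
        if b"<proceed" not in reply:
            raise RuntimeError(f"STARTTLS refused: {reply!r}")
        # SNI carries the domain so a transit node serving several names returns the one we pin.
        with ctx.wrap_socket(raw, server_hostname=domain) as tls:
            return cert_fingerprint(tls.getpeercert(binary_form=True))


def check(expected: str, observed: str) -> str:
    """Verdict string comparing the pinned fingerprint with the observed one."""
    if expected.upper() == observed.upper():
        return "OK: presented certificate matches the one on the server"
    return "MISMATCH: presented certificate differs from the server's (substitution or unexpected rotation)"


if __name__ == "__main__":
    domain_arg, pem_path = sys.argv[1], sys.argv[2]
    with open(pem_path, encoding="ascii") as fh:
        expected = expected_fingerprint_from_pem(fh.read())
    observed = observed_fingerprint(domain_arg, domain_arg)
    print("expected", expected)
    print("observed", observed)
    print(check(expected, observed))
```

Run it on a schedule from a host that is not behind the same uplink, and alert on any MISMATCH that does not coincide with a planned renewal. Because the comparison is against the certificate file itself rather than against the CA chain, it also catches the case reported here, where the substituted certificate was a perfectly valid Let's Encrypt issuance for the same name.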

Source: opennet.ru
