Breaking News: Security Breach at jabber.ru
A recent discovery has revealed a covert operation to intercept traffic to and from jabber.ru, an XMPP-based instant messaging service. The interception was carried out from machines inside the German networks of the service's hosting providers. Let's Encrypt validates a certificate request only by checking that the requester controls traffic to the domain, so whoever could divert jabber.ru's traffic could also obtain valid TLS certificates for it. The attackers did exactly that, then used the certificates to terminate clients' encrypted STARTTLS connections and relay them to the real server.
The attack went undetected for months and came to light only when one of the service's administrators received a client warning about an expired certificate: the attackers' substitute certificate had lapsed. The wiretapping began as early as July 2023 and is estimated to have lasted about six months. Because the traffic was redirected inside the hosting provider's network, other explanations such as a breach of the jabber.ru server itself or spoofing attacks are ruled out.
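How a server operator can catch this kind of substitution: every publicly trusted certificate, Let's Encrypt's included, is published to Certificate Transparency logs, so comparing what the logs show for your domain against the certificates your own ACME client obtained flags issuances you never made. The script below is an added example, not part of the original report and not jabber.ru's tooling. It runs on constructed data in the shape crt.sh returns for `?q=<domain>&output=json`; the domain xmpp.example.org, the serials and the dates are made up for the demonstration.

```python
"""Flag certificates for your XMPP domain that appear in Certificate
Transparency but were not obtained by your own ACME client.

Added example, not part of the original report. The sample data, serials,
dates and the domain xmpp.example.org are constructed for this demo.
"""
import json
from datetime import datetime

# Constructed sample in the shape crt.sh returns for
# https://crt.sh/?q=xmpp.example.org&output=json (no real log data).
SAMPLE_CT_JSON = json.dumps([
    {"id": 101, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "xmpp.example.org",
     "name_value": "xmpp.example.org\nconference.xmpp.example.org",
     "not_before": "2023-03-01T10:00:00", "not_after": "2023-05-30T10:00:00",
     "serial_number": "04aa11"},
    {"id": 102, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "xmpp.example.org",
     "name_value": "xmpp.example.org",            # obtained by someone else
     "not_before": "2023-04-18T09:30:00", "not_after": "2023-07-17T09:30:00",
     "serial_number": "04cc33"},
    {"id": 103, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "xmpp.example.org",
     "name_value": "xmpp.example.org\nconference.xmpp.example.org",
     "not_before": "2023-05-20T10:00:00", "not_after": "2023-08-18T10:00:00",
     "serial_number": "04bb22"},
    {"id": 104, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",  # precert twin of 103
     "common_name": "xmpp.example.org",
     "name_value": "xmpp.example.org\nconference.xmpp.example.org",
     "not_before": "2023-05-20T10:00:00", "not_after": "2023-08-18T10:00:00",
     "serial_number": "04bb22"},
    {"id": 105, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.org",
     "name_value": "www.example.org",              # unrelated host, not watched
     "not_before": "2023-06-01T00:00:00", "not_after": "2023-08-30T00:00:00",
     "serial_number": "04dd44"},
])

# Serials of the certificates our own ACME client actually obtained, as printed
# by `openssl x509 -in cert.pem -noout -serial` (hypothetical values).
OWN_SERIALS = {"04AA11", "04:BB:22"}

# Names for which an unexpected certificate is a hijack indicator.
WATCHED_NAMES = {"xmpp.example.org", "conference.xmpp.example.org"}


def normalize_serial(serial):
    """Canonical form so openssl output and crt.sh output compare equal."""
    s = serial.replace(":", "").strip().lower().lstrip("0")
    return s or "0"


def parse_ct_entries(text):
    """Parse crt.sh JSON; a precertificate and its leaf share a serial, keep one."""
    entries, seen = [], set()
    for raw in json.loads(text):
        serial = normalize_serial(raw["serial_number"])
        if serial in seen:
            continue
        seen.add(serial)
        entries.append({
            "id": raw["id"],
            "issuer": raw["issuer_name"],
            "serial": serial,
            "names": {n.strip().lower() for n in raw["name_value"].split("\n") if n.strip()},
            "not_before": datetime.fromisoformat(raw["not_before"]),
            "not_after": datetime.fromisoformat(raw["not_after"]),
        })
    return entries


def find_unexpected(entries, own_serials, watched_names):
    """Certificates covering a watched name whose serial we never obtained."""
    known = {normalize_serial(s) for s in own_serials}
    watched = {n.lower() for n in watched_names}
    hits = [e for e in entries if e["serial"] not in known and e["names"] & watched]
    return sorted(hits, key=lambda e: e["not_before"])


def concurrent_own_certs(suspect, entries, own_serials):
    """Our own certificates valid at the same time as the suspect one. This
    overlap is what keeps a substitution invisible to users: both chains
    validate, so no client ever shows a warning."""
    known = {normalize_serial(s) for s in own_serials}
    return [e for e in entries
            if e["serial"] in known
            and e["not_before"] <= suspect["not_after"]
            and suspect["not_before"] <= e["not_after"]]


def report(text, own_serials, watched_names):
    """One alert line per certificate we did not request."""
    entries = parse_ct_entries(text)
    lines = []
    for e in find_unexpected(entries, own_serials, watched_names):
        overlap = concurrent_own_certs(e, entries, own_serials)
        lines.append("UNEXPECTED crt.sh id %d serial %s issuer %r valid %s..%s names %s; "
                     "overlaps %d of our own certificates"
                     % (e["id"], e["serial"], e["issuer"], e["not_before"].date(),
                        e["not_after"].date(), sorted(e["names"]), len(overlap)))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CT_JSON, OWN_SERIALS, WATCHED_NAMES):
        print(line)
```

In production the JSON comes from a scheduled fetch of crt.sh or from a CT monitoring service, and any non-empty report should page someone. Two caveats: a CT entry only shows that a certificate was issued, not that it is in use, so it is an indicator to investigate rather than proof of interception; and a CAA record can narrow the problem up front, since Let's Encrypt honours the RFC 8657 accounturi parameter, which restricts issuance to your own ACME account even for a party who controls the domain's traffic.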
What is especially concerning is the level of access the attackers had. Sitting between clients and the server with a certificate that clients accepted, they could act within the service as the logged-in user without knowing any account password: read account rosters, read message history that was not end-to-end encrypted, and send or alter messages in real time.
The culprits are still unknown. The initial suspicion is lawful interception carried out at the request of German police, but an intrusion into the internal networks of the hosting providers, Hetzner and Linode, aimed specifically at jabber.ru cannot be ruled out.
Users of the affected service should assume that their communications over the past 90 days may have been compromised. Check your account's PEP storage for any OMEMO or PGP keys you did not publish yourself (an interceptor with session-level access could have added keys so that your contacts also encrypt to it), and change your password.
While further details from Akamai (Linode's parent company) and Hetzner are awaited, the incident is a reminder that STARTTLS with a publicly trusted certificate protects only against parties who cannot divert your traffic. Operators should watch Certificate Transparency logs for certificates they did not request, and users should verify contacts' end-to-end encryption fingerprints out of band rather than trusting the transport alone.
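The recommended check of one's PEP storage, as an added example rather than code from the original report or from any XMPP client: the script builds the PubSub request for the account's OMEMO device list (XEP-0384 with the legacy `eu.siacs.conversations.axolotl` namespace), parses a server reply, and reports device IDs the user never set up. The JIDs, device IDs and the server responses are constructed for the demonstration; the stanzas themselves would be sent over a real client session or a client's XML console.

```python
"""Check the OMEMO device list published in an XMPP account's PEP storage
against the devices the user actually owns (XEP-0384, legacy namespace).

Added example, not from the original report or any client's code. The
JIDs, device IDs and the server responses below are constructed.
"""
import xml.etree.ElementTree as ET

PUBSUB_NS = "http://jabber.org/protocol/pubsub"
OMEMO_NS = "eu.siacs.conversations.axolotl"       # legacy OMEMO namespace
DEVICELIST_NODE = OMEMO_NS + ".devicelist"
IQ_TAGS = {"iq", "{jabber:client}iq"}             # bare or in the c2s stream namespace

# Device IDs of the clients the user knows they run (hypothetical values,
# read from each client's own-fingerprint screen).
OWN_DEVICE_IDS = {31415, 27182}

# Constructed server reply to the query built by build_devicelist_query().
SAMPLE_RESPONSE = """
<iq type='result' from='alice@example.org' to='alice@example.org/laptop' id='omemo-check-1'>
  <pubsub xmlns='http://jabber.org/protocol/pubsub'>
    <items node='eu.siacs.conversations.axolotl.devicelist'>
      <item id='current'>
        <list xmlns='eu.siacs.conversations.axolotl'>
          <device id='31415'/>
          <device id='27182'/>
          <device id='16180'/>
        </list>
      </item>
    </items>
  </pubsub>
</iq>
"""

# Constructed error reply (account has never published a device list).
SAMPLE_ERROR = """
<iq type='error' from='alice@example.org' id='omemo-check-1'>
  <error type='cancel'><item-not-found xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/></error>
</iq>
"""


def build_devicelist_query(jid, iq_id="omemo-check-1"):
    """PubSub 'items' request (XEP-0060) for the account's OMEMO device list."""
    return ("<iq type='get' to='%s' id='%s'>"
            "<pubsub xmlns='%s'><items node='%s'/></pubsub></iq>"
            % (jid, iq_id, PUBSUB_NS, DEVICELIST_NODE))


def parse_device_list(xml_text):
    """Set of device IDs in a device-list result; ValueError on an error or
    unexpected reply so a failed lookup is never mistaken for 'no devices'."""
    iq = ET.fromstring(xml_text.strip())
    if iq.tag not in IQ_TAGS or iq.get("type") != "result":
        raise ValueError("not an IQ result: type=%r" % iq.get("type"))
    items = iq.find("{%s}pubsub/{%s}items" % (PUBSUB_NS, PUBSUB_NS))
    if items is None or items.get("node") != DEVICELIST_NODE:
        raise ValueError("result does not carry node %s" % DEVICELIST_NODE)
    return {int(dev.get("id")) for dev in items.iter("{%s}device" % OMEMO_NS)}


def find_unknown_devices(published, own):
    """Devices in PEP that the user never set up. Each one is a key that
    contacts' clients will encrypt to, i.e. a possible eavesdropper."""
    return set(published) - set(own)


def bundle_node(device_id):
    """PEP node holding that device's identity key and prekeys, for inspection."""
    return "%s.bundles:%d" % (OMEMO_NS, device_id)


if __name__ == "__main__":
    print(build_devicelist_query("alice@example.org"))
    published = parse_device_list(SAMPLE_RESPONSE)
    for dev in sorted(find_unknown_devices(published, OWN_DEVICE_IDS)):
        print("unknown OMEMO device %d, inspect %s and delete it" % (dev, bundle_node(dev)))
```

Clients that implement the newer OMEMO revision publish under `urn:xmpp:omemo:2` (node `urn:xmpp:omemo:2:devices`) instead, so an account may need both lists checked. An unknown device should be removed from the list and its bundle node deleted, but only after the password has been changed, otherwise an interceptor still holding a session can simply republish it.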
FAQ:
Q: Why was jabber.ru targeted in this attack?
A: The motive has not been established. The effect of the operation was to intercept traffic to and from the XMPP-based instant messaging service jabber.ru.
Q: How did the attackers carry out this attack?
A: Traffic to jabber.ru was redirected to attacker-controlled hosts inside the networks of its German hosting providers. With control of that traffic they passed Let's Encrypt's domain validation and obtained new TLS certificates for the service, which let them terminate and read encrypted STARTTLS connections.
Q: How long did this wiretapping last?
A: It is estimated to have occurred over about six months, starting in July 2023.
Q: How was this attack discovered?
A: One of the service administrators received a client warning about an expired certificate, because the attackers' substitute certificate had lapsed.
Q: What kind of access did the attackers have?
A: The attackers had significant access, essentially allowing them to act within the service as if they were authorized users. This included viewing account rosters, accessing unencrypted message history, and sending or altering real-time messages.
Q: Who is responsible for this attack?
A: The identity of the attackers is still unclear. Initial suspicions point toward lawful interception, possibly at the request of German law enforcement. However, an intrusion into the internal networks of the hosting providers, Hetzner and Linode, cannot be ruled out.