The jabber.ru admin identified a MITM attack carried out on the service in the networks of the German hosting providers Hetzner and Linode

Carding 4 Carders

Professional
Messages
2,731
Reputation
12
Reaction score
1,311
Points
113
On October 20, 2023, the administrator of jabber.ru (xmpp.ru) reported the detection of an attack to decrypt user traffic (MITM) that had been conducted for several months in the networks of the German hosting providers Hetzner and Linode. These IT resources host the project server and auxiliary VPS environments. The attack was organized by redirecting traffic to a transit node that substitutes the TLS certificate for XMPP connections encrypted using the STARTTLS extension.

The unknown participants in this attack issued a separate SSL certificate and proxied connections to TCP port 5222.

According to OpenNet, the attack was detected due to an error of its organizers, who did not have time to renew the TLS certificate used for spoofing.

On October 16, when the jabber.ru admin tried to connect to the service, he received an error message about certificate expiration, yet the certificate hosted on the server had not expired. It turned out that the certificate received by the client differed from the certificate sent by the server.

The first fake TLS certificate was obtained on April 18, 2023 through the Let's Encrypt service, where an attacker able to intercept traffic was able to confirm access to the sites jabber.ru and xmpp.ru.

At first, the jabber.ru administration assumed that the project server had been compromised and that the substitution was performed on its side. But the audit did not reveal any signs of hacking. At the same time, a short-term shutdown and reactivation of the network interface (NIC Link is Down/NIC Link is Up) was noticed in the server log, performed on July 18 at 12:58, which could indicate manipulation of the server's connection to the switch. It is noteworthy that two fake TLS certificates were generated a few minutes earlier, on July 18 at 12:49 and 12:38.

In addition, the substitution was performed not only in the network of the Hetzner provider, which hosts the main server, but also in the network of the Linode provider, which hosts VPS environments with auxiliary proxies that redirect traffic from other addresses. Indirectly, it was found that traffic to network port 5222 (XMPP STARTTLS) in the networks of both providers is redirected through an additional host, which gave reason to believe that the attack was carried out by someone with access to the providers' infrastructure.

Theoretically, the substitution could have been taking place since April 18 (the date when the first forged certificate was created for jabber.ru), but confirmed cases of certificate substitution were recorded only from July 21 to October 19; for all of this time, encrypted data exchange with jabber.ru and xmpp.ru can be considered compromised.

The certificate substitution stopped after the investigation began, tests were conducted, and a request was sent to the support services of the Hetzner and Linode providers on October 18. At the same time, an additional hop when routing packets sent to port 5222 of one of the servers in Linode is still observed, but the certificate is no longer replaced.

The project team assumes that the attack could have been carried out with the knowledge of the providers at the request of law enforcement agencies, as a result of hacking the infrastructure of both providers, or by an employee who had access to both providers. With the ability to intercept and modify XMPP traffic, an attacker could gain access to all account-related data, such as the messaging history stored on the server, and could also send messages on someone else's behalf and make changes to other people's messages. Messages sent using end-to-end encryption (OMEMO, OTR, or PGP) can be considered non-compromised if the encryption keys were verified by users on both sides of the connection.

For jabber.ru users, we recommend changing your access passwords and checking your OMEMO and PGP keys in your PEP storage for possible spoofing.
 

Carding 4 Carders

Ares, an expert on MiTM attacks and the developer of Intercepter-NG, commented on the situation with the MiTM attack:

Ares: In fact, it is no longer news that those in power and those with access are able to carry out such MiTM attacks. If it is possible to issue a valid certificate for the attacked domain and redirect traffic to the MITM proxy, then all further actions are a matter of technique. It is very interesting to see how many other similar attacks are currently being used around the world, because if it weren't for the attacker's mistake when he forgot to reissue an expired cert, we wouldn't have known that the jabber server traffic was compromised. Given the current situation, it is important to understand one simple idea: an SSL certificate in itself is no longer an absolute guarantee of secure data transfer. Additional security measures should be applied to strengthen the use of SSL. In addition, as the author of the original note noted, it is necessary to use external resources to monitor changes to the SSL certificates used on controlled resources – many people are simply not used to such measures. And let this event become a beacon for those who host and maintain their services on the servers of unfriendly states…

Ares Channel — https://t.me/cepter
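The check that exposed this incident (the certificate seen by the client after STARTTLS on port 5222 differing from the one on the server) and the external certificate monitoring Ares recommends, written as an added example that is not part of either post or of the jabber.ru project. It assumes the operator supplies a set of SHA-256 fingerprints taken from the server's own certificate file; the function names and the canned server transcript used by `replay_negotiation` are constructed for this example.

```python
"""Pin check for an XMPP STARTTLS server (port 5222): the certificate the client sees
after <proceed/> must match a fingerprint taken from the server's own certificate file."""
import hashlib
import socket
import ssl

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAM_HEADER = ("<?xml version='1.0'?><stream:stream to='%s' version='1.0' "
                 "xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'>")

def read_until(sock, marker, buf=b""):
    """Keep reading until `marker` is in the buffer; `buf` carries leftover bytes."""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("stream closed before %r" % marker)
        buf += chunk
    return buf

def negotiate_starttls(sock, domain):
    """Open the stream, demand STARTTLS, return True once the server sends <proceed/>."""
    sock.sendall((STREAM_HEADER % domain).encode())
    head, _, rest = read_until(sock, b"</stream:features>").partition(b"</stream:features>")
    if TLS_NS.encode() not in head:
        raise RuntimeError("server did not offer STARTTLS")  # downgrade: alarm, never fall back
    sock.sendall(("<starttls xmlns='%s'/>" % TLS_NS).encode())
    return b"<proceed" in read_until(sock, b"/>", rest)  # <failure/> gives False

def sha256_fingerprint(der_cert):
    """Colon-separated SHA-256 fingerprint, as `openssl x509 -fingerprint -sha256` prints."""
    hexdigest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))

def probe(domain, pinned_fingerprints, port=5222, timeout=10):
    """Live check from an external vantage point: chain/hostname validation stays on, and the
    pin additionally catches a CA-issued substitute (as in this incident) that validation accepts."""
    ctx = ssl.create_default_context()
    with socket.create_connection((domain, port), timeout=timeout) as raw:
        if not negotiate_starttls(raw, domain):
            return False
        with ctx.wrap_socket(raw, server_hostname=domain) as tls:
            return sha256_fingerprint(tls.getpeercert(binary_form=True)) in pinned_fingerprints

def replay_negotiation(server_transcript, domain="jabber.ru"):
    """Run the negotiation offline against a canned (constructed) server transcript."""
    client, server = socket.socketpair()
    with client, server:
        server.sendall(server_transcript)
        server.shutdown(socket.SHUT_WR)
        return negotiate_starttls(client, domain)
```

Run `probe("jabber.ru", {fingerprint})` from a host outside the provider's network on a schedule; a `False` result, or a `RuntimeError` from a missing STARTTLS offer, is the alarm condition.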