The administrator of the Jabber server Jabber.ru (XMPP.ru) has reported an attack on the decoding of user traffic (MITM) that occurred over a period of 90 days to 6 months. The attack targeted the networks of German hosting providers Hetzner and Linode, where the project server and auxiliary VPS-rejection are located. The attack involved redirecting traffic to a transit node that replaced the TLS certificate for XMPP connections, which were encrypted using the Starttls expansion.
The attack became evident due to a mistake made by the attackers. They failed to extend the TLS certificate used for substitution. On October 16, the administrator of Jabber.ru received an error message when attempting to connect to the service, indicating that the certificate had expired. However, the certificate placed on the server had not yet expired. Subsequent investigation revealed that the certificate received by the client differed from the certificate sent by the server. The first fake TLS certificate was received on April 18, 2023, through the Let’s Encrypt service. The attacker, who had the ability to intercept traffic, used this certificate to gain access to the Jabber.ru and XMPP.ru sites.
Initially, there was speculation that the project server had been compromised and that the substitution occurred on its side. However, an audit of the server did not uncover any signs of hacking. It was observed, though, that the network interface had been briefly shutdown and reactivated on July 18 at 12:58, as indicated in the server’s log. This activity could suggest manipulations with the server’s connection to the switch. Notably, two fake TLS certificates were generated just minutes before the shutdown – on July 18 at 12:49 and 12:38.
In addition to the Hetzner provider’s network, where the main server is hosted, the substitution also occurred on the network of the Linode provider. Linode hosted the VPS-renovation with an auxiliary proxy that redirected traffic from other addresses. The discovery that traffic on the 5222 network port (XMPP Starttls) in both provider networks was redirected through an additional host suggests that the attack may have been carried out by an individual with access to the infrastructure of these providers.