How Attackers Eavesdropped on a Popular Messaging Platform for Months

 By Charles Joseph | Cybersecurity Advocate
 Last update: November 25, 2023

Security researchers have disclosed a covert interception of traffic to jabber[.]ru, an XMPP-based instant messaging service. XMPP, the Extensible Messaging and Presence Protocol, is an open and widely used protocol for online messaging. For readers less familiar with the jargon, think of XMPP as the language that certain chat apps and their servers use to talk to each other.

The interception, which the researchers believe was most likely a lawful interception carried out at the request of German police, targeted traffic to the service's servers at two hosting providers, Hetzner and Linode. Linode is a subsidiary of Akamai, a global content delivery network.


ValdikSS, a well-known security researcher, documented the technical details. The attacker obtained newly issued TLS (Transport Layer Security) certificates for the service's domain names from Let's Encrypt, a free, automated certificate authority. A TLS certificate is not encryption in itself: it is a credential, vouched for by a certificate authority, that tells your client it is really talking to the server it intended to reach, after which the connection is encrypted. Because the attacker's certificates were genuine and trusted, clients showed no warning. Sitting in the network path, the attacker terminated client connections on TCP port 5222 (the XMPP client-to-server port) with those certificates and relayed the traffic onward to the real server, a setup known as a transparent man-in-the-middle (MITM) proxy. A MITM attack, for the uninitiated, is a lot like eavesdropping: imagine someone secretly relaying your private conversation to another person without either of you noticing. That is essentially what happened here, only digitally.

The interception ran for an estimated six months, starting on April 18, 2023. Its discovery was largely fortuitous. On October 16, 2023, an administrator connecting to the service received a warning that the certificate presented on the connection had expired. Certificates, like ID cards, have a fixed validity period and must be renewed; Let's Encrypt certificates are valid for 90 days. The legitimate server's own certificate was valid, so the expired one could only have come from the interceptor, which had apparently failed to renew it, and that warning was the red flag that exposed the whole operation.
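A server operator who has been warned once tends to want a deliberate check rather than a lucky expiry notice. The script below is an added example written for this article; it is not code from the original page, from ValdikSS, or from jabber[.]ru. It performs the plaintext part of an XMPP client-to-server connection on port 5222 (stream header, then the STARTTLS request from RFC 6120), upgrades to TLS, and compares the SHA-256 fingerprint of the certificate the client actually received with the fingerprint of the certificate the operator installed on the server. Ordinary chain validation cannot catch a MITM holding a validly issued Let's Encrypt certificate; the pin comparison can. The domain `example.org`, the fake server thread, and the certificate byte strings in the offline demo are constructed placeholders, not real data.

```python
import hashlib
import socket
import ssl
import threading

XMPP_TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAM_NS = "http://etherx.jabber.org/streams"


def _recv_until(sock, markers, limit=65536):
    """Read until one of the byte markers shows up or the peer closes."""
    buf = b""
    while not any(m in buf for m in markers):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        if len(buf) > limit:
            raise ValueError("peer sent too much data before STARTTLS")
    return buf


def negotiate_starttls(sock, domain):
    """Open a jabber:client stream to `domain` and ask for STARTTLS (RFC 6120, section 5).
    Returns True once the server answers <proceed/>; raises if it refuses or never offers it."""
    header = ("<?xml version='1.0'?>"
              "<stream:stream to='%s' version='1.0' xmlns='jabber:client' xmlns:stream='%s'>"
              % (domain, STREAM_NS))
    sock.sendall(header.encode())
    features = _recv_until(sock, [b"</stream:features>"])
    if b"<starttls" not in features:
        raise RuntimeError("server did not offer STARTTLS")
    sock.sendall(("<starttls xmlns='%s'/>" % XMPP_TLS_NS).encode())
    reply = _recv_until(sock, [b"<proceed", b"<failure"])
    if b"<proceed" not in reply:
        raise RuntimeError("server refused STARTTLS: %r" % reply)
    return True


def cert_fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_is_pinned(der_bytes, pinned):
    """True only if the presented certificate is one the operator installed."""
    return cert_fingerprint(der_bytes) in {p.upper() for p in pinned}


def probe_xmpp_certificate(host, domain, pinned, port=5222, timeout=10):
    """Connect to host:port, negotiate STARTTLS, and compare the leaf certificate
    the client received with the pinned fingerprints.  Returns (fingerprint, matches).
    Chain validation still runs, but a MITM holding a validly issued certificate
    passes it; only the pin comparison catches that case."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        negotiate_starttls(raw, domain)
        with ctx.wrap_socket(raw, server_hostname=domain) as tls:
            der = tls.getpeercert(binary_form=True)
    return cert_fingerprint(der), fingerprint_is_pinned(der, pinned)


def _fake_xmpp_server(srv, domain):
    """Constructed stand-in for the server side of the plaintext part of the exchange."""
    srv.recv(4096)  # the client's <stream:stream> header
    srv.sendall(("<?xml version='1.0'?>"
                 "<stream:stream from='%s' id='c0nstructed' version='1.0' "
                 "xmlns='jabber:client' xmlns:stream='%s'>"
                 "<stream:features><starttls xmlns='%s'><required/></starttls></stream:features>"
                 % (domain, STREAM_NS, XMPP_TLS_NS)).encode())
    request = srv.recv(4096)
    if b"<starttls" in request:
        srv.sendall(("<proceed xmlns='%s'/>" % XMPP_TLS_NS).encode())
    srv.close()


def run_offline_demo(domain="example.org"):
    """Exercise the STARTTLS negotiation against the constructed server over a
    socketpair (no network), then the pin check on constructed certificate bytes.
    Returns (negotiated, matched_operator_cert, matched_interceptor_cert)."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=_fake_xmpp_server, args=(server, domain))
    worker.start()
    try:
        negotiated = negotiate_starttls(client, domain)
    finally:
        client.close()
        worker.join()
    # Constructed placeholders: the operator's own certificate and an interceptor's.
    installed_der = b"\x30\x82\x01\x00constructed-operator-certificate"
    interceptor_der = b"\x30\x82\x01\x00constructed-interceptor-certificate"
    pins = [cert_fingerprint(installed_der)]
    return (negotiated,
            fingerprint_is_pinned(installed_der, pins),
            fingerprint_is_pinned(interceptor_der, pins))


if __name__ == "__main__":
    print(run_offline_demo())  # (True, True, False)
```

In practice the operator computes the pin from the certificate file on the server itself (for example with `openssl x509 -noout -fingerprint -sha256 -in fullchain.pem`) and runs `probe_xmpp_certificate` from a machine outside the hosting provider's network, so that the probe traverses the same path ordinary clients do. A mismatch between what is on disk and what the probe receives is exactly the signature of a transparent MITM that terminates TLS with its own certificate. Watching Certificate Transparency logs for unexpected issuances for the domain is a complementary check.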

The impact is severe. Because the interceptor sat inside each client's authenticated session, the perpetrator could act as the logged-in user without ever knowing the account password: read server-side chat histories, alter messages in transit, or send new messages in the user's name. Only conversations protected by end-to-end encryption, with keys the participants had verified, were beyond its reach. This is a grave violation of user privacy.

Users of jabber[.]ru now face an unsettling recommendation: assume that any communication over the past three months may have been compromised. They are also advised to check their accounts and contacts for unauthorized end-to-end encryption keys (such as OMEMO or PGP keys) that an interceptor could have inserted, and to change their passwords.

In a broader cybersecurity context, other interception concerns have surfaced. The Citizen Lab recently detailed vulnerabilities in mobile network signaling protocols, the systems that let our phones connect and roam when we travel abroad. Exploiting them allows actors ranging from surveillance vendors to organized crime to determine a device's location. A further vulnerability, CVE-2022-43677, could even disrupt critical networks built on 5G technology, and disruptions in sectors such as defense or manufacturing could have serious consequences.

"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renowned computer security professional