October 28, 2023 at 04:18AM
New findings reveal a covert attempt to intercept traffic from the instant messaging service jabber[.]ru, using servers in Germany. The attacker used Let’s Encrypt TLS certificates to hijack encrypted connections. The wiretapping is estimated to have lasted for six months, from April to October 2023. The investigation suggests a case of lawful interception based on a German police request. Users are advised to assume their communications are compromised.
Key Points from Meeting Notes:
– There has been a discovery of a covert attempt to intercept traffic from the XMPP-based instant messaging service jabber[.]ru.
– The attack involved the use of new TLS certificates issued through the Let’s Encrypt service to hijack encrypted STARTTLS connections.
– The wiretapping activity is believed to have occurred from April 18 to October 19, with signs of suspicious activity first detected on October 16.
– Evidence suggests that the traffic redirection was configured on the hosting provider network, ruling out other potential causes like server breaches or spoofing attacks.
– The attack is suspected to be a case of lawful interception based on a German police request, although an intrusion on the internal networks of Hetzner and Linode is also being considered as a possibility.
– The attacker had the ability to execute actions on the compromised accounts without knowing the account password, such as downloading account rosters, accessing unencrypted message history, and sending or modifying messages in real time.
– Akamai and Hetzner have been contacted for further comments on the incident.
– Users of the service are advised to assume that their communications over the past 90 days are compromised and take precautions such as checking for unauthorized keys and changing passwords.
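The interception described above worked because the substituted certificates were CA-valid, so ordinary chain validation passed; a client-side fingerprint pin on the STARTTLS connection is the check that catches such a swap. This is an added example, not code from the original article or from jabber.ru; the host and the pinned fingerprints are placeholders.

```python
"""Pin check for the certificate an XMPP server presents after STARTTLS."""
import hashlib
import socket
import ssl

# Placeholder pins: replace with the SHA-256 fingerprints of the certificates
# the operator actually publishes for the service.
PINNED_FINGERPRINTS = {"00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:"
                       "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"}

def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated upper-case hex."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def check_pin(der_bytes: bytes, pinned: set) -> tuple:
    """Return (ok, fingerprint); ok is False when the served certificate is not pinned."""
    fp = cert_fingerprint(der_bytes)
    return fp in {p.upper() for p in pinned}, fp

def _recv_until(sock, marker: bytes, limit: int = 65536) -> bytes:
    """Read from the socket until `marker` appears or the peer closes the stream."""
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk or len(buf) > limit:
            raise ConnectionError("stream ended before %r was seen" % marker)
        buf += chunk
    return buf

def fetch_xmpp_cert(host: str, port: int = 5222, timeout: float = 10.0) -> bytes:
    """Open an XMPP client stream, request STARTTLS and return the leaf certificate (DER)."""
    ctx = ssl.create_default_context()  # chain validation alone did not stop the attack
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(("<?xml version='1.0'?><stream:stream to='%s' xmlns='jabber:client' "
                      "xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>" % host).encode())
        _recv_until(sock, b"<starttls")                 # server advertises STARTTLS in features
        sock.sendall(b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>")
        _recv_until(sock, b"<proceed")                  # server agrees to upgrade the stream
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    ok, fp = check_pin(fetch_xmpp_cert("xmpp.example.invalid"), PINNED_FINGERPRINTS)
    print(("pin OK" if ok else "PIN MISMATCH - possible interception"), fp)
```

A mismatch against a published pin, especially one issued by a different CA such as Let's Encrypt, is the signal to stop the session and investigate rather than to accept the new certificate.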