Incoming TCP connections to port 5222 are altered: they have different source port, SEQ/ACK numbers, and appear to arrive without any intermediate routing hops (TTL=64).It is based on other private key and was never issued by the server’s acme.sh certificate issuing script.The expired certificate is not present on the server.The software serves proper, non-expired certificate in the network traffic. All the certificates seemed to be up-to-date on the server, but the connection to port 5222 (XMPP STARTTLS) was presenting an outdated certificate to the client.ĭuring all kinds of software, network and configuration checks with the help of other professionals and ejabberd software author, it was discovered that: Oxpa, experienced UNIX administrator who is in charge for the oldest Russian XMPP service established in year 2000, was puzzled by “Certificate has expired” message upon connecting to the service on 16 October 2023. We believe this is lawful interception Hetzner and Linode were forced to setup. The wiretapping may have lasted for up to 6 months overall (90 days confirmed). There are no indications of the server breach or spoofing attacks on the network segment, quite the contrary: the traffic redirection has been configured on the hosting provider network. The attack was discovered due to expiration of one of the MiTM certificates, which haven’t been reissued. The attacker has issued several new TLS certificates using Let’s Encrypt service which were used to hijack encrypted STARTTLS connections on port 5222 using transparent MiTM proxy. TL DR: we have discovered XMPP (Jabber) instant messaging protocol encrypted TLS connection wiretapping (Man-in-the-Middle attack) of (aka ) service’s servers on Hetzner and Linode hosting providers in Germany.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |