Reports of a possible recent interception of the public XMPP service jabber.ru have raised a lot of questions for people about how the attack happened, and whether it could affect them too. We have some answers.
A TTL of 64 superficially suggests to me that the attack occurred on the server / in the hosting location. Network hardware is supposed to decrease it on every hop, is it not?
The 18 July 2023 issuing time is about the same as when the Hetzner server lost its network link for several seconds.
Seems to support a hypothesis that the attack occurred at the hosting location.
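The arithmetic behind the TTL remark above, as an added example that is not part of the thread: a reply packet's TTL is the sender's initial value (commonly 64, 128 or 255) minus one per router traversed, so the inferred hop count should be the same for every port on one physical host. One way to use that, given that the write-up says port 5223 was not intercepted while 5222 was, is to compare the hop distance inferred for replies from each port of the same IP. The tcpdump-style lines are constructed for illustration, not captures from the incident.

```python
"""Infer hop distance from reply TTLs and flag ports on one IP that answer
from different distances.  Added example; sample capture is constructed."""
import re

# Usual initial TTLs: 64 (Linux/BSD/macOS), 128 (Windows), 255 (many routers).
INITIAL_TTLS = (64, 128, 255)

# Constructed lines in the shape of `tcpdump -v -n` output (not real traffic):
# replies from port 5222 arrive with ttl 64, replies from 5223 with ttl 52.
SAMPLE_CAPTURE = """
IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60) 203.0.113.10.5222 > 198.51.100.7.40001: Flags [S.], seq 1, ack 2, win 65160, length 0
IP (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto TCP (6), length 60) 203.0.113.10.5223 > 198.51.100.7.40002: Flags [S.], seq 3, ack 4, win 65160, length 0
IP (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto TCP (6), length 52) 203.0.113.10.5223 > 198.51.100.7.40002: Flags [.], ack 5, win 509, length 0
"""

# Pulls the ttl, then the source IP and port that follow the ") " closing the header.
LINE_RE = re.compile(r"ttl (\d+),.*?\) (\d+\.\d+\.\d+\.\d+)\.(\d+) > ")


def infer_hops(ttl):
    """Return (assumed initial TTL, hops traversed) for an observed TTL.
    Picks the smallest common initial value that is >= the observed one."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError("TTL above 255: %d" % ttl)


def hops_per_port(capture):
    """Map (src_ip, src_port) -> set of inferred hop counts seen in replies."""
    seen = {}
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ttl, ip, port = int(m.group(1)), m.group(2), int(m.group(3))
        seen.setdefault((ip, port), set()).add(infer_hops(ttl)[1])
    return seen


def inconsistent_ports(capture):
    """IPs whose ports reply from different hop distances, with the per-port
    hop counts.  The same host should sit equally far away on every port;
    a port that answers from zero hops while another answers from twelve
    is worth a closer look."""
    by_ip = {}
    for (ip, port), hops in hops_per_port(capture).items():
        by_ip.setdefault(ip, {})[port] = hops
    flagged = {}
    for ip, ports in by_ip.items():
        if len(set().union(*ports.values())) > 1:
            flagged[ip] = {port: sorted(h) for port, h in ports.items()}
    return flagged


if __name__ == "__main__":
    for ip, ports in inconsistent_ports(SAMPLE_CAPTURE).items():
        print(ip, "replies from different distances per port:", ports)
```

The inferred initial TTL is a guess (a host that really sits 70 hops away with an initial TTL of 128 would look like a 64-TTL host at 6 hops), so treat a single reading as a hint and the per-port disagreement on one IP as the stronger signal.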
The attacker managed to issue multiple SSL/TLS certificates via Let’s Encrypt for the jabber.ru and xmpp.ru domains since 18 Apr 2023
The Man-in-the-Middle attack for jabber.ru/xmpp.ru client XMPP traffic decryption is confirmed to have been in place from at least 21 July 2023 until 19 Oct 2023, possibly (not confirmed) since 18 Apr 2023, and affected 100% of the connections to the XMPP STARTTLS port 5222 (not 5223)
The attacker failed to reissue the TLS certificate and the MiTM proxy started to serve an expired certificate on port 5222 for the jabber.ru domain (Hetzner)
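A probe for the two conditions in the quoted findings, as an added example that is not code from the thread or from the jabber.ru investigation: it opens an XMPP stream on the STARTTLS port, upgrades to TLS the way a client would, and reports the certificate the far end presents, flagging an expired certificate (the failure mode that exposed the proxy) and, more importantly, a certificate whose fingerprint is not one you issued yourself, since a perfectly valid Let's Encrypt certificate says nothing about who holds the private key. Host, domain and the fingerprints you pass in are placeholders; the sample certificate dict is constructed in the shape `ssl.SSLSocket.getpeercert()` returns and is not the real jabber.ru certificate.

```python
"""Fetch the certificate served after XMPP STARTTLS and check it against
your own records.  Added example; SAMPLE_CERT below is constructed."""
import hashlib
import socket
import ssl
import sys
import time

XMPP_TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"


def xmpp_stream_header(domain):
    """Client stream header that opens an XMPP session (RFC 6120, 4.7)."""
    return ("<?xml version='1.0'?>"
            "<stream:stream to='{0}' version='1.0' xmlns='jabber:client' "
            "xmlns:stream='http://etherx.jabber.org/streams'>".format(domain)).encode()


def read_until(sock, marker, limit=65536):
    """Read until `marker` shows up, the peer closes, or `limit` bytes."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def starttls_upgrade(ctx, host, domain, port, timeout):
    """Open a plaintext stream, request STARTTLS, wrap the socket with ctx."""
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        raw.sendall(xmpp_stream_header(domain))
        if XMPP_TLS_NS.encode() not in read_until(raw, b"</stream:features>"):
            raise RuntimeError("no STARTTLS offered on port %d" % port)
        raw.sendall(("<starttls xmlns='%s'/>" % XMPP_TLS_NS).encode())
        reply = read_until(raw, b"/>")          # expect <proceed .../>
        if b"<proceed" not in reply:
            raise RuntimeError("STARTTLS refused: %r" % reply)
    except Exception:
        raw.close()
        raise
    return ctx.wrap_socket(raw, server_hostname=domain)


def fetch_starttls_cert(host, domain, port=5222, timeout=10):
    """Verified handshake first (getpeercert() only yields a parsed dict when
    the chain verified); on failure reconnect with verification off so the
    DER bytes and fingerprint of whatever is being served are still recorded."""
    result = {"cert": {}, "der": b"", "sha256": "", "verify_error": None}
    try:
        with starttls_upgrade(ssl.create_default_context(), host, domain, port, timeout) as tls:
            result["cert"] = tls.getpeercert()
            result["der"] = tls.getpeercert(binary_form=True)
    except ssl.SSLCertVerificationError as exc:
        result["verify_error"] = str(exc)
        lax = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        lax.check_hostname = False
        lax.verify_mode = ssl.CERT_NONE
        with starttls_upgrade(lax, host, domain, port, timeout) as tls:
            result["der"] = tls.getpeercert(binary_form=True)
    result["sha256"] = hashlib.sha256(result["der"]).hexdigest()
    return result


def issuer_string(cert):
    """Flatten getpeercert()['issuer'] into 'key=value, ...' form."""
    return ", ".join("%s=%s" % kv for rdn in cert.get("issuer", ()) for kv in rdn)


def analyze_cert(cert, sha256_hex, domain, now_ts, known_fingerprints=()):
    """Findings for a getpeercert()-shaped dict; an empty list means the cert
    is current, covers `domain` and matches a fingerprint you recorded."""
    findings = []
    if now_ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not yet valid until %s" % cert["notBefore"])
    if now_ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired since %s" % cert["notAfter"])
    # Exact DNS SAN match only; wildcard handling is deliberately left out.
    names = {v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    if domain not in names:
        findings.append("%s not in subjectAltName %s" % (domain, sorted(names)))
    if sha256_hex.lower() not in {f.lower() for f in known_fingerprints}:
        findings.append("unrecognised fingerprint %s (issuer %s); check CT logs"
                        % (sha256_hex[:16], issuer_string(cert)))
    return findings


# Constructed sample (not the real jabber.ru certificate): a Let's Encrypt
# certificate issued on 18 July 2023 with the usual 90-day lifetime.
SAMPLE_CERT = {
    "subject": ((("commonName", "jabber.ru"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notBefore": "Jul 18 10:00:00 2023 GMT",
    "notAfter": "Oct 16 10:00:00 2023 GMT",
    "subjectAltName": (("DNS", "jabber.ru"), ("DNS", "xmpp.ru")),
}

if __name__ == "__main__":
    # usage: python3 probe.py <domain> [host] [port]   (host/port are placeholders)
    domain = sys.argv[1]
    host = sys.argv[2] if len(sys.argv) > 2 else domain
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 5222
    r = fetch_starttls_cert(host, domain, port)
    print("sha256 %s  verify error: %s" % (r["sha256"], r["verify_error"]))
    if r["cert"]:
        for finding in analyze_cert(r["cert"], r["sha256"], domain, time.time()):
            print("FINDING:", finding)
    else:
        print("chain did not verify; compare the fingerprint above with your records")
```

Run it from a vantage point outside the hosting network, against both 5222 and 5223, and keep the SHA-256 of every certificate you issue: the fingerprint comparison is the only check here that would have fired while the attacker's Let's Encrypt certificates were still valid, and Certificate Transparency monitoring for your domains catches the same issuance without waiting for a connection.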
Too bad they didn’t discover how the forged certificate was obtained.
My guess, since those were .ru domains and that’s a hot topic: spooks from three-letter agencies spooking around. Either Russian agencies trying to catch dissidents or other agencies trying to catch someone working for Russian agencies.
I don’t think they forged certs; they obtained valid ones because they controlled the machine behind the IP?
Apparently that server was widely used for “dark market” sort of things. Isn’t a “simple” police investigation more likely?
Perhaps indeed.