Russian XMPP-based instant messaging service jabber[.]ru was discovered to have been wiretapped between April 18 and Oct. 19 by threat actors using Germany-based Hetzner and Linode servers, reports The Hacker News.
Numerous new TLS certificates were obtained by the attackers to take over encrypted STARTTLS connections on port 5222 through a transparent man-in-the-middle proxy, according to security researcher ValdikSS. The wiretapping, which is believed to have stopped once an investigation began on Oct. 18, may be either a lawful interception conducted by the German police or a MITM attack against the Hetzner and Linode networks, the researcher said.
"Given the nature of the interception, the attackers have been able to execute any action as if it is executed from the authorized account, without knowing the account password. This means that the attacker could download the account's roster, lifetime unencrypted server-side message history, send new messages, or alter them in real time," the researcher added.
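A transparent proxy holding a freshly issued, CA-valid certificate passes ordinary chain validation, so the practical defender-side check for an XMPP server is to complete the STARTTLS negotiation on port 5222 and compare the presented leaf certificate against a pinned fingerprint (or against what Certificate Transparency logs show for the domain). The following is an added example written for this summary, not code from the report or from the researcher; the host name and pin values are constructed placeholders, and the network function assumes a reachable XMPP server.

```python
"""Client-side STARTTLS probe for an XMPP service plus a certificate pin check.

Added example, not code from the original report. Host names and pin values
are constructed placeholders (assumptions), not real deployment data.
"""
import hashlib
import socket
import ssl
from typing import Iterable, List

XMPP_PORT = 5222  # port named in the report for the intercepted STARTTLS sessions


def stream_header(domain: str) -> bytes:
    # Opening stream header the client sends first (RFC 6120, section 4.7).
    return (
        "<?xml version='1.0'?>"
        f"<stream:stream to='{domain}' version='1.0' xmlns='jabber:client' "
        "xmlns:stream='http://etherx.jabber.org/streams'>"
    ).encode()


STARTTLS_REQUEST = b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"


def server_offers_starttls(features: bytes) -> bool:
    # The server's <stream:features> must advertise STARTTLS; a proxy that
    # strips the feature would silently downgrade the session to plaintext.
    return b"<starttls" in features and b"urn:ietf:params:xml:ns:xmpp-tls" in features


def server_proceeded(reply: bytes) -> bool:
    # <proceed/> means the server agreed to start TLS; <failure/> means it refused.
    return b"<proceed" in reply


def cert_fingerprint(der: bytes) -> str:
    # SHA-256 over the DER certificate, colon-separated like `openssl x509 -fingerprint`.
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_pinned(der: bytes, pins: Iterable[str]) -> bool:
    # Compare against pins regardless of colon/case formatting.
    normalised = {p.replace(":", "").upper() for p in pins}
    return hashlib.sha256(der).hexdigest().upper() in normalised


def _recv_until(sock: socket.socket, markers: List[bytes]) -> bytes:
    buf = b""
    while not any(m in buf for m in markers):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the stream before the expected stanza")
        buf += chunk
    return buf


def check_xmpp_server(domain: str, pins: Iterable[str], host: str = None, timeout: float = 10.0) -> dict:
    # Perform the client side of STARTTLS and report what certificate the peer presents.
    # Ordinary CA validation still runs (create_default_context), but the pin check is
    # what flags a CA-valid certificate that the legitimate operator never issued.
    with socket.create_connection((host or domain, XMPP_PORT), timeout=timeout) as sock:
        sock.sendall(stream_header(domain))
        features = _recv_until(sock, [b"</stream:features>", b"<stream:features/>"])
        if not server_offers_starttls(features):
            return {"starttls_offered": False, "fingerprint": None, "pinned": False}
        sock.sendall(STARTTLS_REQUEST)
        reply = _recv_until(sock, [b"<proceed", b"<failure"])
        if not server_proceeded(reply):
            return {"starttls_offered": True, "fingerprint": None, "pinned": False}
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            der = tls.getpeercert(binary_form=True)
            return {
                "starttls_offered": True,
                "fingerprint": cert_fingerprint(der),
                "pinned": fingerprint_pinned(der, pins),
            }


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own domain and known pins.
    print(check_xmpp_server("xmpp.example.org", pins=["00:11:22"]))
```

Run it periodically from a vantage point outside the hosting provider's network; a result with `pinned: False` for a certificate that otherwise validates is exactly the condition the report describes, and pairing the check with a Certificate Transparency monitor for the domain shows whether an unexpected certificate was issued at all.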
Ukraine has been targeted by Russian threat actors in the new Operation Texonto disinformation campaign, which also involved spear-phishing and credential exfiltration tactics, according to The Hacker News.
Record high ransomware and data extortion incidents experienced by Western nations last year have prompted former National Security Agency Director Michael Rogers to call for a reevaluation of their cybersecurity defense strategy.