Mobile network operator Orange Spain suffered several hours of internet outage on January 3 after threat actors hijacked Border Gateway Protocol (BGP) traffic using administrator credentials obtained through stealer malware.
“The Orange account of the IP Network Coordination Center (RIPE) was accessed without authorization, affecting the browsing of some customers,” the company said in a message posted on X (formerly Twitter).
However, the company emphasized that no personal data was compromised and that the incident only affected some browsing services.
A threat actor operating under the name Ms_Snow_OwO on X claimed to have obtained access to Orange Spain’s RIPE account. RIPE is a regional Internet registry (RIR) that oversees the assignment and registration of IP addresses and autonomous system (AS) numbers in Europe, Central Asia, Russia, and Western Asia.
Cybersecurity firm Hudson Rock said: “The attackers used the stolen accounts to change the AS numbers belonging to Orange’s IP addresses. As a result, Orange experienced significant disruption and a 50% loss of traffic.”
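An attacker with control of a registry account can re-point an operator's prefixes at a different origin AS, which is what the description above amounts to. The defensive counterpart is to keep a trusted baseline of prefix-to-origin mappings and diff it against the registry's published route objects on a schedule. The script below is an added example written for this article, not code from Orange, Hudson Rock or RIPE NCC; it assumes the snapshot arrives as RPSL `route:`/`origin:` objects (the format the RIPE Database uses), and every prefix and AS number in it is a constructed documentation value (RFC 5737 prefixes, RFC 5398 ASNs).

```python
"""Detect unexpected origin-AS changes in published route objects.

Added example (not the article's or any vendor's code). It compares a
trusted baseline of prefix -> origin ASN against a snapshot of RPSL route
objects and reports prefixes whose origin moved to a foreign ASN, foreign
more-specifics injected under our space, and baseline prefixes that have
disappeared. All prefixes and ASNs are constructed documentation values.
"""
import re
from ipaddress import ip_network

# Constructed baseline: the prefixes we own and the ASN that should originate them.
BASELINE = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64496,
    "203.0.113.0/24": 64496,
}

# Constructed RPSL snapshot as it might look after a registry-account compromise:
# one prefix re-pointed at a foreign ASN, one foreign more-specific added,
# the rest unchanged.
RPSL_SAMPLE = """\
route:          192.0.2.0/24
origin:         AS64496
source:         RIPE

route:          198.51.100.0/24
origin:         AS64511
source:         RIPE

route:          203.0.113.0/24
origin:         AS64496
source:         RIPE

route:          203.0.113.128/25
origin:         AS64510
source:         RIPE
"""


def parse_rpsl_routes(text):
    """Return {prefix: origin_asn} from RPSL route objects separated by blank lines."""
    routes = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip().lower()] = value.strip()
        if "route" in attrs and "origin" in attrs:
            # Origin is written as "AS64496"; strip the prefix and keep the number.
            routes[attrs["route"]] = int(re.sub(r"(?i)^AS", "", attrs["origin"]))
    return routes


def find_anomalies(baseline, observed):
    """Compare observed route objects against the trusted baseline.

    Returns a list of (prefix, kind, expected_asn, observed_asn) sorted by prefix.
    kinds: origin_changed, foreign_more_specific, unlisted_more_specific, missing.
    """
    anomalies = []
    base_nets = {ip_network(p): asn for p, asn in baseline.items()}
    for prefix, asn in observed.items():
        net = ip_network(prefix)
        if net in base_nets:
            if asn != base_nets[net]:
                anomalies.append((prefix, "origin_changed", base_nets[net], asn))
            continue
        # Not a baseline prefix: is it carved out of one of ours?
        covering = [b for b in base_nets if b.version == net.version and net.subnet_of(b)]
        if covering:
            parent = max(covering, key=lambda b: b.prefixlen)
            expected = base_nets[parent]
            kind = "unlisted_more_specific" if asn == expected else "foreign_more_specific"
            anomalies.append((prefix, kind, expected, asn))
    # A deleted route object also deserves an alert: it can break reachability.
    for prefix, asn in baseline.items():
        if prefix not in observed:
            anomalies.append((prefix, "missing", asn, None))
    return sorted(anomalies, key=lambda a: a[0])


if __name__ == "__main__":
    for prefix, kind, expected, observed in find_anomalies(BASELINE, parse_rpsl_routes(RPSL_SAMPLE)):
        print(f"{kind:24s} {prefix:20s} expected AS{expected} observed {observed}")
```

In practice the baseline lives in version control and the snapshot is pulled from the registry on a short schedule; any non-empty result is paged to the network team, since a legitimate change would have been made in the baseline first. Running the same comparison against RPKI ROAs catches the case where an attacker with registry access issues a ROA for a foreign ASN.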
Further analysis revealed that the administrator account’s email address was associated with an Orange Spain employee’s computer that was compromised with the Raccoon Stealer malware on September 4, 2023.
At this time, it is unclear how the stealer got onto the employee’s systems, but malware families like this are typically spread through malvertising and phishing scams.
“Among the corporate credentials identified on the machine, the employee used the email address revealed by the threat actor (adminripe-ipnt@orange.es) to log in to “https://access.ripe.net,”” the company added.
To make matters worse, the password used to secure Orange’s RIPE administrator account is “ripeadmin,” which is weak and easily predicted.
Security researcher Kevin Beaumont also noted that RIPE does not require two-factor authentication (2FA) or enforce strong password policies on accounts, making it ripe for exploitation.
“Currently, the infostealer marketplace has sold thousands of credentials to access.ripe.net, making it possible to replicate this with virtually any organization or ISP across Europe,” Beaumont said.
RIPE said it is currently investigating whether other accounts were similarly affected and will contact affected account holders directly. It is also asking users of RIPE NCC Access accounts to update their passwords and enable multi-factor authentication for their accounts.
“In the long term, we are fast-tracking the implementation of 2FA to make it mandatory for all RIPE NCC Access accounts as soon as possible and introduce various verification mechanisms,” it added.
This incident highlights the impact of infostealer infections and the need for organizations to take steps to protect their networks from known initial attack vectors.