A large-scale outage at Orange Spain that disrupted nearly half of the operator's network traffic has been blamed on information-stealing malware that exposed a weak password.
The operator, Spain's second-largest network provider, confirmed on Wednesday night that its RIPE account had been compromised by attackers.
RIPE is the regional internet registry for Europe, the Middle East, and Central Asia; its database records IP address allocations and the organisations that hold them.
The attack was claimed by an individual using the alias "Snow", who released a series of screenshots explaining how it was carried out.
Researchers used information in the shared screenshots to determine that the attacker accessed the RIPE account after harvesting administrator credentials with infostealer malware running on an Orange Spain employee's system.
The password turned out to be "ripeadmin": a simple, easily guessed password for an account with this much control over the company's address space.
Hudson Rock researchers, who described the password as "ridiculously weak", said with a "high degree of certainty" that this was how the RIPE account was compromised.
"This attack once again shows how detrimental a single infostealer infection can be to any company," the firm said in a post.
"It's important to regularly check whether your organisation is exposed to infostealer infections. Infostealer infections are the most important initial attack vector for threat actors to gain access to corporate and customer accounts."
Infosec specialist Kevin Beaumont also pointed out that RIPE does not mandate the use of 2FA or MFA, and it was not enabled on the Orange Spain account; ARIN, the database's North American equivalent, will require it from February 2024.
“Also, RIPE doesn’t have a decent password policy. You can use borisjohnson as your password. In other words, it’s a powder keg,” he claimed.
"The account in question had been exfiltrated since August last year, and the details had since been resold."
After breaching the RIPE account, Snow appears to have hijacked the network provider's Border Gateway Protocol (BGP) routing, causing the service outages experienced by customers.
The attacker changed the autonomous system (AS) number associated with Orange Spain's IP address space and added Route Origin Authorizations (ROAs), the cryptographically signed RPKI objects that attest which origin AS is allowed to announce a prefix. Once the ROAs named a different origin, Orange Spain's own BGP announcements failed Route Origin Validation, and networks that drop RPKI-invalid routes stopped carrying them.
"Orange Spain's /12 [ROA records] got broken by someone breaking into the RIPE account and pointing the RPKI ROA elsewhere (and probably others as well)," wrote Ben Cartwright-Cox, director of Port 179, a company that develops BGP network monitoring and analysis tools, on his blog.
"The current reachability of the affected prefixes is quite poor... The current ROA points to AS49581 ('Ferdinand Zink trading as Tube Hosting')."
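To make concrete why a rewritten ROA breaks reachability, here is an added example implementing the Route Origin Validation decision from RFC 6811 in Python. It is not code from the article, from Orange, or from RIPE. The /12 prefix (10.0.0.0/12) and the legitimate origin (AS64500, from the documentation ASN range) are constructed stand-ins; only AS49581, the origin the hijacked ROA pointed to, comes from the article.

```python
"""RFC 6811 Route Origin Validation (ROV) over a set of RPKI ROAs.

Added example, not code from the article or from Orange/RIPE. Shows why
re-pointing the ROA for a prefix to another AS makes the legitimate
holder's own BGP announcements RPKI-invalid.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Dict, Iterable, Optional, Union

Net = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: origin_as may announce prefix and any
    more-specific of it down to max_length."""
    prefix: Net
    max_length: int
    origin_as: int


def roa(prefix: str, origin_as: int, max_length: Optional[int] = None) -> ROA:
    net = ip_network(prefix)
    # Without an explicit maxLength only the exact prefix length is authorised.
    return ROA(net, net.prefixlen if max_length is None else max_length, origin_as)


def validate(prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """Classify a BGP announcement (prefix, origin AS) as
    'Valid', 'Invalid' or 'NotFound' per RFC 6811 section 2."""
    route = ip_network(prefix)
    # Covering ROAs: same address family and the route lies within the ROA prefix.
    covering = [r for r in roas
                if r.prefix.version == route.version and route.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"          # no ROA covers the route; ROV makes no judgement
    for r in covering:
        if r.origin_as == origin_as and route.prefixlen <= r.max_length:
            return "Valid"         # a single matching ROA is enough
    return "Invalid"               # covered, but no ROA authorises this origin/length


# Constructed stand-ins (not from the article): a /12 and a documentation-range ASN.
PREFIX = "10.0.0.0/12"
LEGIT_AS = 64500
# The origin the rewritten ROA pointed to, as quoted in the article.
HIJACK_AS = 49581


def before_and_after() -> Dict[str, str]:
    """ROV outcome for the same announcements before and after the ROA rewrite."""
    good_roas = [roa(PREFIX, LEGIT_AS, max_length=16)]
    bad_roas = [roa(PREFIX, HIJACK_AS)]
    return {
        # the legitimate holder announcing its /12 under its own ROA
        "before": validate(PREFIX, LEGIT_AS, good_roas),
        # the same announcement once the ROA names another AS: dropped by ROV-enforcing networks
        "after": validate(PREFIX, LEGIT_AS, bad_roas),
        # the AS named in the rewritten ROA is now the one ROV accepts
        "hijacker_after": validate(PREFIX, HIJACK_AS, bad_roas),
        # a prefix no ROA covers is merely NotFound, not Invalid
        "uncovered": validate("10.64.0.0/12", LEGIT_AS, bad_roas),
        # a more-specific beyond maxLength is Invalid even from the right AS
        "too_specific": validate("10.0.0.0/24", LEGIT_AS, good_roas),
    }


if __name__ == "__main__":
    for case, outcome in before_and_after().items():
        print(f"{case:>14}: {outcome}")
```

The "after" case is the situation Cartwright-Cox describes: the prefix is still announced by its real holder, but every network that validates origins and drops Invalid routes no longer accepts that announcement, which is what "quite poor" reachability looks like in practice. Note also that the attacker did not need to announce anything themselves; rewriting the authorisation data in the registry was enough.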
Snow documented the attack via a newly created X account and, having changed the RIPE administrator credentials after the compromise, invited Orange Spain to get in touch to obtain the new ones.
Orange Spain confirmed via its X account that its RIPE account had been compromised, adding that service was restored shortly after the outage was identified.
Orange added that there is no evidence that customer or client data was compromised in the incident, and that only service was disrupted.
Beaumont said he has seen credentials for thousands of different RIPE accounts on infostealer marketplaces and expects a similar wave of attacks now that the Orange Spain incident has been made public. ®