Orange Spain suffered a major attack earlier this week after an attacker using the alias “Snow” obtained the “ridiculously weak” passwords for accounts that manage global routing tables and control the network that distributes the company’s internet traffic.
Apparently, the administrator’s computer was infected with information-stealing malware, and the “ripeadmin” password was collected during September 2023. The threat actor then sold it on the dark web, possibly to Snow. The attacker used the password to log into Orange’s RIPE NCC account.
According to Ars Technica, the RIPE Network Coordination Center is one of five regional Internet registries responsible for managing and allocating IP addresses to Internet service providers, telecommunications organizations, and businesses that manage their own network infrastructure.
sour orange
Once logged in, the attacker began making changes to the global routing table, which Orange uses to allocate traffic to different backbone providers. As expert Doug Madory vividly explains in a technical write-up, the changes didn’t make much of a difference at first, but soon “things got ugly.”
Simply put, Snow turned a tool meant to prevent route hijacking into a denial-of-service tool against Orange users.
Orange España is the country’s second largest mobile phone company, media reported. In the aftermath, RIPE said it is working on ways to improve account security.
The worst thing about this case is that Snow’s motives are still unknown. Given how the attacker went about modifying the global routing table, researchers speculate that the attacker was simply experimenting with the access to see what it allowed. Additionally, the attacker may have moved slowly to raise awareness about weak passwords and may have only escalated after seeing a muted response from businesses.