Friday, November 15, 2024

‘Ridiculously weak’ passwords spell disaster for Spain’s second largest mobile operator

Must read


'Ridiculously weak' passwords spell disaster for Spain's second largest mobile operator

Getty Images

Orange España, Spain’s second-largest mobile phone company, suffered a major outage on Wednesday. An unknown person obtained a “ridiculously weak” password and used it to access an account that manages the global routing table that controls the network that distributes the company’s Internet traffic. researchers said.

The hijacking began at approximately 9:28 a.m. UTC (approximately 2:28 a.m. Pacific Time) when the party logged into Orange’s RIPE NCC account using the password “ripeadmin” (without the quotes). Ta. The RIPE Network Coordination Center is one of five regional Internet registries responsible for managing and allocating IP addresses to Internet service providers, telecommunications organizations, and businesses that manage their own network infrastructure. RIPE serves 75 countries in Europe, the Middle East, and Central Asia.

“Things got worse.”

The password was revealed after the party, using the name Snow, posted an image on social media showing the orange.es email address associated with the RIPE account. RIPE said it is working on ways to strengthen account security.

Screenshot showing the RIPE account and its associated orange.es email address.
Expanding / Screenshot showing the RIPE account and its associated orange.es email address.

Security firm Hudson Rock inserted the email address into a database it maintained to track credentials sold in online bazaars. The security company said in a post that the usernames and “ridiculously weak” passwords were collected by information-stealing malware that had been installed on Orange’s computers since September. The passwords were then available for sale on his Infostealer marketplace.

A partially redacted screenshot from the Hudson Rock database showing Orange RIPE account credentials.
Expanding / A partially redacted screenshot from the Hudson Rock database showing Orange RIPE account credentials.

H Judson Locke

Researcher Kevin Beaumont said thousands of credentials securing other RIPE accounts are also available on such marketplaces.

Logging into Orange’s RIPE account, Snow made changes to the global routing table that mobile operators rely on to specify which backbone providers are authorized to carry traffic to different regions of the world. These tables are managed using Border Gateway Protocol (BGP), which connects one regional network to the rest of the Internet. Specifically, Snow has added some new ROAs, which stands for Route Origin Authorization. These entries allow an “autonomous system” such as Orange’s AS12479 to specify a large number of other autonomous systems or IP addresses to distribute its traffic to different regions of the world.

This change makes sense because initially, announcements for the IP addresses added by ROA Snow (93.117.88.0/22, 93.117.88.0/21, and 149.74.0.0/16) were already coming from Orange’s AS12479. It had no effect. A few minutes later, Snow added his ROA to his five additional routes. According to a detailed coverage of the event by his BGP expert Doug Madory of the security and networking company Kentik, all but one of his came from Orange AS, again with no traffic impact. was.

Creating an ROA of 149.74.0.0/16 was the first thing Snow did that caused problems. This is because the maximum prefix length is set to 16, which disables smaller routes that use address ranges.

“All routes more specific than 16 (prefix length longer) are now disabled,” Madory told Ars in an online interview. “So routes like 149.74.100.0/23 became invalid and started being filtered. Then [Snow] We created more ROAs to cover those routes. why? I don’t know. I think at first I was just joking around. Before ROA was created, there was no ROA that claimed anything about this address range. ”



Source link

More articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest article