Infostealer malware, weak password leaves Orange Spain RIPE for plucking
Updated A weak password exposed by infostealer malware is being blamed after a massive outage at Orange Spain disrupted around half of its network’s traffic.
The network provider is Spain’s second most popular and on Wednesday evening confirmed its RIPE account had been breached by an attacker.
RIPE is the regional database that contains all IP addresses and their owners in Europe, the Middle East, and Central Asia.
The attack was claimed by an individual operating under the alias of “Snow,” who published a series of screenshots explaining how they supposedly carried out the attack.
Researchers used the information in the shared images to determine that the RIPE account had been accessed after the attacker harvested admin credentials using infostealer malware. The malware had infected the account of an Orange Spain employee.
The password was revealed to be “ripeadmin” – a simple and easily guessable password for an important account.
Researchers at Hudson Rock described the password as “ridiculously weak” before confirming with “high certainty” this was the method used to breach the RIPE account.
“This attack again illustrates how a single infostealer infection could be detrimental to any company,” the company said in a post.
“It is important to routinely check your organizational exposure to infostealer infections which are the top initial attack vector for threat actors to access corporate and customer accounts.”
Infosec specialist Kevin Beaumont also noted that RIPE does not mandate 2FA or MFA use, and it wasn’t enabled at Orange Spain, whereas North America’s equivalent database, ARIN, has mandated it since February 2023.
“Also, there is no sane password policy at RIPE – you can use borisjohnson as your password, in other words, it is a powder keg,” he claimed.
“The account in question has been on an infostealer since August last year, with the details resold onwards.”
Following the RIPE account breach, Snow then appears to have hijacked the network provider’s border gateway protocol (BGP) traffic, which led to the service outage experienced by customers.
The attacker modified the autonomous system (AS) number associated with Orange Spain’s IP address and changed the route origin authorizations (ROAs) – cryptographically signed objects that help to securely verify that announced BGP routes are associated with the correct origin – in turn breaking the network’s BGP routing.
“Orange Spain has had their /12 [ROA records] (and likely others) broken by (what appears to be) someone breaking into their RIPE account and making RPKI ROA’s to somewhere else,” blogged Ben Cartwright-Cox, director at Port 179, the company behind network and monitoring and analytics tool BGP.Tools.
“Current reachability of impacted prefixes is pretty poor… the current ROA is pointing to AS49581 (“Ferdinand Zink trading as Tube-Hosting”).”
“Snow” documented the attack via a freshly minted X account, goading Orange Spain and encouraging it to reach out and request the new RIPE admin credentials after they were breached and changed.
Orange Spain confirmed its RIPE account was breached via its X account, adding that service was restored shortly after acknowledging the outage.
There is no evidence to suggest any customer or client data was compromised during the incident, and the disruption was to its services only, Orange added.
Beaumont said he’s seen credentials to thousands of different RIPE accounts on infostealer marketplaces, and expects a wave of similar attacks to take place now the incident at Orange Spain has been publicized. ®
Updated at 16.32 on January 4, 2024, to add:
Orange has sent us a statement.
“The problem has been solved yesterday and the appropriate measures have been taken to prevent such an incident from happening again. As you know, Orange’s account at the IP network coordination centre (RIPE) was improperly accessed, affecting the browsing of some of our customers. The service has been restored since yesterday.
“We confirm that in no case have our customers’ data been compromised, only the browsing of some services has been affected.”
READ MORE HERE