    Orange Spain faces BGP traffic hijacking after RIPE account attacked by malware

    By techempire

    Report | January 5, 2024 | Editorial Department | Cybersecurity/Malware


    On January 3, mobile network operator Orange Spain suffered a network outage lasting several hours after a threat actor used administrator credentials captured by stealer malware to hijack its Border Gateway Protocol (BGP) traffic.

    “The IP Network Coordination Center’s (RIPE) Orange account was inappropriately accessed, impacting the browsing of some of our customers,” the company said in a message posted on X (formerly Twitter).

    However, the company stressed that no personal data was compromised and that the incident only affected some browsing services.


    The threat actor, who goes by the name Ms_Snow_OwO on X, claimed to have gained access to Orange Spain's RIPE account. RIPE is a regional Internet registry (RIR) that oversees the allocation and registration of IP addresses and Autonomous System (AS) numbers in Europe, Central Asia, Russia and Western Asia.

    “Threat actors used compromised accounts to modify AS numbers belonging to Orange IP addresses, causing Orange to experience significant disruption and a 50% traffic loss,” said cybersecurity firm Hudson Rock.
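Why a changed origin AS in the registry turns into traffic loss, and how an operator can catch the change: the sketch below is an added example, not code from the article or from any party it names. It assumes the registry records are RPKI-style route origin records (prefix, maximum length, origin AS), which the article does not specify, and uses constructed documentation prefixes and AS numbers throughout.

```python
import ipaddress

def validate(route_prefix, origin_as, records):
    """Origin validation in the style of RFC 6811: valid / invalid / not-found."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for prefix, max_len, asn in records:
        net = ipaddress.ip_network(prefix)
        # Only records whose prefix covers the announced route are relevant.
        if route.version != net.version or not route.subnet_of(net):
            continue
        covered = True
        if asn == origin_as and route.prefixlen <= max_len:
            return "valid"
    # Covered by a record but matching none: validating routers drop it.
    return "invalid" if covered else "not-found"

def impact(announcements, records):
    """Validation state of every (prefix, origin AS) we announce."""
    return {(p, a): validate(p, a, records) for p, a in announcements}

def registry_drift(baseline, current):
    """Records added or removed relative to the approved baseline."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current))}

# Constructed sample data (documentation prefixes, private-use AS numbers).
BASELINE = [("192.0.2.0/24", 24, 64500), ("198.51.100.0/24", 24, 64500)]
# Same registry after an unauthorised edit: one prefix now names another AS.
TAMPERED = [("192.0.2.0/24", 24, 64511), ("198.51.100.0/24", 24, 64500)]
ANNOUNCED = [("192.0.2.0/24", 64500), ("198.51.100.0/24", 64500),
             ("203.0.113.0/24", 64500)]

if __name__ == "__main__":
    drift = registry_drift(BASELINE, TAMPERED)
    if drift["added"] or drift["removed"]:
        print("ALERT: registry records differ from baseline:", drift)
    for route, state in impact(ANNOUNCED, TAMPERED).items():
        print(route, "->", state)
```

Run on a schedule against a current export of the organisation's own records, a non-empty drift result is the signal to review recent logins to the registry account.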

    [Image: BGP traffic shut down]

    Further analysis revealed that the email address of the administrator account was associated with the computer of an Orange Spain employee, which was infected with the Raccoon Stealer malware on September 4, 2023.

    It’s unclear how the stealer found its way onto the employee’s system, but this type of malware family is typically spread through malvertising or phishing scams.

    “Among the company credentials identified on the machine, the employee obtained specific credentials for ‘https://access.ripe.net’ using an email address compromised by a threat actor (adminripe-ipnt@orange.es),” the company added.

    To make matters worse, the password used to protect the Orange RIPE administrator account is “ripeadmin”, which is both weak and predictable.


    Security researcher Kevin Beaumont further pointed out that RIPE neither enforces two-factor authentication (2FA) nor enforces a strong password policy on its accounts, making it vulnerable to abuse.

    “Currently, the infostealer marketplace is selling thousands of credentials to access.ripe.net, which essentially allows you to repeat this scenario across organizations and ISPs across Europe,” Beaumont said.

    RIPE is currently investigating whether any other accounts have been similarly affected and said affected account holders will be contacted directly. It also urges RIPE NCC Access account users to update their passwords and enable multi-factor authentication for their accounts.

    “In the long term, we are accelerating the implementation of 2FA, making it mandatory for all RIPE NCC Access accounts as soon as possible and introducing various verification mechanisms,” it added.

    This incident highlights the consequences of infection by information stealers and the need for organizations to take steps to protect their networks from known initial attack vectors.
