Hacker Hijacks Orange Spain RIPE Account to Cause BGP Havoc

“Orange Spain suffered an internet outage today after a hacker breached the company's RIPE account to misconfigure BGP routing and an RPKI configuration. The routing of traffic on the internet is handled by Border Gateway Protocol (BGP), which allows organizations to associate their IP addresses with autonomous system (AS) numbers and advertise them to other routers they are connected to, known as their peers” (Bleeping Computer, 2023). BGP advertisements are used to build a routing table that reaches all other edge routers on the Internet, and they allow networks to determine the best route for sending traffic to a particular IP address.

If a rogue network announces IP ranges associated with another AS number, it is possible to hijack those IP ranges and redirect traffic to malicious websites or networks. BGP is built on trust, and the routing table will be updated based on which advertiser has the shortest and most specific route. To prevent this sort of attack, a new standard called Resource Public Key Infrastructure (RPKI) was created as a cryptographic solution to BGP hijacking. By enabling RPKI with a routing body such as ARIN or RIPE, a network can cryptographically certify that only routers under its control can advertise an AS number and its associated IP addresses.

A threat actor named 'Snow' breached the RIPE account of the ISP Orange Spain, modified the AS number associated with the company's IP addresses, and enabled an invalid RPKI configuration on them. They then tweeted at the company, telling it to contact them about getting new credentials. It is unclear whether they are demanding a ransom.

Security Officer Comments:
By announcing the IP addresses on someone else’s AS number and enabling RPKI, the threat actor essentially caused the IP addresses to no longer be announced properly on the Internet. This caused performance issues on Orange Spain’s network.
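To make the RPKI mechanism described above concrete (how a Route Origin Authorization decides whether an announcement is accepted, and why a ROA naming the wrong AS silently breaks the legitimate origin), here is an added Python example that is not part of the original bulletin or BleepingComputer's reporting. It implements the RFC 6811 origin-validation states over a list of ROAs; the prefixes and AS numbers are constructed placeholders (documentation ranges and private-use ASNs), not Orange Spain's real resources.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: `asn` may originate `prefix` and any
    more-specific prefix up to `max_length` bits."""
    prefix: str
    max_length: int
    asn: int


def rov_state(announced_prefix, origin_asn, roas):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'notfound'."""
    ann = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix, strict=False)
        # A ROA covers the announcement if its prefix contains it (same family).
        if net.version == ann.version and ann.subnet_of(net):
            covering.append(roa)
    if not covering:
        return "notfound"  # no ROA speaks to this prefix at all
    for roa in covering:
        # AS0 ROAs (RFC 6483) authorise nobody; otherwise both the origin ASN
        # and the announced prefix length must match the authorisation.
        if roa.asn != 0 and roa.asn == origin_asn and ann.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"  # covered, but no ROA matches: ROV-enforcing peers drop it


def accepted_routes(announcements, roas):
    """Announcements a network that drops RPKI-invalid routes would still keep."""
    return [(p, a) for p, a in announcements if rov_state(p, a, roas) != "invalid"]


# Constructed placeholders: documentation prefixes and private-use ASNs.
GOOD_ROAS = [ROA("203.0.113.0/24", 24, 64500)]
# What a tampered registry account could publish: the same prefix authorised
# for a different ASN, so the legitimate origin's announcement becomes invalid.
TAMPERED_ROAS = [ROA("203.0.113.0/24", 24, 64501)]
ANNOUNCEMENTS = [("203.0.113.0/24", 64500), ("198.51.100.0/24", 64500)]

if __name__ == "__main__":
    for label, roas in (("good", GOOD_ROAS), ("tampered", TAMPERED_ROAS)):
        for prefix, asn in ANNOUNCEMENTS:
            print(label, prefix, asn, rov_state(prefix, asn, roas))
    print("kept under tampered ROAs:", accepted_routes(ANNOUNCEMENTS, TAMPERED_ROAS))
```

Note that a prefix with no covering ROA is merely "notfound" and is still accepted, which is why a wrong ROA is worse for the victim than no ROA at all.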

Orange Spain has confirmed that its RIPE account was hacked and says it is working to restore services. The ISP says none of its clients' data is compromised, but navigation of some services is impacted.

While an investigation into how the threat actor gained access to the RIPE account is underway, it is believed Orange Spain did not have two-factor authentication enabled on the account. The threat actor provided a clue in a screenshot posted to Twitter that contained the hacked account's email address. Alon Gal of cybersecurity intelligence service Hudson Rock told BleepingComputer that this email and an associated password for the RIPE account were found in a list of accounts stolen by information-stealing malware.

"The Orange employee had their computer infected by a Raccoon type Infostealer on September 4th 2023, and among the corporate credentials identified on the machine, the employee had specific credentials to 'https://access.ripe.net' using the email address which was revealed by the threat actor (adminripe-ipnt@orange.es)," explains research from Hudson Rock. According to Gal, the password for the account was 'ripeadmin,' which is a very easy password for a critical account. The hacker, Snow, later confirmed Hudson Rock's findings, saying on Twitter that they found the account in public leaks of stolen data (Bleeping Computer, 2023). "For those wondering how I acquired access to the account in the first place, let me just say that the password security was very questionable," Snow posted on Twitter/X. "I was just looking into public leaks of bot data and came across the ripe account with the password 'ripeadmin' and no 2FA, No SE at all."

Suggested Corrections:
Information-stealing malware is commonly used by threat actors to steal credentials and post them for sale on cybercriminal marketplaces, where they can be purchased for data theft, cyber espionage, and ransomware attacks. Usernames and passwords alone are becoming increasingly less effective at stopping cyber attacks because of the many ways these credentials can be stolen. Multi-factor authentication has therefore become an essential part of access control and should be enabled wherever possible.