Account compromise caused BGP routing failure at Orange Espagne

Brother

The compromise of an administrator account led to an almost four-hour outage at the second largest Spanish telecom operator, Orange Espagne, which serves 11 million subscribers. Orange Espagne's account for the RIPE NCC registrar interface used the predictable password "ripeadmin", and two-factor authentication was not enabled.

The RIPE password was intercepted when an employee's system was infected with malware, and it has been present in compromised-password databases sold on the black market since September. Notably, in addition to the Orange Espagne account, these databases contain thousands of other accounts for access.ripe.net, which could potentially be used to carry out similar attacks.

The incident remained undetected until January 2, when an attacker logged into the RIPE NCC web interface and made changes to the BGP and RPKI (Resource Public Key Infrastructure) settings, after which routing of approximately half of the operator's traffic was disrupted for almost four hours. As a result of the attackers' actions, RPKI, a technology designed to protect BGP announcements from forgery, was used to block legitimate announcements.

The attacker created several new RPKI ROA (Route Origin Authorization) records, among them records linking large blocks of Orange Espagne addresses to someone else's autonomous system, so that legitimate BGP announcements from the operator's autonomous system began to be blocked on the routers of many backbone operators. As a result, the number of BGP routes associated with Orange Espagne fell from 9200 to 7400, and traffic dropped by almost half.

RPKI (Resource Public Key Infrastructure) is used to authorize BGP announcements and makes it possible to determine whether a BGP announcement originates from the network owner or not. When RPKI is used for autonomous systems and IP addresses, a chain of trust is built from IANA to the regional registries (RIRs), and from there to service providers (LIRs) and end users, which allows third parties to verify that an operation on a resource was performed by its owner. Without such authorization, any operator can advertise a subnet with fictitious route-length information and draw part of the traffic of other systems that do not filter advertisements through itself.
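The mechanism described in the two paragraphs above, Route Origin Validation (RFC 6811) deciding Valid / Invalid / NotFound from a set of ROAs, is shown below as an added example; it is not code from the post, from RIPE NCC or from the operator. The ROA set, the operator AS 64500, the AS 64511 named in the rogue ROA and the documentation prefixes 192.0.2.0/24 and 198.51.100.0/24 are constructed assumptions. The example shows why a newly created ROA pointing an unsigned block at a foreign AS turns a previously accepted (NotFound) legitimate announcement into an Invalid one, and adds a defender-side audit that flags ROAs over one's own space that name an AS one does not own, which is the check that would have surfaced the change.

```python
"""Route Origin Validation (RFC 6811) over a small constructed ROA set.

Added example. ASNs 64500/64511 are from the private range and the prefixes
are documentation ranges; none of them are the operator's real resources.
"""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import Iterable, List, Optional, Set, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ROA:
    prefix: Network    # address block the ROA covers
    max_length: int    # longest announced prefix length the ROA authorises
    asn: int           # origin AS authorised to announce it


def make_roa(prefix: str, asn: int, max_length: Optional[int] = None) -> ROA:
    net = ip_network(prefix, strict=True)
    return ROA(net, net.prefixlen if max_length is None else max_length, asn)


def _covers(r: ROA, announced: Network) -> bool:
    # A ROA covers an announcement when the announced prefix lies inside its prefix.
    return announced.version == r.prefix.version and announced.subnet_of(r.prefix)


def _matches(r: ROA, announced: Network, origin_asn: int) -> bool:
    # Matching additionally requires the origin AS to agree and the announced
    # length not to exceed maxLength.
    return (_covers(r, announced)
            and announced.prefixlen <= r.max_length
            and r.asn == origin_asn)


def validate(announced_prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Return the RFC 6811 state of one announcement: 'Valid', 'Invalid' or 'NotFound'."""
    announced = ip_network(announced_prefix, strict=True)
    roas = list(roas)
    if not any(_covers(r, announced) for r in roas):
        return "NotFound"   # no ROA says anything about this prefix; routers usually accept
    if any(_matches(r, announced, origin_asn) for r in roas):
        return "Valid"
    return "Invalid"        # covered only by ROAs naming another AS or a shorter maxLength


def audit_roas(roas: Iterable[ROA], own_prefixes: Iterable[str], own_asns: Set[int]) -> List[ROA]:
    """Defender check: ROAs overlapping our address space that authorise an AS we do not own."""
    own = [ip_network(p, strict=True) for p in own_prefixes]
    return [r for r in roas
            if r.asn not in own_asns
            and any(p.version == r.prefix.version and r.prefix.overlaps(p) for p in own)]


OPERATOR_AS = 64500   # constructed: the legitimate operator's AS
ROGUE_AS = 64511      # constructed: AS named in the attacker-created ROA

# Constructed baseline: only the first block is covered by a ROA, the second has none.
BASELINE = [make_roa("192.0.2.0/24", OPERATOR_AS)]

# Constructed post-compromise state: a new ROA ties the uncovered block to another AS.
AFTER_COMPROMISE = BASELINE + [make_roa("198.51.100.0/24", ROGUE_AS)]

OWN_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24"]


def scenario() -> dict:
    """Validation state of the operator's own announcements before and after the change."""
    return {
        "covered_before": validate("192.0.2.0/24", OPERATOR_AS, BASELINE),
        "uncovered_before": validate("198.51.100.0/24", OPERATOR_AS, BASELINE),
        "uncovered_after": validate("198.51.100.0/24", OPERATOR_AS, AFTER_COMPROMISE),
        "flagged": audit_roas(AFTER_COMPROMISE, OWN_PREFIXES, {OPERATOR_AS}),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Routers that enforce ROV typically accept NotFound and drop Invalid, which is why the uncovered block is reachable before the rogue ROA exists and disappears afterwards; running `audit_roas` against the published ROA set on a schedule, alongside 2FA on the registry account, is the operational control this incident argues for.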