Hacker hijacked Orange Spain's RIPE account and wreaked havoc in BGP

The hacker changed the routing of Internet traffic in Europe.

A hacker attack on the Spanish telecommunications operator Orange Spain disrupted the company's Internet connectivity. The attacker broke into the company's account at RIPE (Réseaux IP Européens Network Coordination Centre) and used it to tamper with the operator's BGP (Border Gateway Protocol) and RPKI (Resource Public Key Infrastructure) configuration.

BGP is responsible for routing traffic on the Internet: it lets organizations associate their IP address ranges with an autonomous system (AS) number and announce them to other routers. The protocol, however, is built on trust, so if someone announces IP ranges that normally belong to a different AS number, traffic destined for those ranges can be redirected to malicious sites or networks.

The RPKI standard was created to counter such attacks and serves as a cryptographic defence against BGP hijacking. With RPKI, networks can cryptographically verify that only the AS number authorized by the address holder may announce the associated IP address ranges.

A hacker known as "Snow" broke into Orange Spain's RIPE account, changed the AS number associated with the company's IP addresses, and also enabled an invalid RPKI configuration. As a result, the IP addresses were no longer properly advertised on the Internet, disrupting the Orange Spain network from 14:45 to 16:15 UTC.
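An added example, not code from the article or from Orange or RIPE, of the route origin validation an RPKI-validating router performs (RFC 6811). It shows why a ROA rewritten to name the wrong AS number turns the operator's own announcements "invalid" and gets them dropped. The prefix and AS numbers are constructed placeholders (a documentation prefix and private-use ASNs), not Orange Spain's.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: who may originate a prefix, and how specific."""
    prefix: str        # covered prefix, e.g. "192.0.2.0/24"
    max_length: int    # longest prefix length the ROA authorises
    origin_as: int     # AS number authorised to originate the prefix


def roa_covers(roa: ROA, announced) -> bool:
    """A ROA covers an announcement if the announced prefix lies inside the ROA prefix."""
    roa_net = ipaddress.ip_network(roa.prefix)
    # subnet_of() raises on mixed address families, so check the version first
    return roa_net.version == announced.version and announced.subnet_of(roa_net)


def validate_origin(announced_prefix: str, origin_as: int, roas: List[ROA]) -> str:
    """RFC 6811 origin validation state: 'valid', 'invalid' or 'not-found'."""
    announced = ipaddress.ip_network(announced_prefix, strict=False)
    covering = [r for r in roas if roa_covers(r, announced)]
    if not covering:
        return "not-found"          # no ROA covers it: RPKI says nothing
    for r in covering:
        if r.origin_as == origin_as and announced.prefixlen <= r.max_length:
            return "valid"          # at least one covering ROA matches AS and length
    return "invalid"                # covered, but no ROA authorises this origin/length


# Constructed values: documentation prefix and private-use AS numbers.
PREFIX = "192.0.2.0/24"   # stands in for the operator's address space
LEGIT_AS = 64500          # the operator's real origin AS
WRONG_AS = 64501          # AS number written into the ROA by an intruder


def before_and_after_tampering():
    """Same announcement, judged against the correct ROA and a tampered one."""
    correct_roa = [ROA(PREFIX, 24, LEGIT_AS)]
    tampered_roa = [ROA(PREFIX, 24, WRONG_AS)]
    return (validate_origin(PREFIX, LEGIT_AS, correct_roa),    # 'valid'
            validate_origin(PREFIX, LEGIT_AS, tampered_roa))   # 'invalid'


if __name__ == "__main__":
    print(before_and_after_tampering())
```

An "invalid" verdict is exactly what a router enforcing "drop invalid" acts on, which is how a bad ROA takes an operator's own prefixes off the Internet.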

Orange Spain confirmed that its RIPE account had been compromised and began restoring services. The company assured customers that their data had not been compromised and that the outage only affected browsing on some services.

Although Orange Spain did not disclose how its RIPE account was compromised, it is believed that the account lacked two-factor authentication. The Raccoon Stealer infostealer is pointed to as the likely source of the credential leak: according to the information security company Hudson Rock, the RIPE account's email address and password appeared in a list of accounts stolen by that malware.

On September 4, 2023, an Orange employee's computer was infected with Raccoon Stealer. Among the corporate credentials harvested from the machine were those for "https://access.ripe.net": the email address adminripe-ipnt@orange[.]es and the password "ripeadmin", which is far too simple and weak for such an important account.

The incident highlights the importance of enabling two-factor or multi-factor authentication on all accounts, so that even if credentials are stolen, attackers still cannot log in.