How 50% of telco Orange Spain’s traffic got hijacked — a weak password

How 50% of telco Orange Spain’s traffic got hijacked — a weak password

So here’s a funny story.

Earlier today, I noticed Orange Spain had an outage, caused by what appeared to be a BGP hijack:

https://medium.com/media/86149308c6838a9cbb08d6b650510bf2/href

This manifested to Orange Spain users as service unavailability, at scale. According to Cloudflare Radar, they saw a near 50% drop in traffic from Orange Spain customers:

So, how did it happen?

The threat actor accessed Orange’s RIPE account. RIPE look after internet IP addresses, basically the phone book of the internet. From their RIPE details, they were able to announce config which broke BGP routing — think the routing between networks which tell the network where to route the calls.

To administrator RIPE, you use a website called access.ripe.net. The threat actor posted themselves logged in to account adminripe-ipnt@orange.es:

The threat actor actually posted this screenshot themselves on social media to Orange, earlier today, while goading them.

You may notice two step authentication is disabled — RIPE don’t require it, and it isn’t enabled by default for new accounts either. Also, there is no sane password policy at RIPE — you can use borisjohnson as your password, in other words it is a powder keg.

The account in question has been on an info stealer since August last year, with the details resold onwards.

Source: Alon Gal of Hudson Rock

Great password, btw.

Currently, infostealer marketplaces are selling thousands of credentials to access.ripe.net — effectively allowing you to repeat this at organisations and ISPs across Europe.

To Orange Spain’s credit

They got on top of it, reverted the changes and got customers back online. They were also super transparent — after my Mastodon thread, they posted:

I don’t think this issue is unique to Orange. Well, I don’t think that — I know it isn’t, as credentials are alre

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from DoublePulsar – Medium

Read the original article: