Mobile network operator Orange Spain suffered an internet outage for several hours on January 3 after a threat actor used administrator credentials captured by means of stealer malware to hijack the border gateway protocol (BGP) traffic.
“The Orange account in the IP network coordination center (RIPE) has suffered improper access that has affected the browsing of some of our customers,” the company said in a message posted on X (formerly Twitter).
However, the company emphasized no personal data was compromised and that the incident only affected some browsing services.
The threat actor, who goes by the name Ms_Snow_OwO on X, claimed to have gained access to Orange Spain’s RIPE account. RIPE is a regional Internet registry (RIR) that oversees the allocation and registration of IP addresses and autonomous system (AS) numbers in Europe, Central Asia, Russia, and West Asia.
“Using the stolen account, the threat actor modified the AS number belonging to Orange’s IP address, resulting in major disruptions to Orange and a 50% loss in traffic,” cybersecurity firm Hudson Rock said.
Further analysis has revealed that the email address of the admin account is associated with the computer of an Orange Spain employee who was infiltrated by Raccoon Stealer malware on September 4, 2023.
It’s currently not known how the stealer found its way to the employee’s system, but such malware families are typically propagated via malvertising or phishing scams.
“Among the corporate credentials identified on the machine, the employee had specific credentials to ‘https://access.ripe.net’ using the email address which was revealed by the threat actor (adminripe-ipnt@orange.es),” the company added.
Even worse, the password used to secure Orange’s RIPE administrator account was “ripeadmin,” which is both weak and easily predictable.
Security researcher Kevin Beaumont further noted that RIPE neither mandates two-factor authentication (2FA) nor enforces a strong password policy for its accounts, making it ripe for abuse.
“Currently, infostealer marketplaces are selling thousands of credentials to access.ripe.net — effectively allowing you to repeat this at organizations and ISPs across Europe,” Beaumont said.
RIPE, which is currently investigating to see if any other accounts have been affected in a similar manner, said it will directly reach out to affected account holders. It has also urged RIPE NCC Access account users to update their passwords and enable multi-factor authentication for their accounts.
“In the long term, we’re expediting the 2FA implementation to make it mandatory for all RIPE NCC Access accounts as soon as possible and to introduce a variety of verification mechanisms,” it added.
The incident serves to highlight the consequences of infostealer infections, necessitating that organizations take steps to secure their networks from known initial attack vectors.