Orange Spain suffered an internet outage today after a hacker breached the company's RIPE account to misconfigure BGP routing and an RPKI configuration.
The routing of traffic on the internet is handled by Border Gateway Protocol (BGP), which allows organizations to associate their IP addresses with autonomous system (AS) numbers and advertise them to other routers they are connected to, known as their peers.
These BGP advertisements create a routing table that propagates to all other edge routers on the internet, allowing networks to know the best route to send traffic to a particular IP address.
When a rogue network announces IP ranges usually associated with another AS number, it is possible to hijack those IP ranges to redirect traffic to malicious websites or networks.
According to Cloudflare, this is possible because BGP is built on trust and the routing table will be updated based on which advertiser has the shortest and most specific route.
To prevent this, a new standard called Resource Public Key Infrastructure (RPKI) was created that acts as a cryptographic solution to BGP hijacking.
Yesterday, a threat actor named 'Snow' breached the RIPE account of Orange Spain and tweeted to Orange Spain to contact them about getting new credentials.
The attacker modified the AS number associated with the company's IP addresses, and enabled an invalid RPKI configuration on them.
Announcing the IP addresses on someone else's AS number and then enabling RPKI effectively caused these IP addresses to no longer be announced properly on the internet.
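The effect described above follows from the route origin validation procedure in RFC 6811, which RPKI-validating networks apply to every announcement they receive. The sketch below is an added example, not part of the original article: the prefix 203.0.113.0/24 and AS64500 are constructed documentation values, and modeling the tampered configuration as a ROA (route origin authorization) that names a different origin AS is an assumption.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str      # address block the ROA covers
    max_length: int  # longest prefix length the origin may announce
    asn: int         # AS authorized to originate the block

def validate_origin(prefix: str, origin_asn: int, roas: list) -> str:
    """Classify a BGP announcement as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        block = ipaddress.ip_network(roa.prefix)
        if route.version != block.version or not route.subnet_of(block):
            continue  # this ROA says nothing about the route
        covered = True
        # AS0 in a ROA means "nobody may originate this", so it never matches.
        if roa.asn == origin_asn and roa.asn != 0 and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by at least one ROA but matched by none: validating routers drop it.
    return "invalid" if covered else "not-found"

# Constructed sample data: 203.0.113.0/24 and AS64500 are documentation values;
# AS12479 is the Orange Spain AS named in the article.
ANNOUNCEMENT = ("203.0.113.0/24", 12479)
SCENARIOS = {
    "no ROA published": [],
    "ROA names the real origin": [ROA("203.0.113.0/24", 24, 12479)],
    "ROA changed to another AS": [ROA("203.0.113.0/24", 24, 64500)],  # assumed tampering
}

def scenario_states() -> dict:
    """Validation state of the same, unchanged announcement under each ROA set."""
    return {name: validate_origin(*ANNOUNCEMENT, roas) for name, roas in SCENARIOS.items()}

if __name__ == "__main__":
    for name, state in scenario_states().items():
        print(f"{name:28} -> {state}")
```

The announcement itself is identical in all three scenarios; only the registry data changes. Monitoring the validation state of your own prefixes therefore surfaces this kind of registry account tampering.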
This led to a performance issue on Orange Spain's network between 14:45 and 16:15 UTC, which can be seen in the Cloudflare traffic graph below for AS12479.
Orange Spain has since confirmed that their RIPE account was hacked and has begun to restore services.
While it is unclear how the threat actor breached their RIPE account, Cañizares told BleepingComputer that he believes Orange Spain did not enable two-factor authentication on the account.
Cañizares has created a thread on X summarizing how this attack took place.
BleepingComputer contacted Orange Spain with questions about the attack but has not received a reply at this time.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 03 Jan 2024 19:45:16 +0000