A weak password exposed by infostealer malware is being blamed after a massive outage at Orange Spain disrupted around half of its network's traffic.
The network provider, Spain's second most popular, confirmed on Wednesday evening that its RIPE account had been breached by an attacker.
RIPE is the regional Internet registry whose database records all IP addresses and their holders in Europe, the Middle East, and Central Asia.
Researchers used the information in the shared images to determine that the RIPE account had been accessed after the attacker harvested admin credentials using infostealer malware, which had compromised the account of an Orange Spain employee.
Infosec specialist Kevin Beaumont also noted that RIPE does not mandate 2FA or MFA use, and it wasn't enabled at Orange Spain, whereas North America's equivalent database, ARIN, has mandated it since February 2023.
Following the RIPE account breach, the attacker, referred to as Snow, then appears to have hijacked the network provider's Border Gateway Protocol (BGP) traffic, which led to the service outage experienced by customers.
The attacker modified the autonomous system number (ASN) associated with Orange Spain's IP address and changed the route origin authorizations (ROAs), cryptographically signed objects that let other networks verify that an announced BGP route comes from the correct origin AS, which in turn broke the network's BGP routing.
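To make the ROA mechanism concrete, the following is an added example (written for this page, not Orange Spain's or RIPE's code) that implements route origin validation as described in RFC 6811 and then shows what happens to an operator's own, unchanged BGP announcement once the origin ASN in its ROA is rewritten. The prefix `203.0.113.0/24` and the ASNs 64500 and 64511 are constructed from documentation ranges and are not Orange Spain's real resources.

```python
"""Route Origin Validation (RFC 6811), as an added illustration.

Example code written for this page, not Orange's or RIPE's software.
Prefix and ASNs are constructed from documentation ranges (RFC 5737 / RFC 5398).
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: which AS may originate a prefix, and how specific."""
    prefix: str        # covered prefix, e.g. "203.0.113.0/24"
    max_length: int    # longest prefix length the origin AS may announce under this ROA
    origin_asn: int    # the authorized origin AS


def rov_state(announced_prefix: str, origin_asn: int, roas: list[ROA]) -> str:
    """Classify one BGP announcement (prefix + origin AS) against a set of ROAs.

    "unknown": no ROA covers the announced prefix.
    "valid":   a covering ROA names this origin AS and permits this prefix length.
    "invalid": at least one ROA covers the prefix but none matches the announcement.
    """
    net = ip_network(announced_prefix, strict=True)
    covering = []
    for roa in roas:
        roa_net = ip_network(roa.prefix, strict=True)
        # subnet_of() only compares networks of the same IP version
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "unknown"
    for roa in covering:
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def simulate_roa_tampering() -> dict:
    """Show how rewriting the origin ASN in a ROA breaks the legitimate route.

    The operator keeps announcing the same prefix from the same AS; only the
    registry-side ROA changes. Values are constructed, not Orange Spain's.
    """
    prefix = "203.0.113.0/24"
    legit_asn = 64500    # constructed: the operator's own AS
    rogue_asn = 64511    # constructed: ASN an attacker writes into the ROA
    announcement = (prefix, legit_asn)  # the operator's unchanged BGP announcement

    roas_before = [ROA(prefix, 24, legit_asn)]  # correct ROA published by the operator
    roas_after = [ROA(prefix, 24, rogue_asn)]   # same ROA after the origin ASN is rewritten

    return {
        "before": rov_state(*announcement, roas_before),  # "valid"
        "after": rov_state(*announcement, roas_after),    # "invalid": ROV-enforcing peers drop it
        "no_roa": rov_state(*announcement, []),           # "unknown": no ROA at all
    }


if __name__ == "__main__":
    for phase, state in simulate_roa_tampering().items():
        print(f"{phase:>7}: {state}")
```

The point the simulation makes is that the operator's routers never change anything: the same announcement that was `valid` becomes `invalid` purely because the signed ROA in the registry now names a different origin AS, and peers that enforce route origin validation then reject the route, which is how a registry-account compromise turns into a traffic outage. The `no_roa` case shows why an account holder who never published ROAs would see `unknown` rather than `invalid`, which is also why attackers with registry access can cause damage by creating ROAs where none existed before.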
Orange Spain confirmed its RIPE account was breached via its X account, adding that service was restored shortly after acknowledging the outage.
There is no evidence to suggest any customer or client data was compromised during the incident, and the disruption was to its services only, Orange added.
Beaumont said he has seen credentials for thousands of different RIPE accounts on infostealer marketplaces, and expects a wave of similar attacks now that the incident at Orange Spain has been publicized.
This Cyber News was published on go.theregister.com. Publication date: Thu, 04 Jan 2024 13:43:05 +0000