A major internet service disruption at Spanish telecommunications company Orange España was caused by a cyberattack that may not have occurred if the operator had used a stronger password.
On Wednesday, January 3rd, Orange users started complaining about having internet connection problems. The company confirmed a national outage on X, saying it had detected a widespread incident, which, “fortunately, has been detected very quickly, thanks in large part to all your comments and warnings.” The incident lasted for a few hours.
“The Orange account in the IP network coordination center (RIPE) has suffered improper access that has affected the browsing of some of our customers,” the company said.
However, the details of the cyberattack caught the attention of cybersecurity researchers, who could not overlook the possibility that weak password practices played a role.
A hacker on X with a newly created account named “Ms_Snow_OwO” posted screenshots, revealing how they hacked Orange’s RIPE NCC (Network Coordination Center) account using the password “ripeadmin.”
"I've fixed the security of your RIPE administrator account. Send me a message to get the new credentials," they said. “I was just looking into public leaks of bot data and came across the ripe account with the password “ripeadmin” and no 2FA, no SE (social engineering) at all.”
The hacker even shared a video detailing how he was able to access and compromise the network.
The unauthorized access to RIPE, which manages regional IP addresses in Europe, had the potential to compromise Orange’s entire network. However, for some reason, the hackers only blocked certain domain name systems, which kept the effects limited, El Pais reported. It’s unclear how Orange regained access to its systems.
Security researchers: “ridiculously weak” password to blame
Hudson Rock researchers investigated the email address that was used to access RIPE and identified that it is associated with the computer of an Orange Spain employee who was infected by an Infostealer earlier last year.
“Using the stolen account, the threat actor modified the AS number belonging to Orange’s IP address, resulting in major disruptions to Orange and a 50% loss in traffic,” researchers at Hudson Rock write.
The Orange employee had their computer infected by a Raccoon-type Infostealer on September 4th, 2023. Among the corporate credentials identified on the machine, the employee had specific credentials to “https://access.ripe.net” using the email address that was revealed by the threat actor ([email protected]), researchers noted.
“The password that was used on Orange’s RIPE administrator account was “ripeadmin” which is ridiculously weak,” the report reads. “This attack again illustrates how a single infostealer infection could be detrimental to any company. It is important to routinely check your organizational exposure to Infostealer infections, which are the top initial attack vector for threat actors to access corporate and customer accounts.”
Kevin Beaumont, author at Double Pulsar, noted that the two-step authentication was disabled, as RIPE doesn’t require it by default.
“Also, there is no sane password policy at RIPE – you can use borisjohnson as your password. In other words, it’s a powder keg,” Beaumont said.
Doug Madory, director of Internet Analysis at security firm Kentik, explains in his analysis that the attacker, after gaining access to the RIPE account, began tinkering with publishing and revoking ROAs (Route Origin Authorizations) for IP ranges belonging to the Spanish mobile operator. Fourteen minutes later, the attacker published three new ROAs with material impact. Later, they took further steps by creating ROAs with origins other than that of Orange until the traffic started to take a nosedive at about 3:20 pm local time.
Before 7 pm local time, engineers from Spain’s second-largest mobile operator regained control of their RIPE NCC account and began publishing new ROAs that would enable the carrier to restore service.
“Although the outage is over, there is still a lot of clean-up work to be done,” Madory said, noting that thousands of routes were still invalid.
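Why a ROA naming a different origin takes an operator's own routes offline, shown as an added example that is not from the article or from Kentik's analysis: a minimal RFC 6811 route origin validation check that an operator could run over its own announcements whenever its ROA set changes. The prefixes and AS numbers are constructed documentation values, not those involved in the incident.

```python
import ipaddress

# Constructed sample values: documentation prefixes and documentation AS numbers,
# not the prefixes or ASNs involved in the incident.
OPERATOR_AS = 64500
OTHER_AS = 64511

def rov_state(prefix, origin_as, roas):
    """Classify a route per RFC 6811: 'valid', 'invalid' or 'not-found'.

    roas: iterable of (roa_prefix, max_length, asn) tuples.
    """
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_length, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True  # some ROA covers this route
        if asn == origin_as and route.prefixlen <= max_length:
            return "valid"
    # Covered by a ROA but matched by none: ROV-enforcing networks drop it.
    return "invalid" if covered else "not-found"

def invalid_own_routes(announcements, roas):
    """Return the operator's announcements that the current ROA set invalidates."""
    return [(p, a) for p, a in announcements if rov_state(p, a, roas) == "invalid"]

# What the operator announces in BGP (constructed).
ANNOUNCEMENTS = [("192.0.2.0/24", OPERATOR_AS),
                 ("198.51.100.0/24", OPERATOR_AS),
                 ("203.0.113.0/24", OPERATOR_AS)]
# ROA set as the operator intended it.
ROAS_BEFORE = [("192.0.2.0/24", 24, OPERATOR_AS),
               ("198.51.100.0/24", 24, OPERATOR_AS)]
# ROA set after one ROA is reissued with an origin other than the operator's.
ROAS_AFTER = [("192.0.2.0/24", 24, OTHER_AS),
              ("198.51.100.0/24", 24, OPERATOR_AS)]

if __name__ == "__main__":
    for label, roas in (("before", ROAS_BEFORE), ("after", ROAS_AFTER)):
        for prefix, asn in ANNOUNCEMENTS:
            print(label, prefix, f"AS{asn}", rov_state(prefix, asn, roas))
        print(label, "alert on:", invalid_own_routes(ANNOUNCEMENTS, roas))
```

A prefix with no covering ROA stays "not-found" and is still accepted, which is why changing a ROA's origin does more damage than deleting the ROA.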