In a recent cybersecurity incident, Orange Spain faced a significant internet outage on January 3, 2024. A threat actor, going by the name ‘Snow,’ exploited vulnerabilities in the company’s RIPE account. The Orange Spain outage resulted in the misconfiguration of Border Gateway Protocol (BGP) routing and the implementation of an invalid Resource Public Key Infrastructure (RPKI) configuration.
The internet’s traffic routing relies on Border Gateway Protocol (BGP), allowing organizations to associate their IP addresses with autonomous system (AS) numbers. These associations are then advertised to connected routers, known as peers, forming a routing table. This table guides the optimal route for directing traffic to specific IP addresses.
However, malicious actors can exploit BGP’s trust-based structure. By falsely announcing IP ranges associated with another AS number, they can redirect traffic to malicious destinations. Cloudflare notes that BGP relies on trust, updating the routing table based on the shortest and most specific route provided by advertisers.
To counter BGP hijacking, a cryptographic solution called Resource Public Key Infrastructure (RPKI) was introduced. RPKI associates BGP route announcements with the correct originating AS number. Enabling RPKI with a routing body like ARIN or RIPE allows a network to cryptographically certify that only routers under their control can advertise an AS number and its associated IP addresses.
The Orange Spain service disruption unfolded when the threat actor ‘Snow’ compromised Orange Spain’s RIPE account. After breaching the account, Snow modified the AS number associated with the company’s IP addresses and enabled an invalid RPKI configuration. By creating false Route Origin Authorization (ROA) records, Snow indicated that a different AS number (AS49581) should announce Orange Spain’s IP address prefixes. Activating RPKI on these false records disrupted proper internet announcements. This resulted in noticeable Orange Spain network issues.
Acknowledging the BGP routing incident, Orange Spain took swift action to restore services and confirmed the unauthorized access to its RIPE account. In a tweet, the company assured users that no client data was compromised as a result of the internet service provider outage, emphasizing the impact on service navigation only.
The method through which the threat actor breached the RIPE account remains uncertain. Felipe Cañizares, CTO of DMNTR Network Solutions, speculated that Orange Spain might not have implemented two-factor authentication on the account.
While Orange Spain did not disclose the specifics of the telecom network outage, cybersecurity intelligence revealed that the threat actor cyber attack, Snow, obtained the account credentials through information-stealing malware. Hudson Rock’s research traced the compromise back to an infected computer on September 4th, 2023. The compromised credentials, including the email address ([email protected]) and the password (‘ripeadmin’), were found in a list of accounts stolen by the malware.
Snow later confirmed the ease with which they accessed the account, highlighting the questionable password security. In a post on Twitter/X, Snow mentioned finding the credentials in public leaks of stolen data, emphasizing the absence of two-factor authentication. When asked about their motivation, the hacker claimed to have done it for the “lulz” or laughs.
In response to the Orange Spain outage, RIPE conducted an investigation, restored Orange’s account, and urged users to enable multi-factor authentication. RIPE emphasized the importance of updating passwords and enabling additional security measures, reinforcing the need for a multi-layered defense against cyber threats.
In light of such incidents, it becomes imperative for all accounts, especially those with critical access like RIPE accounts, to have multi-factor authentication enabled. This additional layer of security ensures that even if credentials are compromised, unauthorized access becomes significantly more challenging for threat actors.
The Orange Spain outage highlights the vulnerability of critical internet infrastructure and the importance of proactive cybersecurity measures. Threat actors often exploit stolen credentials to gain initial access to corporate networks, leading to various cyber threats, including data theft, espionage, and ransomware attacks.
Implementing robust cybersecurity in telecommunications, such as RPKI and multi-factor authentication, is crucial in safeguarding against potential threats ensuring the resilience and continuity of online services.
The sources for this piece include articles in The Hacker News and Bleeping Computer.
The post Orange Spain Outage: BGP Traffic Hijacked by Threat Actor appeared first on TuxCare.
*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/orange-spain-outage/