How 50% of telco Orange Spain’s traffic got hijacked^H^H^H^H^H^Hnull routed — a weak password

Kevin Beaumont
DoublePulsar


So here’s a funny story.

Earlier today, I noticed Orange Spain had an outage, caused by what appeared to be a BGP hijack:

This manifested to Orange Spain users as service unavailability, at scale. According to Cloudflare Radar, they saw a near 50% drop in traffic from Orange Spain customers:

So, how did it happen?

The threat actor accessed Orange’s RIPE account. RIPE looks after internet IP addresses, basically the phone book of the internet. With access to Orange’s RIPE details, they were able to publish configuration which broke BGP routing — think of the routing between networks that tells each network where to send traffic.

To administer your RIPE resources, you use a website called access.ripe.net. The threat actor posted a screenshot of themselves logged in to the account adminripe-ipnt@orange.es:

The threat actor actually posted this screenshot themselves on social media, tagging Orange, earlier today, while goading them.

You may notice two-step authentication is disabled — RIPE don’t require it, and it isn’t enabled by default for new accounts either. Also, there is no sane password policy at RIPE — you can use borisjohnson as your password. In other words, it is a powder keg.

The account in question has been in infostealer logs since August last year, with the details resold onwards.

Source: Alon Gal of Hudson Rock

Great password, btw.

Currently, infostealer marketplaces are selling thousands of credentials for access.ripe.net — effectively allowing anyone to repeat this at organisations and ISPs across Europe.

To Orange Spain’s credit

They got on top of it, reverted the changes and got customers back online. They were also super transparent — after my Mastodon thread, they posted:

I don’t think this issue is unique to Orange. Well, I don’t think that — I know it isn’t, as credentials are already everywhere.

Some lessons

  • Ask your network admins to enable two-step verification in their RIPE account settings page.
  • RIPE need to mandate MFA for all users at all times. ARIN did this in February 2023.
  • I expect we may see a wave of downtime of networks now, as the cat is bagless.
  • The internet is made of string.
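Enabling MFA stops the login; it doesn’t tell you whether somebody has already used a stolen credential to change your objects. A cheap detective control is to snapshot your own route/route6 objects from the RIPE Database and alert on any difference from the last known-good copy. The script below is an added example, not code from the original post or from RIPE; the JSON layout is my reading of the RIPE Database REST API search response (https://rest.db.ripe.net/search.json) and should be checked against the live API, and AS64500, EXAMPLE-MNT, ATTACKER-MNT and the 192.0.2.0/198.51.100.0 prefixes are constructed placeholder values, not Orange’s.

```python
"""
Added example (not from the original post): detect unexpected changes to an
organisation's route/route6 objects in the RIPE Database by diffing snapshots.

Assumptions (not from the post):
  - The JSON below mirrors the RIPE Database REST API search response as I
    understand it; verify field names against the live API before relying on it.
  - AS64500, the maintainer names and the prefixes are constructed placeholders.
"""
import json
from dataclasses import dataclass

# Constructed sample: "known good" snapshot of route objects originated by AS64500.
KNOWN_GOOD_JSON = json.dumps({"objects": {"object": [
    {"type": "route", "attributes": {"attribute": [
        {"name": "route", "value": "192.0.2.0/24"},
        {"name": "origin", "value": "AS64500"},
        {"name": "mnt-by", "value": "EXAMPLE-MNT"}]}},
    {"type": "route", "attributes": {"attribute": [
        {"name": "route", "value": "198.51.100.0/24"},
        {"name": "origin", "value": "AS64500"},
        {"name": "mnt-by", "value": "EXAMPLE-MNT"}]}},
]}})

# Constructed sample: a later snapshot in which someone holding the account has
# deleted one object, re-pointed another at a different maintainer, and added a
# more-specific /25 that never existed in the known-good copy.
TAMPERED_JSON = json.dumps({"objects": {"object": [
    {"type": "route", "attributes": {"attribute": [
        {"name": "route", "value": "192.0.2.0/24"},
        {"name": "origin", "value": "AS64500"},
        {"name": "mnt-by", "value": "ATTACKER-MNT"}]}},
    {"type": "route", "attributes": {"attribute": [
        {"name": "route", "value": "192.0.2.0/25"},
        {"name": "origin", "value": "AS64500"},
        {"name": "mnt-by", "value": "ATTACKER-MNT"}]}},
]}})


@dataclass(frozen=True)
class RouteObject:
    prefix: str
    origin: str
    mnt_by: str


def parse_route_objects(search_json: str) -> dict[str, RouteObject]:
    """Return {prefix: RouteObject} for every route/route6 object in a search response."""
    data = json.loads(search_json)
    out: dict[str, RouteObject] = {}
    for obj in data.get("objects", {}).get("object", []):
        if obj.get("type") not in ("route", "route6"):
            continue
        attrs: dict[str, str] = {}
        for a in obj["attributes"]["attribute"]:
            attrs.setdefault(a["name"], a["value"])  # first value wins; mnt-by may repeat
        prefix = attrs.get("route") or attrs.get("route6")
        if prefix:
            out[prefix] = RouteObject(prefix, attrs.get("origin", ""), attrs.get("mnt-by", ""))
    return out


def diff_snapshots(known_good: dict[str, RouteObject],
                   current: dict[str, RouteObject]) -> dict[str, list[str]]:
    """Classify every prefix as added, removed or changed relative to the known-good set."""
    before, after = set(known_good), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "changed": sorted(p for p in before & after if known_good[p] != current[p]),
    }


def alerts(diff: dict[str, list[str]]) -> list[str]:
    """One human-readable alert line per deviation; empty list means nothing to do."""
    lines = []
    lines += [f"ADDED   {p}: not in known-good snapshot" for p in diff["added"]]
    lines += [f"REMOVED {p}: object deleted" for p in diff["removed"]]
    lines += [f"CHANGED {p}: origin or mnt-by differs from known-good" for p in diff["changed"]]
    return lines


if __name__ == "__main__":
    # In production, fetch the live snapshot instead of TAMPERED_JSON, e.g. (assumed URL shape):
    #   https://rest.db.ripe.net/search.json?query-string=AS64500&inverse-attribute=origin&type-filter=route,route6
    report = diff_snapshots(parse_route_objects(KNOWN_GOOD_JSON), parse_route_objects(TAMPERED_JSON))
    for line in alerts(report):
        print(line)
```

Run it on a schedule, feed the alert lines into whatever pages your NOC, and rotate the known-good snapshot only after a human confirms the change was intended.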

~g

Follow me on Mastodon for more insanity as it happens. Or don’t, I don’t care.

Update 4th January 2023: RIPE are investigating:

Update: RIPE email statement: “We are currently investigating how we can change our roadmaps to make two-step verification mandatory for all RIPE NCC Access accounts as soon as possible and, in the longer term, offer a wider variety of verification mechanisms.”

Update 9th January 2023: Amended title to null routed due to feedback from Doug Madory. I wanted BGP Hilarity’d, myself.
