How 50% of telco Orange Spain's traffic got null routed — a weak password

Kevin Beaumont, January 2024, DoublePulsar

So here's a funny story.

Earlier today I noticed Orange Spain had an outage caused by what appeared to be a BGP hijack.

This manifested to Orange Spain users as service unavailability at scale. According to Cloudflare Radar, they saw a near 50% drop in traffic from Orange Spain customers.

The threat actor accessed Orange's RIPE account. RIPE look after internet IP addresses, basically the phone book of the internet. From their RIPE details, they were able to announce config which broke BGP routing — think of the routing between networks which tells the network where to route the calls.

To administer RIPE you use a website called access.ripe.net. The threat actor posted themselves logged in to the account adminripe-ipnt@orange.es.

The threat actor actually posted this screenshot themselves on social media to Orange earlier today while goading them.

You may notice two-step authentication is disabled — RIPE don't require it, and it isn't enabled by default for new accounts either. Also there is no sane password policy at RIPE — you can use "borisjohnson" as your password. In other words, it is a powder keg.

The account in question has been on an info stealer since August last year, with the details resold onwards.

Great password btw.

Currently infostealer marketplaces are selling thousands of credentials to access.ripe.net — effectively allowing you to repeat this at organisations and ISPs across Europe.

They got on top of it, reverted the changes and got customers back online. They were also super transparent — after my Mastodon thread they posted.

I don't think this issue is unique to Orange. Well, I don't think that — I know it isn't, as credentials are already everywhere.

Follow me on Mastodon for more insanity as it happens. Or don't, I don't care. cyberplace.social

Update 4th January 2023: RIPE are investigating. www.ripe.net

Update: RIPE email statement: "We are currently investigating how we can change our roadmaps to make two-step verification mandatory for all RIPE NCC Access accounts as soon as possible and in the longer term offer a wider variety of verification mechanisms."

Update 9th January 2023: Amended title to "null routed" due to feedback from Doug Madory. I wanted BGP Hilarity'd myself.

DoublePulsar. Everything here is my personal work and opinions.
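The post describes the effect from the outside: prefixes that Orange was supposed to originate stopped carrying traffic after someone changed their registry details. The earliest signal a network operator gets for that class of incident is an unexpected BGP announcement or withdrawal of its own prefixes as seen by public route collectors. The script below is an added example, not code from the post or from Orange or RIPE: it takes a baseline of expected prefix-to-origin-AS pairs and a feed of observed updates (a constructed line format and constructed sample data using documentation prefixes and private ASNs, not real routing data) and flags the three patterns that divert or drop traffic: an unexpected origin for an exact prefix, a more-specific prefix from an unexpected origin, and a withdrawal of an expected prefix. The helper names (`parse_line`, `classify`, `scan_feed`) are mine.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Update:
    """One BGP update as seen by a route collector (simplified shape, this example's own)."""
    kind: str                  # "A" = announcement, "W" = withdrawal
    prefix: str                # e.g. "203.0.113.0/24"
    as_path: Tuple[int, ...]   # AS path as observed; the last ASN is the origin

    @property
    def origin(self) -> Optional[int]:
        return self.as_path[-1] if self.as_path else None


@dataclass(frozen=True)
class Alert:
    prefix: str            # the prefix that was announced or withdrawn
    reason: str            # what looks wrong
    origin: Optional[int]  # origin ASN seen on the wire (None for withdrawals)
    covers: str            # the expected prefix this update affects


def parse_line(line: str) -> Update:
    """Parse 'A|prefix|as path' or 'W|prefix|' (a constructed format for this example)."""
    kind, prefix, path = line.strip().split("|")
    if kind not in ("A", "W"):
        raise ValueError(f"unknown update kind {kind!r}")
    ipaddress.ip_network(prefix)  # validate early; raises on garbage
    as_path = tuple(int(a) for a in path.split()) if path else ()
    return Update(kind, prefix, as_path)


# Constructed baseline: a hypothetical operator (AS 64500, private ASN range)
# and the documentation prefixes it is supposed to originate.
EXPECTED_ORIGINS: Dict[str, int] = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64500,
}

# Constructed sample feed. Lines 2 and 3 are what a hostile or mistaken
# announcement looks like from outside; line 4 is the prefix vanishing.
SAMPLE_FEED = """\
A|203.0.113.0/24|64501 64500
A|203.0.113.0/25|64502 64666
A|198.51.100.0/24|64502 64666
W|198.51.100.0/24|
A|192.0.2.0/24|64501 64777
"""


def classify(update: Update, expected: Dict[str, int] = EXPECTED_ORIGINS) -> List[Alert]:
    """Return the alerts one update raises against the expected-origin baseline."""
    alerts: List[Alert] = []
    seen = ipaddress.ip_network(update.prefix)
    for prefix, asn in expected.items():
        known = ipaddress.ip_network(prefix)
        if known.version != seen.version:
            continue
        if seen == known:
            if update.kind == "W":
                # The exact prefix leaving the table: traffic has nowhere to go.
                alerts.append(Alert(update.prefix, "withdrawn", None, prefix))
            elif update.origin != asn:
                alerts.append(Alert(update.prefix, "unexpected_origin", update.origin, prefix))
        elif seen.subnet_of(known) and update.kind == "A" and update.origin != asn:
            # A more-specific wins longest-prefix match, so it diverts traffic
            # even while the legitimate covering prefix is still announced.
            alerts.append(Alert(update.prefix, "more_specific_unexpected_origin",
                                update.origin, prefix))
    return alerts


def scan_feed(feed: str, expected: Dict[str, int] = EXPECTED_ORIGINS) -> List[Alert]:
    """Run classify() over every non-empty line of a feed, preserving order."""
    alerts: List[Alert] = []
    for line in feed.splitlines():
        if line.strip():
            alerts.extend(classify(parse_line(line), expected))
    return alerts


if __name__ == "__main__":
    for a in scan_feed(SAMPLE_FEED):
        print(f"{a.reason:32} {a.prefix:18} origin={a.origin} affects={a.covers}")
```

In practice the baseline would come from the operator's own route objects and ROAs and the feed from a route-collector API or a live BGP session; the point of the example is that a registry-level change is visible on the wire within minutes, long before a traffic graph shows a 50% drop, provided someone is comparing announcements against what the operator intends to originate.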