
Orange Spain, Spain’s second-largest mobile operator, suffered a major outage on Wednesday after an unknown party obtained a “ridiculously weak” password and used it to access an account for managing the global routing table that controls which networks carry the company’s Internet traffic, researchers said.
The hijacking began at approximately 9:28 a.m. UTC (approximately 2:28 a.m. Pacific Time), when the user logged in to Orange’s RIPE NCC account with the password “ripeadmin” (minus quotation marks). The RIPE Network Coordination Centre is one of five regional Internet registries, responsible for managing and assigning IP addresses to Internet service providers, telecommunications organizations, and corporations that manage their own network infrastructure. RIPE serves 75 countries in Europe, the Middle East and Central Asia.
The password was revealed after the party, using the nickname Snow, posted an image on social media showing the orange.es email address associated with the RIPE account. RIPE said it was taking steps to secure the account.
Security firm Hudson Rock matched the email address against a database it maintains of credentials offered for sale on online marketplaces. In a post, the security firm said the “ridiculously weak” username and password had been harvested by information-stealing malware installed on an Orange computer since September. The credentials were then put up for sale on a marketplace for stolen login data.
Researcher Kevin Beaumont said thousands of credentials protecting other RIPE accounts can also be obtained in those markets.
Once logged in to Orange’s RIPE account, Snow made changes to the global routing table that the mobile operator relies on to specify which upstream providers can carry its traffic to other parts of the world. These tables are managed using the Border Gateway Protocol (BGP), which connects a regional network to the rest of the Internet. Specifically, Snow added several new ROAs, short for Route Origin Authorizations. These entries allow an “autonomous system” such as Orange’s AS12479 to declare which autonomous systems are authorized to originate (announce) its blocks of IP addresses; routers that validate announcements against RPKI use them to decide which routes to accept.
In the initial phase, the changes had no effect, because the ROAs Snow added simply declared that the IP addresses (93.117.88.0/22 and 93.117.88.0/21, and 149.74.0.0/16) originated from Orange’s AS12479, which they already did. A few minutes later, Snow added ROAs for five more routes. All of them also originated from Orange’s AS and, once again, had no effect on traffic, according to a detailed report of the event written by Doug Madory, a BGP security and networking expert at Kentik.
Creating the ROA for 149.74.0.0/16 was Snow’s first act that actually caused problems, because the ROA’s maximum prefix length was set to 16, which invalidated all the more-specific routes announced under it.
“It invalidated any route that was more specific (longer prefix) than 16,” Madory told Ars in an online interview. “Then, routes like 149.74.100.0/23 stopped being valid and started leaking. Then [Snow] created more ROAs to cover those routes. For what? I’m not sure. I think at first they were just playing. Prior to the creation of this ROA, there was no ROA that could be used to assert anything about this address range.”
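The maxLength effect Madory describes, as an added example that is not from the article, Kentik or RIPE: a minimal RPKI route origin validation check (the RFC 6811 rules) written in Python, replayed over the 149.74.0.0/16 ROA with maxLength 16 and the 149.74.100.0/23 route mentioned above. The three stages and the ROA sets are constructed from the article's description, not taken from RIPE's database.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # covered prefix, e.g. "149.74.0.0/16"
    max_length: int  # longest prefix length the ROA authorizes
    origin_as: int   # AS number authorized to originate the prefix


def covers(roa: ROA, route: str) -> bool:
    """RFC 6811: a ROA covers a route when the route lies inside the ROA prefix."""
    p, r = ipaddress.ip_network(roa.prefix), ipaddress.ip_network(route)
    return r.version == p.version and r.subnet_of(p)


def validate(roas, route: str, origin_as: int) -> str:
    """Classify a (prefix, origin AS) announcement as valid, invalid or not-found."""
    covering = [roa for roa in roas if covers(roa, route)]
    if not covering:
        return "not-found"          # no ROA speaks to this range: routers accept it
    plen = ipaddress.ip_network(route).prefixlen
    for roa in covering:
        # Valid only if some covering ROA names this origin AND permits this length.
        if roa.origin_as == origin_as and plen <= roa.max_length:
            return "valid"
    return "invalid"                # covered, but wrong origin or too specific: dropped


def replay_incident() -> dict:
    """Constructed replay of the three stages for the /23 route Madory mentions."""
    route, origin = "149.74.100.0/23", 12479
    roa16 = ROA("149.74.0.0/16", 16, 12479)       # the ROA that broke the /23
    stages = {
        "before_any_roa": [],
        "roa_/16_maxlen_16": [roa16],
        "after_covering_/23_roa": [roa16, ROA("149.74.100.0/23", 23, 12479)],
    }
    return {name: validate(roas, route, origin) for name, roas in stages.items()}


if __name__ == "__main__":
    for stage, state in replay_incident().items():
        print(f"{stage:>24}: 149.74.100.0/23 from AS12479 is {state}")
```

A maxLength of 24 on the /16 ROA would have kept the /23 valid; this is why operators are advised to set maxLength no longer than the most specific prefix they actually announce.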