In a recent incident (on 3rd January), Orange Spain suffered a significant internet outage after a cyberattack that targeted the company’s RIPE account. The threat actor, identified as ‘Snow,’ used the compromised account to misconfigure Border Gateway Protocol (BGP) routing and Resource Public Key Infrastructure (RPKI) settings, illustrating the need for robust cybersecurity measures.
Understanding BGP and RPKI
The backbone of internet traffic routing is the Border Gateway Protocol (BGP), which lets organizations associate their IP address ranges with autonomous system (AS) numbers and exchange reachability information with other routers, or peers. When a malicious entity manipulates BGP advertisements by associating IP ranges with an unauthorized AS number, it can redirect traffic to potentially harmful destinations. BGP relies on trust between peers: routers accept what they are told, and the most specific route (and, among equally specific routes, the shortest path) wins in the routing table.
To mitigate such risks, the industry introduced Resource Public Key Infrastructure (RPKI), a cryptographic framework for verifying the origin of BGP route announcements. RPKI ensures that only the AS numbers authorized by the holder of an IP range can announce that range, so routers can reject announcements from anyone else, bolstering security against BGP hijacking.
Hacker Exploits RIPE Account
In this instance, the threat actor ‘Snow’ targeted Orange Spain by breaching its RIPE account. The attacker modified the AS number associated with the company’s IP addresses and published an invalid RPKI configuration. By associating the IP addresses with an unauthorized AS number and enabling this faulty RPKI configuration, the attacker disrupted the proper announcement of these IP addresses on the internet, causing a performance issue on Orange Spain’s network for almost 2 hours.
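As an added example (not code from the original post or from RELIANOID), the following Python shows the route origin validation logic that makes an RPKI misconfiguration like this one disruptive: routers that enforce RPKI drop announcements whose covering ROA names a different origin AS, so a ROA rewritten to the wrong AS takes the legitimate route off the internet. The prefix, AS numbers and ROAs are constructed values from the documentation and private ranges; the preflight check at the end is the sanity test a network operator would want before publishing ROAs.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorisation: which AS may originate a prefix."""
    prefix: str       # covering prefix, e.g. "203.0.113.0/24"
    max_length: int   # longest prefix length the ROA authorises
    origin_as: int    # AS number allowed to originate the prefix


def validate_origin(prefix: str, origin_as: int, roas: list) -> str:
    """Route Origin Validation (RFC 6811): 'Valid', 'Invalid' or 'NotFound'."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NotFound"        # no ROA covers the prefix: nothing to check
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "Valid"       # at least one covering ROA matches
    return "Invalid"             # covered, but origin AS or length disagrees


def routes_dropped_by_rov(announcements, roas):
    """Per announcement: would a router that rejects 'Invalid' routes drop it?"""
    return {p: validate_origin(p, asn, roas) == "Invalid" for p, asn in announcements}


def preflight_roas(announcements, roas):
    """Operator check: list our own announcements a ROA set would invalidate."""
    return [p for p, asn in announcements if validate_origin(p, asn, roas) == "Invalid"]


# Constructed example values (documentation prefix and private AS numbers).
OUR_AS = 64500
OUR_ANNOUNCEMENTS = [("203.0.113.0/24", OUR_AS), ("203.0.113.0/25", OUR_AS)]
CORRECT_ROAS = [ROA("203.0.113.0/24", 25, OUR_AS)]
# The same ROA rewritten to name another AS, as in the incident described above.
TAMPERED_ROAS = [ROA("203.0.113.0/24", 25, 64501)]

if __name__ == "__main__":
    print(routes_dropped_by_rov(OUR_ANNOUNCEMENTS, CORRECT_ROAS))   # nothing dropped
    print(routes_dropped_by_rov(OUR_ANNOUNCEMENTS, TAMPERED_ROAS))  # everything dropped
    print(preflight_roas(OUR_ANNOUNCEMENTS, TAMPERED_ROAS))         # flags both prefixes
```

Running `preflight_roas` against a ROA change before it is published, and alerting when a ROA for your prefixes changes in the RPKI repositories, is how an operator catches a rewrite like this before the rest of the internet drops the routes.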
Orange Spain’s Response
Upon discovering the breach, Orange Spain acknowledged the compromise of its RIPE account and promptly took steps to restore services. The company confirmed that customer data remained secure, emphasizing that the incident only affected browsing of certain services.
The Lack of Two-Factor Authentication
While Orange Spain did not disclose the specifics of the RIPE account breach, it is speculated that the absence of two-factor authentication (2FA) contributed to the unauthorized access. The threat actor, ‘Snow,’ hinted at this weakness by sharing a screenshot on Twitter that revealed the compromised account’s email address.
The Importance of Two-Factor Authentication
In today’s threat landscape, information-stealing malware poses a significant risk to enterprises. Threat actors often acquire stolen credentials from cybercrime marketplaces to facilitate network breaches, data theft, cyber espionage, and ransomware attacks. To mitigate such risks, all accounts, especially those with sensitive information, should have two-factor or multi-factor authentication (MFA) enabled. This additional layer of security ensures that even if credentials are compromised, attackers cannot gain unauthorized access.
Orange Spain’s recent ordeal serves as a stark reminder of the critical role cybersecurity plays in maintaining the integrity of internet services. As organizations increasingly rely on digital platforms, implementing robust security measures, including 2FA and adherence to protocols like RPKI, becomes imperative. By learning from such incidents, the industry can collectively strengthen its defenses against evolving cyber threats.
Enabling MFA in your organization
Reliable implementation of Multi-Factor Authentication (MFA) becomes seamless with sophisticated Load Balancers and Application Delivery Controllers like RELIANOID. These advanced systems facilitate effortless integration with Active Directory, Radius, LDAP, or a combination of these, thereby establishing a more robust and secure authorization framework. Enabling MFA in your organization is made simple when consulting with experts well-versed in the capabilities of such advanced solutions.
Enjoy the Site Reliability Experience with RELIANOID!