Hundreds of network operator credentials stolen via compromised RIPE accounts were recently discovered on the Dark Web.
RIPE, the database of IP addresses and their owners for all countries in the Middle East as well as some in Europe and Africa, has been a popular target of late as attackers have compromised account logins to gather information, researchers from Resecurity said in a blog post.
“Bad actors use compromised credentials acquired on RIPE and other portals to probe other applications and services to which the victim may have privileged access. Based on our assessment, such tactics increase the chances of successful network intrusion of target businesses and telecom operators,” says Shawn Loveland, COO of Resecurity, who found the leaked credentials.
Earlier this month, Orange España suffered an internet outage after a hacker breached the company’s RIPE account and misconfigured its BGP routing and RPKI configuration.
In a statement, RIPE said it was investigating the compromise of a RIPE Network Coordination Center login account that “temporarily” affected “some services” for that account.
Network engineers are a “ripe” target
Resecurity conducted an extensive monitoring exercise in the first quarter of 2024 and identified 716 compromised RIPE NCC customers with credentials leaked on the Dark Web. These organizations included a scientific research organization from Iran; an ICT technology provider based in Saudi Arabia; an Iraqi government agency; and a non-profit Internet exchange in Bahrain.
In total, Resecurity discovered 1,572 customer accounts on RIPE and other regional registries, including APNIC, AFRINIC and LACNIC, which had been compromised through malware activity involving known password stealers such as RedLine, Vidar, Lumma, Azorult and Taurus.
Gene Yoo, CEO of Resecurity, explains that the attackers not only stole RIPE accounts but also stole the credentials of other privileged users. Once the malware was installed on the victim’s computer, the attackers were able to exfiltrate other saved passwords and form data as well.
“That’s why what we purchased includes credentials not just limited to RIPE (and other organizations that sell IP), but [also] credentials to other services,” he says.
Infostealers specifically targeted network engineers, ISP/telecom engineers, data center technicians, and outsourcing companies.
“As the largest registry, it stands to reason that RIPE has the largest victim pool. Therefore, it is difficult to say whether this registry was targeted more deliberately than its global peers,” Resecurity said in its blog.
Critical legacy system
Elliott Wilkes, CTO of Advanced Cyber Defense Systems, notes that credential theft is a rampant problem in the Middle East and globally.
“Organizations that use contractors and remote staff to complete engineering tasks absolutely need to implement tools to protect their privileged access,” he says. “In these companies, engineers will often have high or administrative access to critical legacy systems.”
Wilkes suggests that effective privileged access management tools should use just-in-time (JIT) access to distribute time-bound credentials, which narrows the time window within which stolen credentials can be exploited.
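To make the just-in-time idea concrete, here is an added example (not code from the article, Resecurity or any vendor named on the page) of an access broker issuing time-bound credentials and validating them. The shared secret, the principal name, the scope string and the 15-minute TTL are constructed assumptions; the point it shows is that a credential stolen by an infostealer is useless once its window closes, and that a copy with an altered scope fails the signature check.

```python
import hmac
import hashlib
import time
from typing import Optional, Tuple

# Assumed: a secret held only by the access broker (constructed value for the demo).
BROKER_SECRET = b"constructed-demo-secret-do-not-reuse"


def issue_credential(secret: bytes, principal: str, scope: str,
                     ttl_seconds: int, now: Optional[float] = None) -> str:
    """Mint a short-lived credential: principal|scope|expiry|HMAC.

    The expiry is bound into the signed payload, so neither the scope nor the
    lifetime can be extended by whoever later holds the token.
    """
    if now is None:
        now = time.time()
    expires = int(now) + ttl_seconds
    payload = f"{principal}|{scope}|{expires}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def validate_credential(secret: bytes, token: str,
                        now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Signature is checked before expiry so a
    forged token never learns anything from the clock comparison."""
    if now is None:
        now = time.time()
    try:
        principal, scope, expires_s, mac = token.split("|")
        expires = int(expires_s)
    except ValueError:
        return False, "malformed"
    payload = f"{principal}|{scope}|{expires}"
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"
    if now >= expires:
        return False, "expired"
    return True, f"{principal} may use scope '{scope}' until {expires}"


if __name__ == "__main__":
    # Hypothetical engineer and scope; a 15-minute window for a BGP change.
    tok = issue_credential(BROKER_SECRET, "netops-alice", "bgp-config", 900)
    print(validate_credential(BROKER_SECRET, tok))
    # The same token presented an hour later is rejected.
    print(validate_credential(BROKER_SECRET, tok, now=time.time() + 3600))
```

In a real deployment the broker would also tie the credential to a session or device and log every issuance, so that a token used from an unexpected host after the engineer's task is finished stands out in the audit trail.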
Paul Lewis, CISO at Nominet, the UK’s official domain name registry, warns that RIPE customers must take responsibility for their own business security.
“What is interesting is how this incident leveraged the centralization of services, such as the RIPE NCC portal. While we can centralize critical services like BGP or RPKI and outsource them, that doesn’t mean an organization can completely outsource the risk. They must recognize this and implement the correct controls,” he said.
Lewis added: “Privileged users should be aware of the security risks that may be present in key outsourcing situations and use due diligence when using these services. Strong authentication is a must in this type of situation.”
Take the Orange España case. “In the end, it all comes back to basics. Orange España seemed to use extremely simple passwords, and it would appear too [that it] had not enabled multi-factor authentication and [was] lacking basic security hygiene,” says Lewis.
News leaks and cyber attacks
According to IDC META (Middle East, Turkey and Africa), there has been a recent wave of malware-driven cyber attacks in the Middle East. Over 65% of CISOs in META reported an increase in malware in the IDC 2024 Security Survey, citing phishing attacks, credential leaks and social engineering.
“These types of attacks, resulting from credential leaks, are becoming very common in the Middle East,” says Shilpi Handa, associate director of research at IDC Middle East.
According to her, credential leaks provide attackers with login details that can be used for credential stuffing, privilege escalation and authentication bypass. Stolen credentials, especially from privileged users, enable lateral movement within networks and pose significant security risks.
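Credential stuffing with leaked logins has a recognisable shape in authentication logs: one source trying many different usernames in a short window, sometimes followed by a success. The following detection logic is an added example written for this article, not code from IDC, Resecurity or any registry; the log format and the sample lines are constructed, and the 60-second window and five-user threshold are assumed tuning values.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample auth log (not from the page): "<epoch> <user> <src_ip> <result>".
# 203.0.113.7 cycles through six usernames in half a minute and lands one;
# 198.51.100.9 is a single user mistyping a password, which should not alert.
SAMPLE_LOG = """\
1700000000 alice 203.0.113.7 FAIL
1700000005 bob 203.0.113.7 FAIL
1700000009 carol 203.0.113.7 FAIL
1700000014 dave 203.0.113.7 FAIL
1700000020 erin 203.0.113.7 FAIL
1700000031 frank 203.0.113.7 SUCCESS
1700000040 alice 198.51.100.9 FAIL
1700000100 alice 198.51.100.9 SUCCESS
"""

Event = Tuple[int, str, str, str]  # (timestamp, user, src_ip, result)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into (ts, user, src, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append((int(ts), user, src, result))
    return events


def detect_stuffing(events: List[Event], window: int = 60,
                    min_distinct_users: int = 5) -> Dict[str, dict]:
    """Flag source IPs that fail logins for many *different* users inside one
    window, and report any successful logins from the same source so the
    accounts that may have been taken over can be forced through MFA/reset."""
    by_src: Dict[str, List[Tuple[int, str, str]]] = defaultdict(list)
    for ts, user, src, result in sorted(events):
        by_src[src].append((ts, user, result))

    findings: Dict[str, dict] = {}
    for src, evs in by_src.items():
        fails = [(ts, user) for ts, user, result in evs if result == "FAIL"]
        for start_ts, _ in fails:
            users = {u for t, u in fails if start_ts <= t < start_ts + window}
            if len(users) >= min_distinct_users:
                successes = [user for ts, user, result in evs if result == "SUCCESS"]
                findings[src] = {
                    "pattern": "many_users_failing",
                    "distinct_users_in_window": len(users),
                    "successful_logins": successes,
                }
                break
    return findings


if __name__ == "__main__":
    for src, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

The success-after-spray list is the part worth acting on: those accounts are the ones whose leaked password was valid, and they are the natural candidates for a forced reset and an MFA check before the attacker can use them for lateral movement.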
Dark Reading has contacted RIPE for further comment.