A “ridiculously weak password” causes disaster for Spain’s No. 2 mobile carrier
Nishadil, January 05, 2024
Orange España, Spain's number two mobile operator, suffered a significant disruption on Wednesday after an unidentified individual obtained and used a "remarkably weak" password to gain entry to the account that manages the international routing table controlling which networks deliver the company's internet traffic, according to researchers. The breach started at around 9:28 Coordinated Universal Time (or 2:28 Pacific Time), when the intruder signed into Orange's RIPE NCC account using the password "ripeadmin".
The RIPE Network Coordination Center serves as one of five Regional Internet Registries, tasked with overseeing and assigning IP addresses to ISPs, telecommunication firms, and entities that maintain their own network architecture. RIPE serves 75 nations in Europe, the Middle East, and Central Asia.
The password was revealed after the intruder, who used the alias Snow, shared an image on social media flaunting the orange.es email address linked to the RIPE account. RIPE responded by stating that they are exploring methods to enhance account security.
A screenshot from Hudson Rock, a security firm, showed the orange.es email address linked to the RIPE account after it was looked up in the firm's database, which tracks credentials offered for sale in online markets. Information-stealing malware, active on an Orange computer since September, had harvested the username and the "extremely weak" password, which were then put up for sale on an infostealer marketplace.
According to Kevin Beaumont, a researcher at Hudson Rock, thousands of credentials protecting other RIPE accounts can also be found in such marketplaces. After logging into Orange's RIPE account, Snow modified the international routing table that the mobile operator uses to define the primary providers authorized to carry its traffic worldwide. These tables are managed using the Border Gateway Protocol (BGP), which connects one regional network with the internet at large.
Snow added several new Route Origin Authorizations (ROAs) to the routing table. These entries let the holder of an IP address block, such as Orange's AS12479, declare which autonomous systems are authorized to originate routes for that block and so carry its traffic around the world. The changes had no significant impact at first, because the ROAs Snow added named Orange's own AS12479, the origin already in use.
In a subsequent phase, Snow inserted ROAs for five additional routes. According to Doug Madory, a BGP expert and network security analyst, one of them disrupted traffic because it covered IP addresses that were part of a block Orange was already announcing. He also suggested that this initial disruption was likely an experiment on Snow's part.
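To show why a ROA added through a hijacked registry account can take an existing announcement offline, here is an added example (not from the article or from Orange) of RFC 6811 route origin validation, the check that ROV-enforcing routers apply to every BGP route. Only AS12479 comes from the article; the prefixes are constructed TEST-NET addresses and AS64500 is a private-range placeholder, and the `newly_invalidated` check is a monitoring idea of mine, not a RIPE or Orange tool.

```python
"""RFC 6811 route origin validation over a constructed ROA set (added example).

Routers that enforce ROV drop routes classified 'invalid' but still accept
'not-found' routes, so a new ROA that covers a live announcement without
matching its origin ASN and prefix length turns an accepted route into a
dropped one. That is the mechanism behind the disruption described above.
"""
import ipaddress

ORANGE_AS = 12479   # Orange's ASN as named in the article
BOGUS_AS = 64500    # private-range placeholder for an origin an intruder might pick


def roa(prefix, max_len, origin_as):
    """A Route Origin Authorization: (prefix, maxLength, origin ASN)."""
    return (ipaddress.ip_network(prefix), max_len, origin_as)


def validate(announced_prefix, origin_as, roas):
    """Classify one announcement as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    net = ipaddress.ip_network(announced_prefix)
    covered = False
    for roa_net, max_len, roa_as in roas:
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True                        # at least one ROA covers this route
        if roa_as == origin_as and net.prefixlen <= max_len:
            return "valid"                    # origin ASN and length both match
    return "invalid" if covered else "not-found"


def newly_invalidated(announcements, old_roas, new_roas):
    """Defender check (hypothetical): live announcements that ROV-enforcing peers
    accept under old_roas but would drop under new_roas. Run on every ROA change."""
    accepted = ("valid", "not-found")
    return sorted(
        prefix for prefix, asn in announcements
        if validate(prefix, asn, old_roas) in accepted
        and validate(prefix, asn, new_roas) == "invalid"
    )


# Constructed scenario with TEST-NET prefixes, not Orange's real address space.
ANNOUNCEMENTS = [("192.0.2.0/24", ORANGE_AS), ("198.51.100.0/24", ORANGE_AS)]
BEFORE = []                                               # no ROAs published at all
STEP1 = BEFORE + [roa("192.0.2.0/24", 24, ORANGE_AS)]     # matches the live route: harmless
STEP2 = STEP1 + [roa("198.51.100.0/22", 22, ORANGE_AS)]   # covers the /24 but maxLength 22

if __name__ == "__main__":
    print(newly_invalidated(ANNOUNCEMENTS, BEFORE, STEP1))  # []
    print(newly_invalidated(ANNOUNCEMENTS, STEP1, STEP2))   # ['198.51.100.0/24']
```

The second step reproduces the failure mode in the article: the new ROA names Orange's own ASN, yet its maxLength is shorter than the announced /24, so the route flips from "not-found" (accepted) to "invalid" (dropped) on every network that enforces ROV.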