Orange Spain suffered an internet outage today after a hacker breached the company’s RIPE account to misconfigure BGP routing and an RPKI configuration.
The routing of traffic on the internet is handled by Border Gateway Protocol (BGP), which allows organizations to associate their IP addresses with autonomous system (AS) numbers and advertise them to other routers they are connected to, known as their peers.
These BGP advertisements create a routing table that propagates to all other edge routers on the internet, allowing networks to know the best route to send traffic to a particular IP address.
However, when a rogue network announces IP ranges usually associated with another AS number, it is possible to hijack those IP ranges to redirect traffic to malicious websites or networks.
According to Cloudflare, this is possible because BGP is built on trust: routers update their routing table based on which advertiser offers the shortest path and the most specific prefix.
To prevent this, a new standard called Resource Public Key Infrastructure (RPKI) was created that acts as a cryptographic solution to BGP hijacking.
“Resource Public Key Infrastructure (RPKI) is a cryptographic method of signing records that associate a BGP route announcement with the correct originating AS number,” explains a Cloudflare article on RPKI.
By enabling RPKI with a registry such as ARIN or RIPE, a network can cryptographically certify which AS number is authorized to advertise its IP addresses, so that only routers under its control can announce them.
Hacker breaches RIPE account to break BGP
Yesterday, a threat actor named ‘Snow’ breached the RIPE account of Orange Spain and tweeted to Orange Spain to contact them about getting new credentials.
Since then, the attacker modified the AS number associated with the company’s IP addresses, and enabled an invalid RPKI configuration on them.
Announcing the IP addresses on someone else’s AS number and then enabling RPKI effectively caused these IP addresses to no longer be announced properly on the internet.
“As we see, what they did was create some ROA /12 records, which basically indicate who is the AUTHORITY over a prefix (i.e., the AS that can announce it),” Felipe Cañizares, CTO from DMNTR Network Solutions, told BleepingComputer.
“These grouped together the /22 and /24 prefixes announced by Orange Spain, indicating that the AS that should announce that prefix was AS49581 (Ferdinand Zink trading as Tube-Hosting).”
“Once this was done, they activated RPKI on that /12… and goodbye…”
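The mechanism described above can be reproduced with a small Route Origin Validation routine. This is an added example, not code from the article or from Orange Spain: it implements the RFC 6811 validation logic against a constructed ROA set, using the AS numbers named in the article but documentation-range prefixes (203.0.0.0/12 and its /22 and /24 sub-prefixes are placeholders, not Orange's real address space), and shows the Orange announcements going from NotFound (no ROA) to Invalid (rogue /12 ROA) to Valid (a correctly published ROA).

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: which AS may originate a prefix, up to max_length."""
    prefix: str
    max_length: int
    origin_as: int

def validate_origin(route_prefix: str, origin_as: int, roas: list) -> str:
    """Route Origin Validation (RFC 6811): returns Valid, Invalid or NotFound."""
    route = ip_network(route_prefix)
    covering = [r for r in roas
                if ip_network(r.prefix).version == route.version
                and route.subnet_of(ip_network(r.prefix))]
    if not covering:
        return "NotFound"   # no ROA covers the route; most networks still accept it
    for roa in covering:
        if roa.origin_as == origin_as and route.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"        # covered, but wrong origin AS or prefix longer than max_length

ORANGE_AS = 12479   # AS number named in the article
ROGUE_AS = 49581    # AS the rogue ROA pointed at, per the article
# Constructed prefixes from the documentation range, not Orange Spain's real space
PARENT_12 = "203.0.0.0/12"
ORANGE_22 = "203.0.112.0/22"
ORANGE_24 = "203.0.113.0/24"

def before_any_roa() -> dict:
    """No ROA published: Orange's announcements are NotFound and are generally accepted."""
    return {p: validate_origin(p, ORANGE_AS, []) for p in (ORANGE_22, ORANGE_24)}

def after_rogue_roa() -> dict:
    """A /12 ROA authorising only the rogue AS makes every Orange announcement
    inside it Invalid; networks performing ROV drop those routes."""
    roas = [ROA(PARENT_12, 12, ROGUE_AS)]
    return {p: validate_origin(p, ORANGE_AS, roas) for p in (ORANGE_22, ORANGE_24)}

def with_correct_roa() -> dict:
    """What the account holder should publish: the real origin AS and a
    max_length long enough to cover the /22 and /24 it actually announces."""
    roas = [ROA(PARENT_12, 24, ORANGE_AS)]
    return {p: validate_origin(p, ORANGE_AS, roas) for p in (ORANGE_22, ORANGE_24)}

if __name__ == "__main__":
    for name, fn in (("no ROA", before_any_roa), ("rogue ROA", after_rogue_roa),
                     ("correct ROA", with_correct_roa)):
        print(name, fn())
```

Note that a ROA whose max_length equals its own prefix length (the /12 above) invalidates even correctly-originated /22 and /24 announcements, which is why max_length must match what the network really announces.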
This led to a performance issue on Orange Spain’s network between 14:45 and 16:15 UTC, which can be seen in the Cloudflare traffic graph below for AS12479.
Orange Spain has since confirmed that their RIPE account was hacked and has begun to restore services.
“NOTE: The Orange account in the IP network coordination center (RIPE) has suffered improper access that has affected the browsing of some of our customers. Service is practically restored,” Orange Spain tweeted.
“We confirm that in no case is the data of our clients compromised, it has only affected the navigation of some services.”
While it is unclear how the threat actor breached their RIPE account, Cañizares told BleepingComputer that he believes Orange Spain did not enable two-factor authentication on the account.
Cañizares has created a thread on X summarizing how this attack took place.
BleepingComputer contacted Orange Spain with questions about the attack but has not received a reply at this time.