The recent discovery that hundreds of network operator credentials were stolen through compromised RIPE accounts has raised concerns about the security of this sensitive registry data. Researchers from Resecurity found that RIPE, the database of IP addresses and their owners for countries in the Middle East, Europe, and Africa, has become a popular target for attackers seeking to gather confidential data.
According to Shawn Loveland, COO at Resecurity, bad actors use these stolen credentials to probe other applications and services to which the victims may have privileged access. This increases their chances of successfully infiltrating the network of enterprises and telecom operators.
In a recent incident, Orange Spain experienced an internet outage after a hacker breached the company’s RIPE account to manipulate BGP routing and an RPKI configuration. RIPE has confirmed that it is investigating the compromise of a RIPE Network Coordination Center Access account that temporarily affected some services.
Resecurity conducted a monitoring exercise in Q1 2024 and identified 716 compromised RIPE NCC customers with leaked credentials on the Dark Web, including organizations from Iran, Saudi Arabia, Iraq, and Bahrain. In total, 1,572 customer accounts across RIPE and other regional networks were compromised due to malware activity involving well-known password stealers.
Gene Yoo, CEO of Resecurity, explained that attackers not only stole RIPE accounts but also lifted other privileged user credentials. The stolen credentials targeted network engineers, ISP/telecom engineers, data center technicians, and outsourcing companies. According to Resecurity, it remains unclear whether RIPE has been targeted more deliberately than its global peers.
Elliott Wilkes, CTO at Advanced Cyber Defence Systems, warned that credential theft is a widespread issue in the Middle East and globally. He stressed the importance of deploying tools to protect privileged access and implementing effective privileged access management tools with time-bound credentials to mitigate the risk of stolen credentials being exploited.
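The time-bound credentials Wilkes describes limit the window in which a stolen secret is usable. The following is an added illustration, not code from Resecurity, RIPE, or any vendor named above: a minimal broker that mints a signed credential with an explicit expiry and a validator that rejects anything expired or tampered with. The broker secret, subject names, TTL and token layout are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: a server-side secret held only by the PAM broker (constructed value).
BROKER_SECRET = b"example-broker-secret-not-for-production"


def issue_credential(subject: str, ttl_seconds: int,
                     secret: bytes = BROKER_SECRET,
                     now: Optional[float] = None) -> str:
    """Mint a short-lived credential for `subject` that expires ttl_seconds after issue."""
    issued = int(now if now is not None else time.time())
    payload = {"sub": subject, "iat": issued, "exp": issued + ttl_seconds}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, separators=(",", ":")).encode()).decode()
    # HMAC over the encoded body binds subject and expiry together.
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def validate_credential(token: str,
                        secret: bytes = BROKER_SECRET,
                        now: Optional[float] = None) -> Optional[str]:
    """Return the subject if the token is authentic and unexpired, otherwise None."""
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        return None  # malformed
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged or tampered
    try:
        payload = json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, UnicodeDecodeError):
        return None
    current = now if now is not None else time.time()
    if current >= payload.get("exp", 0):
        return None  # expired: a leaked token is useless once its window closes
    return payload.get("sub")


if __name__ == "__main__":
    tok = issue_credential("neteng-alice", ttl_seconds=900)
    print("valid now:", validate_credential(tok))
    print("valid in an hour:", validate_credential(tok, now=time.time() + 3600))
```

The `now` parameter exists so expiry can be checked deterministically; in a real deployment both functions would use the clock and the broker would also log each issuance so that a credential found in a stealer dump can be traced back to its session.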
Paul Lewis, CISO at Nominet, emphasized the need for stakeholders to take responsibility for their corporate security. He highlighted the role of centralization of services and the imperative need for organizations to implement the correct controls to protect against potential threats.
In light of these incidents, IDC META reported a recent surge in malware-borne cyberattacks in the Middle East, with more than 65% of CISOs reporting an increase in malware. The increasing incidence of phishing attacks, credential leaks, and social engineering poses a significant security risk for organizations in the region.
This type of attack, arising from credential leaks, is becoming very common in the Middle East. Credential leaks provide attackers with login details that can be used for credential stuffing, privilege escalation, and authentication bypass, enabling lateral movement within networks and posing significant security risks.
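Credential stuffing leaves a recognisable trace in authentication logs: one source failing against many distinct accounts in a short window, sometimes followed by a success. The following is an added detection example, not code from the original article or any organisation it quotes. The log format, IP addresses, usernames and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed): ISO timestamp, source, user, result.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample auth log: one source cycling through accounts, one ordinary user.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-03-01T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2024-03-01T10:00:03Z src=203.0.113.7 user=carol result=FAIL
2024-03-01T10:00:04Z src=203.0.113.7 user=dave result=FAIL
2024-03-01T10:00:05Z src=203.0.113.7 user=erin result=OK
2024-03-01T10:00:06Z src=198.51.100.9 user=frank result=FAIL
2024-03-01T10:00:07Z src=198.51.100.9 user=frank result=OK
"""


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "user": m["user"], "result": m["result"]}


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=4):
    """Flag sources whose failures span >= min_users distinct accounts within `window`.

    Returns {src: {"distinct_users": n, "success_after": [users]}} where
    success_after lists accounts that logged in from the source after it was flagged.
    """
    events = sorted((e for e in map(parse_line, log_text.splitlines()) if e),
                    key=lambda e: e["ts"])
    per_src = defaultdict(list)
    for e in events:
        per_src[e["src"]].append(e)

    alerts = {}
    for src, evs in per_src.items():
        recent = deque()  # (ts, user) of failures inside the sliding window
        for e in evs:
            while recent and e["ts"] - recent[0][0] > window:
                recent.popleft()
            if e["result"] == "FAIL":
                recent.append((e["ts"], e["user"]))
            distinct = {u for _, u in recent}
            if len(distinct) >= min_users:
                entry = alerts.setdefault(src, {"distinct_users": 0, "success_after": []})
                entry["distinct_users"] = max(entry["distinct_users"], len(distinct))
            if src in alerts and e["result"] == "OK":
                alerts[src]["success_after"].append(e["user"])
    return alerts


if __name__ == "__main__":
    for src, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {info['distinct_users']} accounts tried, "
              f"successes after flag: {info['success_after']}")
```

The success after the flag is the event worth paging on: it marks an account whose password is now known to be in the attacker's list and should be reset and reviewed for follow-on access to other systems.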
As the investigation into the stolen network operator credentials continues, the focus on securing sensitive information and protecting against cyber threats remains paramount. It is crucial for organizations to strengthen their cybersecurity measures and adopt effective privileged access management tools to safeguard against future incidents.