Looted RIPE Credentials for Sale on the Dark Web

Hundreds of network operator credentials stolen via compromised RIPE accounts were recently discovered on the Dark Web.

RIPE, the database for IP addresses and their owners for every country in the Middle East as well as some in Europe and Africa, has been a popular target of late as attackers have compromised account logins in order to gather information, researchers from Resecurity said in a blog post.

"Bad actors use the acquired compromised credentials to RIPE and other portals for the probing of other applications and services to which the victim may have privileged access. Based on our assessment, such tactics increase their chances on successful network intrusion into target enterprises and telecom operators," says Shawn Loveland, COO at Resecurity, which found the leaked credentials.

Earlier this month, Orange Spain suffered an Internet outage after a hacker breached the company's RIPE account to misconfigure BGP routing and an RPKI configuration.

In a statement, RIPE said it was investigating the compromise of a RIPE Network Coordination Center Access account that "temporarily" affected "some services" for that account.

Network Engineers a "RIPE" Target

Resecurity conducted an extensive monitoring exercise in Q1 2024 and identified 716 compromised RIPE NCC customers with leaked credentials on the Dark Web. These organizations included a scientific research organization from Iran; an ICT technology provider based in Saudi Arabia; a government agency from Iraq; and a not-for-profit Internet Exchange in Bahrain.

In total, Resecurity uncovered 1,572 customer accounts across RIPE and other regional networks including APNIC, AFRINIC, and LACNIC, who were compromised due to malware activity involving well-known password stealers like Redline, Vidar, Lumma, Azorult, and Taurus. 

Gene Yoo, CEO of Resecurity, explains that attackers not only stole RIPE accounts but also lifted other privileged user credentials. Once they dropped malware onto the victim's computer, the attackers were able to exfiltrate other passwords and forms as well.

"That's why what we purchased includes credentials not limited to RIPE only (and other organizations selling IPs), but [also] credentials to other services" he says.

The infostealers targeted network engineers, ISP/telecom engineers, data centre technicians, and outsourcing companies in particular.

"As the largest registry, it makes sense that RIPE would have the largest victim pool. Therefore, it's difficult to say whether this registry has been targeted more deliberately than its global peers," said Resecurity in its blog.

Critical Legacy System

Elliott Wilkes, CTO at Advanced Cyber Defence Systems, notes that credential theft is a rampant issue in the Middle East, and globally.

"Organizations that use contractors and remote staff to complete engineering tasks absolutely must deploy tools to protect their privileged access," he says. "In these companies, engineers often will have elevated or admin access to critical legacy systems."

Wilkes suggests that effective privileged access management tools should use just-in-time (JIT) access to deploy time-bound credentials, which narrows the window of time within which stolen credentials can be exploited.

Paul Lewis, CISO at Nominet, the UK's official registry for domain names, cautions that RIPE customers must take responsibility for their corporate security.

"What's interesting is how this incident leveraged the centralization of services, such as the RIPE NCC portal. While we can centralize critical services such as BGP or RPKI and outsource them, it doesn't mean that an organization can outsource the risk entirely. They need to acknowledge that and implement the correct controls," he said.

Lewis added: "Privileged users need to be aware of the security risks that could be present in key outsourcing situations and use proper due diligence when using these services. Strong authentication is a must-have in this type of situation."

Take the Orange España case. "Ultimately, it all comes back to the basics. Orange España seemed to use extremely basic passwords and it would also seem [that it] didn't enable multi-factor authentication and [was] lacking in foundational security hygiene," Lewis says.

Leaks and Cyberattacks

According to IDC META (Middle East, Turkey and Africa), there has been a recent surge in malware-borne cyberattacks in the Middle East. More than 65% of CISOs in META reported an increase in malware, as reported in IDC's 2024 security survey, citing phishing attacks, credential leaks, and social engineering.

"These types of attacks, arising from credential leaks, are becoming very common in the Middle East," says Shilpi Handa, associate research director at IDC Middle East.

She says credential leaks provide attackers with login details that can be used for credential stuffing, privilege escalation, and authentication bypass. Stolen credentials, especially from privileged users, enable lateral movement within networks and pose significant security risks.

Dark Reading has contacted RIPE for further comment.