
Administrator Account for Middle East Internet Registry Hacked

The compromise reportedly led to corruption in the routing of a Spanish telecom provider's network.

Dark Reading Staff, Dark Reading

January 4, 2024


The Regional Internet Registry for Europe, the Middle East, and Central Asia is investigating the compromise of an administrator account that has disrupted network traffic.

In a statement, the registry, known as RIPE, said it is investigating the compromise of a RIPE Network Coordination Center Access account that "temporarily" affected "some services" for that account.

"Our Information Security team is continuing to investigate whether any other accounts have been affected. Account holders who might be affected will be contacted directly by us," the registry said in its statement.

RIPE is the regional database that contains all IP addresses and their owners for every country in the Middle East, as well as Europe and Asia.

Internet traffic in the United Arab Emirates and other Middle East nations dipped overnight and at the start of today.

Orange Theory

This week, a threat actor going by the moniker "Ms_Snow_OwO" announced on X that they had gained access to a RIPE administrator account belonging to telecommunications provider Orange Spain. The attacker also posted the email address they were able to compromise. It was unclear if any other accounts had been hacked.

Orange Spain later announced it had "suffered improper access" that affected some customers, but that service was "practically restored."

Security researchers from Hudson Rock reported that the Orange Spain employee was infected by the Raccoon infostealer malware in September 2023, and their account had access credentials for https://access.ripe.net. The attacker abused the Border Gateway Protocol (BGP) routing configuration for Orange, the researchers noted.

The attacker publicly disclosed the password, claiming that the account did not have two-factor authentication enabled. Ironically, the Regional Internet Registry statement in the wake of the attack recommended that account holders enable multifactor authentication.
