For those like myself that are somewhat unfamiliar with what RIPE is:
RIPE is the European equivalent of ARIN (the North American regional authority for ISP addressing matters). They are sort of like the postal/zoning agents of the internet in that they oversee the distribution and management of IP address blocks. ISPs like Orange Spain have a RIPE account that they use to manage their IP allocations, which is what was compromised.
Allegedly, Orange Spain's RIPE password was "ripeadmin", with no 2FA: https://twitter.com/Ms_Snow_OwO/status/1742666456058470739
Maliciously changing a RIPE allocation would be like going into a pub and moving Geoff’s drink to one side so you and your mate can take his and Frank’s spot at the bar. While you may physically succeed at this, you will also find you don’t get served and you do get thrown out and barred.
I’ve always liked the professional level of collusion that makes the Internet work. One day it will all go wrong and we’ll have to set up something democratic, but until then the technocracy works well.
This is one of several attacks that can be used to generate valid TLS certificates for domains you don't own. There are mitigations but they can all be defeated. This will persist until there is reform among internet standards groups, but they are controlled by the browser market, and they aren't responsible for generating the certs, so it's one of those "nobody is responsible so it will never be fixed" deals.
The title was confusing at first, with "was breaking into" I thought the attacker didn't succeed, but they did. Can the title be changed to something like "Someone hacked Orange Spain's RIPE account and broke their /12"?
We were affected by the downtime. Suddenly our VPNs went down and we started troubleshooting whether it was a sudden switch reboot, a physical problem, anything. Odd for some of our VPNs to randomly shut down rejecting all traffic, but just at the endpoint. Then we started having some very specific problems with just some FTP addresses and couldn't figure out what was happening.
Until our CIO went to the bathroom and came back saying "Hey, these websites aren't working from our Wi-Fi network but they're working fine from mobile data? Could it be a navigation problem from Orange?"
Then we realized it.
What evil could one do with this?
I was affected by that attack. After lunch here in Barcelona several sites started to time out on Firefox: GitHub, Twitter, Hacker News, Canva, DuckDuckGo. While others like Reddit, Google, YouTube kept working.
Found via Twitter that others had already tried changing DNS servers, and then did a tracepath and found that I couldn't reach the resolved IPs. Thought it would have been a misconfiguration by Orange. Then on Twitter (accessed via Orange mobile, which funnily worked fine -- probably a different network?) I found a thread of people in Spain complaining about it, where someone later replied with links to the RIPE account take-over tweet.
Took about 2-4 hours for the service to be fixed. Haven't fixed any other issues so far. One of the articles pointed out that it could have been due to someone not using 2FA, but there were no sources in that article.
EDIT: the article mentioned above https://bandaancha.eu/articulos/secuestran-cuenta-ripe-orang...