Hundreds of network operators’ credentials found circulating in Dark Web

After the recent incident involving Orange España and the leakage of credentials from the RIPE NCC portal, which led to a major outage, the cybersecurity community needs to reconsider the digital identity protection for staff engaged in network engineering and IT infrastructure management. Undoubtedly, this group of targets is highly sought after by malicious actors due to their privileged access within the enterprise ecosystem.

Resecurity conducted extensive monitoring of the Dark Web, uncovering over 1,572 customers of RIPE, APNIC, AFRINIC, and LACNIC who were compromised due to malware activity involving well-known password stealers like Redline, Vidar, Lumma, Azorult, and Taurus. These compromised accounts were discovered to be up for sale on underground marketplaces. This figure also includes historical records and artifacts identified in January 2024, following an analysis of Command and Control (C2) servers. The gathered data was promptly shared with telecommunication organizations and the affected parties for further risk mitigation.

Cybersecurity experts outlined the risks originating from Dark Web actors leveraging compromised credentials belonging to ISP/Telcom engineers, Data-Center Technicians, Network Engineers, IT Infrastructure Managers and Outsourcing companies (managing networks for their enterprise clients).

Remarkably, in certain instances, credentials were being offered on underground markets for as little as $10. A prominent risk involves initial access brokers collaborating with ransomware groups or sophisticated cybercriminals. They could purchase credentials belonging to a compromised network engineer from an Indonesian ISP and later utilize them to orchestrate a larger attack like the Orange España incident. Additionally, some independent actors were found selling RIPE credentials at a higher price, including cookies, proxy access, or remote access through malicious code planted on the victim’s system. Once such access is obtained, depending on the user’s privileges, the malicious actor could employ tactics similar to those seen in the Orange España scenario.

As an example of compromised RIPE accounts, Resecurity outlined compromised access credentials belonging to a major data center and one of the largest vendors providing international-scale network telephony connectivity to governmental and national telecom providers in Africa. Other identified victims were associated with significant organizations, including:

• Scientific research organization from Iran;
• Major financial organization from Kenya;
• One of the largest IT consulting firms in Azerbaijan, known for offering services like telecommunications, integrated network, and cloud solutions to enterprises and government entities;
• A major financial organization in Spain;
• One of the largest gambling providers in EU;
• ICT technology provider based in Saudi Arabia;
• An Israeli communications satellite operator;
• A government agency from Iraq;
• A not-for-profit Internet Exchange (IXP), established in Riffa, located in the Southern Governorate of Bahrain.

The actions of bad actors extend beyond simple credential theft. With access to network settings, they may alter existing configurations or introduce deceptive elements, potentially creating havoc on enterprise infrastructure. Such unauthorized modifications could lead to severe disruptions in service and security breaches, underscoring the critical need for heightened vigilance and robust security protocols in safeguarding digital assets.

Notably, some of the records identified in the acquired data sets have been previously involved in major cybersecurity incidents. For example, Gaza-based ISP AlfaNet was significantly impacted by outages on the peak of Israel-Gaza conflict in October. At that time, attackers employed multiple tactics, including DDoS attacks, but scenarios resembling the Orange España incident were considered plausible. Other victims encompassed Fortune 500 companies, prominent universities, wireless/mobile operators, and regional ISPs

Significantly, most of the network administrators (identified as compromised) managing networks utilized emails registered with free providers, including Gmail, GMX, and Yahoo. These details could be highly valuable to cyberespionage groups that are laser-focused on specific targets, such as network administrators and their circle of contacts. Acquiring information about their personal emails could lead to more sophisticated campaigns and enhance the likelihood of successful reconnaissance.

Resecurity has notified the victims who’s credentials to RIPE, APNIC, AFRINIC and LACNIC customer portals were compromised by password stealers and exposed on the Dark Web. Based on the collected feedback, cybersecurity experts built the following statistics:

• 45% were not aware about the identified compromised credentials and acknowledged successful password change and enabled 2FA;
• 16% were already aware about the identified compromised credentials as a result of infection by malicious code and made necessary password change and enabled 2FA on their accounts;
• 14% were aware about the compromised credentials, but enabled 2FA only after notification (written statement received);
• 20% acknowledged the need to perform deeper investigation of the incident leading to credentials compromise; for example, some of the recipients acknowledged 2FA enabled, but had a lack of knowledge around how and when exactly the compromise had happened, and what credentials (to other apps and systems) could be exfiltrated by password stealer from the victim;
• 5% of recipients were not able to provide any feedback and/or aim to identify relevant points of contact in their organization to review this issue.

The collected statistics may confirm how the staff involved in network engineering and mission critical IT management operations may be victim to malicious code. Their accounts (when compromised) may act as “low-hanging fruit” for massive cyberattacks in perspective, but also a great targeting criteria for sophisticated bad actors.

For instance, several victims, particularly network engineers identified in the datasets acquired from the Dark Web, also had their credentials to enterprise identity and access management (IAM), virtualization systems, various cloud providers, and backup and disaster recovery solutions compromised. Resecurity emphasized the critical importance of a robust digital identity protection program for telecommunications operators to safeguard their infrastructure and customers.