Orange España Breach: Dark Web Flooded With Operator Credentials
Security researchers have uncovered the presence of hundreds of network operators’ credentials circulating on the dark web in the aftermath of a significant cybersecurity breach targeting Orange España, the second-largest mobile operator in Spain.
The breach, orchestrated by an entity known as “Snow,” involved the hijacking of Orange España’s RIPE Network Coordination Centre (NCC) account, leading to disruptive alterations in border gateway protocol (BGP) and resource public key infrastructure (RPKI) configurations.
The incident, which occurred earlier this month, caused a three-hour service outage, prompting concerns about the vulnerability of telecom carriers and their associated network infrastructures.
Conducting dark web monitoring, Resecurity has now revealed that it has discovered over 1572 compromised customers from RIPE, Asia-Pacific Network Information Centre (APNIC), the African Network Information Centre (AFRINIC) and the Latin America and Caribbean Network Information Center (LACNIC), due to malware activities involving well-known password stealers like Redline, Vidar, Lumma, Azorult and Taurus.
Writing in an advisory published on Monday, the firm highlighted the dangers arising from dark web actors utilizing compromised credentials of ISP/telcom engineers, data-center technicians, network engineers, IT infrastructure managers and outsourcing companies.
The compromised credentials, often priced as low as $10, could be exploited by initial access brokers collaborating with ransomware groups or sophisticated cybercriminals to orchestrate more significant attacks similar to the Orange España incident.
Resecurity provided examples of compromised accounts, including those from a large data center in Africa, a financial organization in Kenya and a large IT consulting firm in Azerbaijan. The consequences of such compromises extend beyond mere credential theft, potentially leading to unauthorized modifications of network settings, causing disruption to services and security breaches.
Notably, most compromised network administrators utilized emails from free providers like Gmail, GMX and Yahoo, providing valuable information to cyber-espionage groups. Resecurity emphasized the critical need for robust digital identity protection programs to safeguard infrastructure and customers, given the potential for malicious actors to exploit compromised accounts for more sophisticated campaigns.
The company said it notified affected victims, and feedback statistics reveal varying levels of awareness and action among compromised individuals.