Credential-Stuffing Attack Targets Regional Internet Registry

RIPE NCC Internet registry

RIPE NCC, the regional Internet registry for Europe, West Asia, and the former Soviet Union, said attackers attempted a credential-stuffing attack against its single-sign on service.

Regional internet registry RIPE NCC is warning of a credential-stuffing attack against its single sign-on service, RIPE NCC Access, and is encouraging users to implement two-factor authentication (2FA).

Threatpost Webinar February Promo

Click to Register

Located in Amsterdam, the Réseaux IP Européens Network Coordination Centre (RIPE NCC) is the regional internet registry for Europe, Western Asia and the former Soviet Union. RIPE NCC said that the attack, which occurred last weekend, caused “some downtime.” However, it said that preliminary investigations do not yet reveal that any single sign-on (SSO) accounts have been compromised.

“We would like to ask you to enable two-factor authentication on your RIPE NCC Access account if you have not already done so, to ensure that your account is secure,” the RIPE NCC told account holders in a Thursday security notice. “In general, using two-factor authentication across all your accounts can help limit your exposure to such attacks.”

What is RIPE NCC?

A regional internet registry is an organization that manages the registration of internet number resources within various regions worldwide. Such “internet number resources” include IPv4 and IPv6 addresses – which provide the underlying technology making it possible for people to connect their devices to the web — and autonomous system numbers (ASNs), which uniquely identify each network on the internet.

RIPE NCC is one of five regional internet registries providing internet resource allocations and registration services, which together support the internet globally.

RIPE NCC has 20,000 members from more than 75 countries. These members can receive and register internet number resource allocations, and they are then responsible for distributing and registering these resources at a local level.

In the case of the credential-stuffing attack against RIPE NCC, “the data that could be exposed are internet sources such as IP addresses allocated to internet providers, hosting providers and organizations,” Niamh Muldoon, global data protection officer with OneLogin, told Threatpost.

If they were able to access this data, “attackers could then use these details to try and masquerade as one of these providers and/or use the information to build intelligence to identify a vulnerable part of the network to try and exploit,” Muldoon explained.

What is a Credential-Stuffing Attack?

A credential-stuffing attack occurs when a cybercriminal utilizes stolen account credentials and attempts to match them up against a web application or service via large-scale, automated login requests. The aim of this attack is to achieve unauthorized access to accounts.

“Credential-stuffing attacks continue to be the most common opportunistic attack, just because the barrier of entry is low,” Marcus Hartwig, manager of Security Analytics at Vectra, told Threatpost. “Databases of credentials from previous data breaches are widely available, often for free, and have a high success ratio, and preventative measures like multifactor authentication (MFA) are easy to circumvent for determined attackers.”

Credential stuffing has been commonly utilized in recent years, causing targeted companies like The North Face (hit in November) Dunkin Donuts (hit twice, in December 2018 and February 2019) and Spotify (hit twice, in December and in February) to force password resets for impacted users.

RIPE NCC: Enabling Two-Factor Authentication 

RIPE NCC said that the attack has been mitigated. It also said it is now taking steps to ensure its services are “better protected against such threats in the future” – including asking users to enable 2FA, where a one-time code will be required to sign in.

“If we do find that an account has been affected in the course of our investigations, we will contact the account holder individually to inform them,” according to RIPE NCC.

Security experts like Joseph Carson, advisory CISO at Thycotic, said that the the incident points to the importance of password hygiene and 2FA – especially as credential-stuffing attacks continue to increase.

“An important lesson that must be learned from this is that we should never reuse passwords,” Carson told Threatpost.  “Companies who offer authentication and log into their website must also move away from having a password as the only security control. 2FA must be enabled for all customers as this reduces the risks of those who reuse passwords from become a victim of a cybercrime or credential stuffing from being successful.”

Is your small- to medium-sized business an easy mark for attackers?

Threatpost WEBINAR:  Save your spot for 15 Cybersecurity Gaffes SMBs Make,” a  FREE Threatpost webinar on Feb. 24 at 2 p.m. ET. Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. Register NOW for this LIVE webinar on Wed., Feb. 24.

Suggested articles