RIPE NCC, the organization that manages and assigns IPv4 and IPv6 addresses for Europe, the Middle East, and the former Soviet space, has disclosed today a failed cyber-attack against its infrastructure.
“Last weekend, RIPE NCC Access, our single sign-on (SSO) service was affected by what appears to be a deliberate ‘credential-stuffing’ attack, which caused some downtime,” the organization said in a message posted on its website earlier today.
The agency said it mitigated the attack and found that no account was compromised but that an investigation is still underway.
“If we do find that an account has been affected in the course of our investigations, we will contact the account holder individually to inform them.”
Founded in 1992, RIPE NCC currently oversees the allocation of Internet number resources (IPv4 addresses, IPv6 addresses, and autonomous system numbers) to data centers, web hosting companies, telcos, and internet service providers in the EMEA region.
A compromise of any RIPE NCC account would spell big problems for both RIPE and the account holders as it would allow intruders to re-assign, even if temporarily, internet resources to third-parties.
IPv4 addresses are currently in very high demand all over the world, and a flourishing black market has formed over the past decade. This market is fueled by hijacked IPv4 address blocks, and its most frequent customers are malware gangs which use it to rent access to hijacked IPv4 address spaces so they can send spam and skirt spam blocklists.
One of the most notorious IPv4 address space hijacks was discovered in 2019 when more than 4.1 million IPv4 addresses were transferred from South African companies to new owners, according to an AFRINIC investigation.
RIPE NCC officially ran out of IPv4 addresses in November 2019, which explains why threat actors are now gunning for member accounts in the hopes of hijacking existing address pools.
RIPE is now asking all its members, estimated at around 20,000 orgs, to enable two-factor authentication for their Access accounts to prevent intruders from gaining access to these resources through simple brute-force-like attacks.