RIPE NCC discloses failed brute-force attack on its SSO service

RIPE NCC, which manages the IP address space for the EMEA region, is now asking its 20,000 member orgs to enable 2FA for their accounts.

RIPE NCC, the organization that manages and assigns IPv4 and IPv6 addresses for Europe, the Middle East, and the former Soviet space, today disclosed a failed cyber-attack against its infrastructure.

"Last weekend, RIPE NCC Access, our single sign-on (SSO) service was affected by what appears to be a deliberate 'credential-stuffing' attack, which caused some downtime," the organization said in a message posted on its website earlier today.

The agency said it mitigated the attack and found that no account was compromised but that an investigation is still underway.

"If we do find that an account has been affected in the course of our investigations, we will contact the account holder individually to inform them."

Founded in 1992, RIPE NCC currently oversees the allocation of Internet number resources (IPv4 addresses, IPv6 addresses, and autonomous system numbers) to data centers, web hosting companies, telcos, and internet service providers in the EMEA region.

A compromise of any RIPE NCC account would spell big problems for both RIPE and the account holders, as it would allow intruders to re-assign, even if temporarily, internet resources to third parties.

IPv4 addresses are currently in very high demand all over the world, and a flourishing black market has formed over the past decade. This market is fueled by hijacked IPv4 address blocks, and its most frequent customers are malware gangs which use it to rent access to hijacked IPv4 address spaces so they can send spam and skirt spam blocklists.

One of the most notorious IPv4 address space hijacks was discovered in 2019 when more than 4.1 million IPv4 addresses were transferred from South African companies to new owners, according to an AFRINIC investigation.

RIPE NCC officially ran out of IPv4 addresses in November 2019, which explains why threat actors are now gunning for member accounts in the hopes of hijacking existing address pools.

"While we have not seen any evidence of compromised accounts, it is worth noting that even if this was found to have happened, the related Internet number resources would not be at risk," a RIPE NCC spokesperson told ZDNet in an email. "There are additional layers of authentication before these can be transferred to another entity."

"While people can use their RIPE NCC Access accounts to submit transfer requests, the actual transfers themselves are only processed once we have performed additional due diligence checks. Transfers also require supporting documentation to justify the request, including contracts signed by authorised representatives of the company," the organization added.

RIPE is now asking all its members, estimated at around 20,000 orgs, to enable two-factor authentication for their Access accounts to prevent intruders from gaining access to these resources through simple brute-force-like attacks.

Updated with statement from RIPE NCC.