
SecurityWeek


Lizard Squad Hijacks Lenovo Website, Emails

Lenovo is the latest high-profile victim of a DNS hijacking attack. Hackers managed to redirect website visitors to an arbitrary page and they intercepted emails sent to Lenovo staff.


The attack was carried out by the notorious Lizard Squad group, which targeted Google Vietnam in a similar operation earlier this week. The attackers modified DNS records in Google and Lenovo domain registrar accounts in an effort to redirect users to defacement pages. According to OpenDNS, the pages were hosted on servers at Digital Ocean’s Netherlands datacenter.

In both attacks, the hackers replaced the regular nameservers with CloudFlare IP addresses. Experts believe this was done in order to obfuscate the IP address of the destination server and to balance the traffic load to the website. CloudFlare acted quickly to restore services.

While in the case of Google Vietnam the hackers simply redirected visitors to their defacement page, the attack on Lenovo appears to be more serious. The attackers also changed mail server records, allowing them to intercept messages sent to Lenovo email addresses. Lizard Squad has published screenshots of two of the intercepted emails on Twitter. The hackers said they might publish other “interesting” emails later.

In the meantime, they published what appears to be an EPP code, the authorization key that is used when transferring a domain name from one registrar to another.

“Unfortunately, Lenovo has been the victim of a cyber attack. One effect of this attack was to redirect traffic from the Lenovo website. We are also actively investigating other aspects. We are responding and have already restored certain functionality to our public facing website,” Lenovo said in an emailed statement.

“We regret any inconvenience that our users may have if they are not able to access parts of our site at this time. We are actively reviewing our network security and will take appropriate steps to bolster our site and to protect the integrity of our users’ information and experience,” the company added. “We are also working proactively with 3rd parties to address this attack and we will provide additional information as it becomes available.”

The attack on Lenovo appears to come in response to reports that the company had pre-installed risky Superfish adware on laptops. The story made headlines after researchers discovered that the Superfish application broke HTTPS browsing and allowed malicious actors to hijack users’ connections.


Lizard Squad hijacked Google Vietnam and Lenovo DNS records after breaching the systems of WebNIC, a Malaysia-based registrar. WebNIC.cc is offline at the time of writing, but Vietnam Internet Network Information Center (VNNIC) representatives told SecurityWeek earlier this week that the registrar has been working with Google to determine the cause of the breach.

“Two defacements in a single week is normally nothing, but two extremely high-profile defacements from the same registrar in the same week is a definite trend. We may see more redirections of domains that were registered with Webnic.cc in the coming days,” Andrew Hay, director of security research at OpenDNS, told SecurityWeek.

OpenDNS believes it will likely be difficult to track down the attackers if they used a free CloudFlare account and stolen payment information to acquire hosting services from Digital Ocean.

The attack on Lenovo shows that malicious actors don’t necessarily need to gain access to an organization’s corporate servers to cause damage. OpenDNS advises website owners to change their passwords frequently and, when possible, enable domain locking to avoid such redirections.
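A monitoring check for the two record changes described above (nameservers and mail servers) and for the domain-locking advice. This is an added example, not code from the article or from OpenDNS. The snapshot format, domain names and record values are constructed, and the two EPP status names are the standard ones a registrar lock sets.

```python
from dataclasses import dataclass

# EPP status values (RFC 5731) that a registrar-level domain lock sets.
LOCK_STATUSES = frozenset({"clientUpdateProhibited", "clientTransferProhibited"})

@dataclass(frozen=True)
class Snapshot:
    """Point-in-time view of a domain: delegation, mail routing, EPP statuses."""
    ns: tuple
    mx: tuple
    epp_status: tuple = ()

def _norm(hosts):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return {h.strip().rstrip(".").lower() for h in hosts}

def audit(baseline, observed):
    """Return (kind, detail) findings for NS/MX drift and missing locks."""
    findings = []
    for rtype in ("ns", "mx"):
        want, got = _norm(getattr(baseline, rtype)), _norm(getattr(observed, rtype))
        if want != got:
            findings.append((f"{rtype}_changed",
                             {"added": sorted(got - want), "removed": sorted(want - got)}))
    missing = LOCK_STATUSES - set(observed.epp_status)
    if missing:
        findings.append(("lock_missing", sorted(missing)))
    return findings

# Constructed sample data (hypothetical names under the reserved .example TLD).
BASELINE = Snapshot(ns=("ns1.corp-dns.example.", "ns2.corp-dns.example."),
                    mx=("mail.corp.example.",),
                    epp_status=("clientUpdateProhibited", "clientTransferProhibited"))
# Same records, different case / trailing dot: must not raise an alert.
UNCHANGED = Snapshot(ns=("NS2.corp-dns.example", "ns1.corp-dns.example"),
                     mx=("mail.corp.example",),
                     epp_status=BASELINE.epp_status)
# Delegation and mail routing both replaced, no lock set.
HIJACKED = Snapshot(ns=("a.proxy-cdn.example.", "b.proxy-cdn.example."),
                    mx=("mx.unknown-host.example.",),
                    epp_status=("ok",))

if __name__ == "__main__":
    for name, snap in (("unchanged", UNCHANGED), ("hijacked", HIJACKED)):
        print(name, audit(BASELINE, snap))
```

In practice the observed snapshot would be filled from periodic NS and MX lookups and from the registrar's WHOIS or RDAP status output for the domain.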

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
