Lizard Squad Hijacks Lenovo Website, Emails

Lenovo is the latest high-profile victim of a DNS hijacking attack. Hackers managed to redirect website visitors to an arbitrary page and they intercepted emails sent to Lenovo staff.

The attack was carried out by the notorious Lizard Squad group, which targeted Google Vietnam in a similar operation earlier this week. The attackers modified DNS records in Google and Lenovo domain registrar accounts in an effort to redirect users to defacement pages. According to OpenDNS, the pages were hosted on servers at Digital Ocean’s Netherlands datacenter.

In both attacks, the hackers replaced the regular nameservers with CloudFlare IP addresses. Experts believe this was done in order to obfuscate the IP address of the destination server and to balance the traffic load to the website. CloudFlare acted quickly to restore services.

While in the case of Google Vietnam the hackers simply redirected visitors to their defacement page, the attack on Lenovo appears to be more serious. The attackers also changed mail server records, allowing them to intercept messages sent to Lenovo email addresses. Lizard Squad has published screenshots of two of the intercepted emails on Twitter. The hackers said they might publish other “interesting” emails later.

In the meantime, they published what appears to be an EPP code, the authorization key that is used when transferring a domain name from one registrar to another.

“Unfortunately, Lenovo has been the victim of a cyber attack. One effect of this attack was to redirect traffic from the Lenovo website. We are also actively investigating other aspects. We are responding and have already restored certain functionality to our public facing website,” Lenovo said in an emailed statement.

“We regret any inconvenience that our users may have if they are not able to access parts of our site at this time. We are actively reviewing our network security and will take appropriate steps to bolster our site and to protect the integrity of our users’ information and experience,” the company added. “We are also working proactively with 3rd parties to address this attack and we will provide additional information as it becomes available.”

The attack on Lenovo appears to come in response to reports that the company had pre-installed risky Superfish adware on laptops. The story made headlines after researchers discovered that the Superfish application broke HTTPS browsing and allowed malicious actors to hijack users’ connections.

Lizard Squad hijacked Google Vietnam and Lenovo DNS records after breaching the systems of WebNIC, a Malaysia-based registrar. WebNIC.cc is offline at the time of writing, but Vietnam Internet Network Information Center (VNNIC) representatives told SecurityWeek earlier this week that the registrar has been working with Google to determine the cause of the breach.

“Two defacements in a single week is normally nothing, but two extremely high-profile defacements from the same registrar in the same week is a definite trend. We may see more redirections of domains that were registered with Webnic.cc in the coming days,” Andrew Hay, director of security research at OpenDNS, told SecurityWeek.

OpenDNS believes it will likely be difficult to track down the attackers if they used a free CloudFlare account and stolen payment information to acquire hosting services from Digital Ocean.

The attack on Lenovo shows that malicious actors don’t necessarily need to gain access to an organization’s corporate servers to cause damage. OpenDNS advises website owners to change their passwords frequently and, when possible, enable domain locking to avoid such redirections.
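A domain owner can watch for the changes described above (replaced nameservers, altered mail server records, a domain left unlocked) by comparing periodic snapshots against a known-good baseline. The following is an added example, not code from the article or from OpenDNS; every domain, hostname and snapshot in it is constructed, and it assumes the snapshots were already collected from DNS and registration data.

```python
# Added example: baseline drift check for registrar-level DNS changes.
# All hostnames and snapshot values below are constructed for illustration.

# EPP status codes (RFC 5731) a registrar sets when a domain is locked.
LOCK_STATUSES = {"clientTransferProhibited", "clientUpdateProhibited"}

def normalize(hosts):
    """Lower-case and drop the trailing dot so equivalent names compare equal."""
    return {h.lower().rstrip(".") for h in hosts}

def check_domain(baseline, observed):
    """Compare an observed snapshot to the baseline; return a list of findings."""
    findings = []
    for rtype in ("NS", "MX"):  # MX priorities are ignored; hosts only
        want = normalize(baseline[rtype])
        got = normalize(observed.get(rtype, []))
        if got != want:
            findings.append(
                f"{rtype} changed: added={sorted(got - want)} "
                f"removed={sorted(want - got)}"
            )
    missing = LOCK_STATUSES - set(observed.get("status", []))
    if missing:
        findings.append(f"registrar lock missing: {sorted(missing)}")
    return findings

# Constructed known-good baseline for a hypothetical domain.
BASELINE = {
    "NS": ["ns1.example-dns.test.", "ns2.example-dns.test."],
    "MX": ["mail.example.test."],
}
# Constructed snapshot: same records (different case/dots), domain locked.
CLEAN = {
    "NS": ["NS1.example-dns.test", "ns2.example-dns.test"],
    "MX": ["mail.example.test"],
    "status": ["clientTransferProhibited", "clientUpdateProhibited"],
}
# Constructed snapshot: nameservers and mail host replaced, no lock set.
HIJACKED = {
    "NS": ["a.proxy-ns.test", "b.proxy-ns.test"],
    "MX": ["mx.unknown-host.test"],
    "status": ["ok"],
}

if __name__ == "__main__":
    for name, snap in (("clean", CLEAN), ("hijacked", HIJACKED)):
        print(name, check_domain(BASELINE, snap) or "no drift")
```

An MX change alongside an NS change is the signal that mail, not just web traffic, is being rerouted, so both are worth alerting on together.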

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
