While it looks like Lenovo has taken another slap in the face, this time it isn't their fault (well, sort of). Yesterday, its website, Lenovo.com, was maliciously redirected to a defaced site controlled by the well-known hacker group Lizard Squad. Shortly before this, Google's Vietnamese site suffered a similar attack in which users were redirected away from google.com.vn. The DNS records for both domains were temporarily changed so that anyone navigating to these sites was pointed at new pages jokingly referencing, among others, Brian Krebs, Ryan King, and Rory Andrew Godfrey, alongside what appear to be webcam images of an individual.
It's been a bad week for Lenovo. Lenovo's very poor choice of bloatware, Superfish, was found to contain a trivially exploitable flaw that disables the security of SSL connections: it installed its own root certificate on affected machines, and the same private key shipped with every copy, so anyone holding that key could sign certificates the browser would trust. SSL is what lets a browser verify that the user has actually reached the REAL Bank of America. The SSL hijacking enabled by Lenovo's snafu let would-be attackers pose to users as the authentic, trusted version of websites such as Bank of America.
The public may be quick to blame Lenovo and Google for losing control of their respective websites. In fact, this issue was not a fault of theirs but arose from a weakness at the registrar responsible for the domains' registration records, including the nameserver entries that tell the rest of the Internet where each site lives. It appears that the registrar in question, Webnic.cc, was compromised directly by Lizard Squad and used to send users to fake versions of Lenovo's and Google's sites.
Two of the individuals called out by the hijacked sites, Ryan King and Rory Andrew Godfrey, are accused by the media of being members of Lizard Squad, despite claims to the contrary. Both, however, have ties through a previous hacking group to a known, current member of Lizard Squad. Brian Krebs, a well-known reporter on security topics who was also called out on the hijacked Lenovo.com page, reached out to King and Godfrey for comment.
According to Krebs, both claim that the attackers used HTML command injection to land a malicious rootkit on Webnic.cc's machines. This gave them direct control over the DNS records that determine where both sites point users. King and Godfrey also claim that Lizard Squad was able to snag Webnic's "auth codes," which allow someone to transfer domains such as lenovo.com to a different registrar.
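A registrar compromise like the one described above shows up outside the victim's own infrastructure: the nameservers the TLD hands out change while the victim's zone is untouched, and stolen auth codes only matter if the domain is not locked. The following is an added example, not code from the original article or from any party mentioned in it, of the checks a domain owner can run against a snapshot of their delegation. It assumes three inputs a practitioner would collect: the NS records returned by a TLD server (the authority section of `dig NS example.com @a.gtld-servers.net`), the NS records served by the zone's own authoritative servers, and the domain's RDAP record (for example from https://rdap.org/domain/example.com). All domain names, nameservers and RDAP data in the block are constructed for illustration.

```python
"""Registrar-level hijack checks on a snapshot of a domain's delegation.

Inputs (all constructed below for illustration):
  * parent_ns : NS names a TLD server returns for the domain (what the registrar pushed)
  * apex_ns   : NS records served by the zone's own authoritative servers
  * rdap_json : the RDAP domain object (status flags + nameservers)
"""
import json
from dataclasses import dataclass

# Locks a registrar sets on the registrant's behalf. They do not help when the
# registrar itself is compromised; only registry ("server*") locks survive that.
CLIENT_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited",
                "clientDeleteProhibited"}
REGISTRY_LOCKS = {"serverTransferProhibited", "serverUpdateProhibited",
                  "serverDeleteProhibited"}


@dataclass(frozen=True)
class Finding:
    severity: str  # critical / high / medium
    message: str


def normalize_ns(names):
    """Case-fold, strip trailing dots and whitespace, drop empty entries."""
    return {n.strip().lower().rstrip(".") for n in names if n and n.strip()}


def parse_rdap(rdap_json):
    """Return (nameservers, status flags) from an RDAP domain object (str or dict)."""
    doc = json.loads(rdap_json) if isinstance(rdap_json, str) else rdap_json
    ns = normalize_ns(s.get("ldhName", "") for s in doc.get("nameservers", []))
    return ns, set(doc.get("status", []))


def check_delegation(expected_ns, parent_ns, apex_ns):
    """Compare the delegation the TLD serves against the known-good baseline
    and against what the zone itself says."""
    expected, parent, apex = (normalize_ns(x) for x in (expected_ns, parent_ns, apex_ns))
    findings = []
    added, removed = sorted(parent - expected), sorted(expected - parent)
    if added or removed:
        findings.append(Finding("critical",
            f"parent delegation differs from baseline: added={added} removed={removed}"))
    if parent != apex:
        # The TLD points somewhere the real zone does not: a registrar-side change.
        findings.append(Finding("high",
            "parent delegation and zone-apex NS disagree (delegation changed at the registrar?)"))
    return findings


def check_locks(status):
    """Flag missing transfer/update protections and in-flight transfers."""
    findings = []
    if "pendingTransfer" in status:
        findings.append(Finding("critical", "domain transfer is pending"))
    missing = sorted(CLIENT_LOCKS - status)
    if missing:
        findings.append(Finding("high", f"registrar locks missing: {missing}"))
    if not (REGISTRY_LOCKS & status):
        findings.append(Finding("medium",
            "no registry lock: a stolen auth code or compromised registrar can move the domain"))
    return findings


def assess(expected_ns, parent_ns, apex_ns, rdap_json):
    """Run every check and return findings ordered by severity."""
    rdap_ns, status = parse_rdap(rdap_json)
    findings = check_delegation(expected_ns, parent_ns, apex_ns) + check_locks(status)
    if rdap_ns != normalize_ns(parent_ns):
        findings.append(Finding("medium",
            "RDAP nameservers do not match parent delegation (stale or inconsistent data)"))
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: order[f.severity])


# --- constructed sample: known-good baseline vs. a snapshot taken mid-hijack ---
BASELINE_NS = ["ns1.corp-dns.example", "ns2.corp-dns.example"]
PARENT_NS_HIJACKED = ["NS1.attacker-dns.example.", "NS2.attacker-dns.example."]
APEX_NS_UNCHANGED = ["ns1.corp-dns.example.", "ns2.corp-dns.example."]
RDAP_HIJACKED = json.dumps({
    "ldhName": "corp.example",
    "status": ["clientTransferProhibited"],
    "nameservers": [{"ldhName": "ns1.attacker-dns.example"},
                    {"ldhName": "ns2.attacker-dns.example"}],
})


def run_sample():
    """Assess the constructed hijack snapshot against the baseline."""
    return assess(BASELINE_NS, PARENT_NS_HIJACKED, APEX_NS_UNCHANGED, RDAP_HIJACKED)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity}] {f.message}")
```

Querying the TLD servers directly, rather than a recursive resolver, matters here: a hijack at the registrar changes the delegation in the parent zone first, and a cached answer from the old nameservers can hide it for the length of the TTL. The registry-lock check is the caveat the auth-code claim above calls for: client-side locks are set by the registrar and are worthless if the registrar is the thing that was compromised.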
While this attack was outside the control of either Lenovo or Google, using Webnic may have been a poor choice by both companies. Webnic's popularity among hacker forums and underground bazaars may make some skeptical of the registrar's practices. And, as Krebs reports, it is probably no coincidence that over the past several years many of those sites have themselves been hacked. Perhaps both Lenovo and Google should explore less suspect registrars in the region.