Late last night visitors to Lenovo.com were redirected to another page showing a slideshow of young people with the “Breaking Free” song from High School Musical playing in the background. Visitors who clicked on the slideshow were redirected again, this time to Lizard Squad's Twitter account, which had warned to “expect more lizard mischief soon” prior to the attack.
In addition, the website's source code had seemingly been edited to boast about the “new and improved branded Lenovo website featuring Ryan King and Rory Andrew Godfrey”. Both men have been linked with the Lizard Squad in recent months, although security expert Brian Krebs says that, far from being part of the Lizard Squad, these black hats have been working to undermine and expose it.
The Lenovo website itself appears to be untouched by the hackers, who seem instead to have compromised – in some shape or form – the website's DNS registrar. The registrar was Webnic.cc, which is also used by Google Vietnam (google.com.vn), a domain reportedly hijacked by Lizard Squad this week as well.
Lizard Squad redirected traffic to Cloudflare servers rather than to infrastructure of its own, with sources saying this was likely because Cloudflare would mask the attackers' IP addresses while offering the scalability to absorb the large volume of redirected traffic.
The root certificate served by the redirected site showed Cloudflare as the provider, but company evangelist Marc Rogers denied on Twitter that Cloudflare was involved, adding that the company has since been helping Lenovo restore access to the site. Worse still, the DNS hijack reportedly allowed Lizard Squad to access Lenovo email before the redirection was shut off.
Krebs says that King and Godfrey confirmed that Lizard Squad used a command injection vulnerability in Webnic.cc to compromise the system and upload a rootkit. Webnic.cc remained inaccessible for a few hours, but was back online at the time of writing.
Ken Westin, senior security analyst at Tripwire, said in an email to SCMagazineUK.com that the hack added “another black eye to an already suffering brand”.
“As a result of getting their hands caught in the privacy-invading cookie jar with the deployment of the Superfish adware which compromised their customers' privacy and security, they have made themselves open targets for hacking groups who have essentially declared it open season against Lenovo for their questionable practices. Unfortunately, as a result of their actions their brand reputation has taken a significant hit and as a result very few are sympathetic to Lenovo's website compromise, many feeling they brought it on themselves.
“This reflects the larger implications of what happens when businesses fail to take security and privacy into consideration when adding new features or functionality that can invade on customer privacy and weaken the security of the systems they sell. When evaluating whether or not to enable tools like Superfish without their customers' explicit consent, the risk assessment should include a solid understanding of the implications and potential ripple effects of these actions. The problem is that many times those responsible for security and privacy are not part of the decision making process, or are even aware these tools are deployed, so organisations may leave themselves blind to these risks when say a department like marketing makes these types of decisions in a vacuum. But as we can see with the Superfish debacle, something that may have seemed like a good idea at the time to one group can have devastating consequences for a company as a whole.”
Darren Anstee, director of solutions architects at Arbor Networks, added in an email to SC: “This attack highlights several potential weak spots an attacker can target. In security you're only as secure as your weakest link – and regardless of the level of security Lenovo has around its own organisation, like any business, it is still vulnerable to attacks on a partner or service provider.
“The security of an organisation is dependent not just on its own security measures, but also how well its partners and suppliers have protected their environments. If the target organisation is well protected, attackers may look for a softer target – a service a business is reliant on, such as DNS, or a supplier that has access to the target's networks and data stores for business purposes.”
Digital forensics expert and white-hat hacker Jonathan Zdziarski added in a message to SC that the attack was likely not even as complex as a DNS compromise, blaming a social engineering campaign instead.
“It wasn't even as complex as a DNS compromise. Someone likely social engineered Lenovo's domain registrar to change the name servers it points to. Very low tech,” he said.
“So in a DNS attack there would be some kind of poisoning. What happened here was just re-pointing a domain. Like I said, it was probably very low-tech and likely involved just social engineering either Lenovo's registrar, or filing a domain transfer somewhere if it wasn't locked.”
“Our entire domain registration system is built on trust between registrars, and if one of them is tricked or misbehaves, it (gives) results like this.”
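The registrar-side re-pointing Zdziarski describes leaves no trace in the victim's own zone, so the defensive check is to watch the delegation and lock status held at the registrar. The following is an added example, not code from the article or from any party it names: it parses the common "Key: value" WHOIS layout from two constructed snapshots of a hypothetical domain (the hostnames, registrar name and domain are made up) and flags a changed nameserver set, a changed registrar, and missing EPP lock statuses.

```python
# EPP status codes a registrar lock sets; without them the domain is open to the
# unauthorised transfer or nameserver update described above.
REQUIRED_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited"}

def parse_whois(text: str) -> dict:
    """Pull nameservers, EPP statuses and registrar from 'Key: value' WHOIS output."""
    state = {"nameservers": set(), "statuses": set(), "registrar": ""}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "name server" and value:
            state["nameservers"].add(value.lower().rstrip("."))  # normalise for comparison
        elif key == "domain status" and value:
            state["statuses"].add(value.split()[0])  # drop the icann.org/epp# URL
        elif key == "registrar" and value:
            state["registrar"] = value
    return state

def check_delegation(baseline: dict, observed: dict) -> list:
    """Return findings a defender would alert on; an empty list means no drift."""
    findings = []
    added = observed["nameservers"] - baseline["nameservers"]
    removed = baseline["nameservers"] - observed["nameservers"]
    if added or removed:
        findings.append(f"NS delegation changed: added={sorted(added)} removed={sorted(removed)}")
    if observed["registrar"].lower() != baseline["registrar"].lower():
        findings.append(f"registrar changed: {baseline['registrar']!r} -> {observed['registrar']!r}")
    missing = REQUIRED_LOCKS - observed["statuses"]
    if missing:
        findings.append(f"registrar locks missing: {sorted(missing)}")
    return findings

# Constructed WHOIS snapshots for a hypothetical domain; the second shows a registrar-side re-pointing.
BASELINE_WHOIS = """\
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
"""
OBSERVED_WHOIS = """\
Registrar: Example Registrar, Inc.
Domain Status: ok https://icann.org/epp#ok
Name Server: ns1.unexpected-host.example
Name Server: ns2.unexpected-host.example
"""
if __name__ == "__main__":
    for finding in check_delegation(parse_whois(BASELINE_WHOIS), parse_whois(OBSERVED_WHOIS)):
        print("ALERT:", finding)
```

In practice the baseline is captured once from a known-good WHOIS or RDAP response and the comparison is run on a schedule, so a re-pointing at the registrar raises an alert even while the victim's own DNS servers look healthy.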