Attackers altered the domain name system (DNS) records for Lenovo.com on Wednesday, allowing them to spoof the computer manufacturer’s website and gain access to the company’s MX mail server records.
Following the attack, users who visited Lenovo’s company page saw a teenager’s slideshow, with the song “Breaking Free” from Disney’s High School Musical playing in the background.
The hijack occurred as a result of the attackers compromising a Lenovo account at Website Commerce Communications Ltd. dba Webnic.cc. By using a command injection vulnerability to upload a rootkit, as reported by Brian Krebs, the attackers were able to access the DNS records at Webnic.cc, which they then leveraged to change the IP address that Lenovo.com resolved to when users visited the site.
According to security researchers at content delivery network CloudFlare, the attackers used servers under CloudFlare’s control to redirect visitors to two IP addresses hosted by Digital Ocean, a company based in the Netherlands.
During this time, the attackers further exploited their access to read through emails sent to Lenovo employees. Some of these mail server records were then posted on Lizard Squad’s (@LizardCircle) Twitter account, as the screenshot below demonstrates:
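The pattern described above (registrar-level access used to repoint a domain's A records while the MX records are read or altered) is the kind of change a scheduled baseline comparison catches. The following is an added example, not code from the article or from any party named in it; the baseline and observed record sets are constructed for offline use, and a real deployment would feed the observed set from an external resolver.

```python
from typing import Dict, Set, Tuple

Records = Dict[str, Set]

# Constructed known-good records; export these from the registrar or DNS
# provider and keep the copy out-of-band so a hijacker cannot edit it too.
BASELINE: Records = {
    "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "A": {"203.0.113.10"},
    "MX": {(10, "mail1.example.com."), (20, "mail2.example.com.")},
}

# A nameserver change usually means the registrar account itself was
# taken over, so it outranks changes to individual A or MX records.
SEVERITY = {"NS": 3, "MX": 2, "A": 2}
LABEL = {0: "ok", 2: "high", 3: "critical"}

def normalize(rtype: str, value):
    """Canonicalise a record so case and trailing dots never raise alerts."""
    if rtype == "MX":
        prio, host = value
        return (int(prio), host.lower().rstrip("."))
    return value.lower().rstrip(".")

def diff_records(baseline: Records, observed: Records) -> Dict[str, Tuple[Set, Set]]:
    """Return {rtype: (added, removed)} for each record type that drifted."""
    drift = {}
    for rtype in sorted(set(baseline) | set(observed)):
        base = {normalize(rtype, v) for v in baseline.get(rtype, ())}
        seen = {normalize(rtype, v) for v in observed.get(rtype, ())}
        if base != seen:
            drift[rtype] = (seen - base, base - seen)
    return drift

def severity(drift: Dict[str, Tuple[Set, Set]]) -> str:
    """Worst severity label across the drifted record types ("ok" if none)."""
    return LABEL[max((SEVERITY.get(r, 2) for r in drift), default=0)]

if __name__ == "__main__":
    # Constructed snapshot of the hijack pattern: web traffic repointed to
    # two unknown hosts while NS and MX differ only cosmetically.
    observed = {
        "NS": {"NS1.example-dns.net", "ns2.example-dns.net"},
        "A": {"198.51.100.7", "198.51.100.8"},
        "MX": {(10, "MAIL1.example.com"), (20, "mail2.example.com")},
    }
    drift = diff_records(BASELINE, observed)
    print(severity(drift), drift)
```

Run from cron against a resolver outside your own infrastructure, so that a change made at the registrar is seen the way the public sees it rather than through a cached internal view.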
Many reports allege that Lizard Squad was behind the attack, pointing to a statement posted on Lenovo’s spoofed website on Wednesday that read: “the new and improved rebranded Lenovo website featuring Ryan King and Rory Andrew Godfrey.” A number of media outlets have identified these two individuals as part of Lizard Squad in the past. However, Krebs challenges this assumption and reports that both King and Godfrey were once members of the hacker collective Hack the Planet and are now actively trying to undermine Lizard Squad.
As of this writing, Lenovo’s website has been restored to normal.
Ken Westin, senior security analyst at Tripwire, believes this attack may be in retaliation for revelations regarding the discovery of Superfish adware being installed on Lenovo computers.
“As a result of getting their hands caught in the privacy invading cookie jar with the deployment of the Superfish adware which compromised their customers’ privacy and security, they have made themselves open targets for a number of hacking groups who have essentially declared it open season against Lenovo for their questionable practices,” comments Westin. “Unfortunately as a result of their actions, their brand reputation has taken a significant hit and as a result very few are sympathetic to Lenovo’s website compromise, many feeling they brought it on themselves.”
“This reflects the larger implications of what happens when businesses fail to take security and privacy into consideration when adding new features or functionality that can invade on customer privacy and weaken the security of the systems they sell.”