Wednesday's hijacking of the Lenovo.com domain name and interception of the company's e-mail was pulled off by first hacking Web Commerce Communications, the registrar that procured the Lenovo address, security journalist Brian Krebs reported.
In a post published Wednesday night, KrebsOnSecurity cited hackers Ryan King and Rory Andrew Godfrey as saying that the compromise of the Malaysia-based registrar was carried out by members of the fame-seeking group Lizard Squad. That's the same group connected to the Lenovo attack, since Web links to a Twitter account belonging to Lizard Squad members were embedded in the spoofed Lenovo website. Krebs wrote:
Reached via instant message, both King and Godfrey said the Lizard Squad used a command injection vulnerability in Webnic.cc to upload a rootkit—a set of hacking tools that hide the intruder’s presence on a compromised system and give the attacker persistent access to that system.
Webnic.cc is currently inaccessible. A woman who answered the phone at the company’s technical operations center in Kuala Lumpur acknowledged the outage but said Webnic doesn’t have any additional information to share at this time. “We’re still in the investigation stage,” said Eevon Soh, a Webnic customer support technician.
It appears the intruders were able to leverage their access at Webnic.cc to alter the domain name system (DNS) records for the Google and Lenovo domains, effectively giving them the ability to redirect the legitimate traffic away from the domains to other servers—including those under the attackers’ control.
The Lenovo.com hijacking was foiled in the early stages thanks to the vigilance of engineers at CloudFlare, a service that helps improve the performance and security of websites. Armed with control over the Lenovo domain, the attackers transferred its registration to redirect to CloudFlare nameservers. The CloudFlare engineers spotted the abnormality and quickly returned control of the domain to its rightful owner. With the hijacking foiled, the attackers tweeted what appeared to be a valid code that authorizes the transfer of a domain from one registrar to another. The attackers reportedly carried out a similar hijacking of a Google domain name earlier this week.