Hacker group takes over Lenovo's DNS

Posted by Virus Bulletin on Feb 26, 2015

As emails were sent to wrong servers, DNSSEC might be worth looking into.

Although, after some initial hesitation, Lenovo was rather frank in its admission of messing up regarding the Superfish adware, it was too late for the damage to be undone and many have directed their 15 minutes of Internet rage at the laptop manufacturer.

Unsurprisingly, that included a group of hacktivists using the moniker 'Lizard Squad', who managed to take over the DNS of lenovo.com last night, thus sending visitors to the company's website to one controlled by the attackers instead. This isn't something one would normally pay a great deal of attention to, because it is fairly innocent as hacks go, and doesn't mean the hackers have obtained access to the victim's network.

  Source: xkcd.

However, what makes this case both interesting and worrying is that the attackers not only changed the DNS A record — which made the website point to a different IP address — but they did the same to the MX records. This caused all email to @lenovo.com email addresses to be sent to a server controlled by the attackers as well. The potential for damage in this instance is far greater, even if the emails posted as proof on the group's Twitter account don't exactly reveal trade secrets and, as Ars Technica writes, the DNS was restored fairly quickly.

As domain hijacks have become fairly prevalent in recent years, and as rogue DNS servers and DNS cache poisoning mean one can never be absolutely certain that DNS responses are correct, DNSSEC is worth looking into. Though not a silver bullet against domain takeovers, and though it has strong opponents, it does sign DNS responses cryptographically. If Lenovo had used DNSSEC, and if a sender had verified the responses, email would not have ended up in the wrong hands.

  While the DNS root and the .com top-level domain are signed, lenovo.com isn't. Source: Verisign's DNSSEC Analyzer.
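The sender-side verification described above, as an added example that is not part of the original article: it builds an MX query that asks for DNSSEC data and classifies the reply from a validating resolver by its AD flag and response code. It assumes the sender reaches that resolver over a trusted path (for example on localhost); the function names, the `require_secure` policy flag and the sample replies are constructed for illustration.

```python
import struct

QR, AD, RCODE_MASK, SERVFAIL = 0x8000, 0x0020, 0x000F, 2
TYPE_MX, TYPE_OPT, CLASS_IN = 15, 41, 1

def build_mx_query(name, txid):
    """Wire-format MX query with RD and AD set, plus an EDNS0 OPT record with DO."""
    header = struct.pack("!6H", txid, 0x0100 | AD, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # OPT RR: root owner, type 41, class = UDP payload size, TTL field carries DO (0x8000).
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0x8000, 0)
    return header + qname + struct.pack("!HH", TYPE_MX, CLASS_IN) + opt

def classify(wire, txid):
    """Read the header of a validating resolver's reply: secure, insecure, servfail or error."""
    # Assumption: the path to the resolver is trusted; otherwise the AD bit proves nothing.
    if len(wire) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", wire[:4])
    if rid != txid or not flags & QR:
        raise ValueError("not a response to this query")
    rcode = flags & RCODE_MASK
    if rcode == SERVFAIL:
        return "servfail"   # how a validating resolver reports signatures that do not verify
    if rcode != 0:
        return "error"
    # AD set: the resolver validated the answer. AD clear: unsigned zone or no validation.
    return "secure" if flags & AD else "insecure"

def delivery_decision(wire, txid, require_secure):
    """Hypothetical sender policy: hand mail to the MX only if the lookup is acceptable."""
    state = classify(wire, txid)
    if state == "secure" or (state == "insecure" and not require_secure):
        return "deliver"
    return "defer"          # keep the message queued rather than send it to an unverified host

# Constructed header-only replies to transaction 0x1A2B (not captured traffic).
SECURE = struct.pack("!6H", 0x1A2B, 0x81A0, 1, 1, 0, 1)    # QR|RD|RA|AD, NOERROR
INSECURE = struct.pack("!6H", 0x1A2B, 0x8180, 1, 1, 0, 1)  # QR|RD|RA, NOERROR
BOGUS = struct.pack("!6H", 0x1A2B, 0x8182, 1, 0, 0, 1)     # QR|RD|RA, SERVFAIL

if __name__ == "__main__":
    for label, wire in (("secure", SECURE), ("insecure", INSECURE), ("servfail", BOGUS)):
        print(label, delivery_decision(wire, 0x1A2B, require_secure=True))
```

An unsigned zone such as lenovo.com at the time can only ever yield the "insecure" result, so a sender that requires validated answers would queue the mail rather than follow the changed MX record.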

At VB2014, CloudFlare researcher Nick Sullivan presented a paper on DNSSEC (also available as a PDF) that provides a very good introduction to the subject. You can also watch Nick's presentation on our YouTube channel.

Update: Several people have pointed out that hijacking a domain by gaining access to the registrar makes it trivial to get the new records signed by DNSSEC as well, making DNSSEC less suitable to contain the damage caused by domain hijacks.

Posted on 26 February 2015 by Martijn Grooten
