Two days ago, attackers allegedly associated with the fame-seeking group Lizard Squad briefly hijacked Google’s Vietnam domain (google.com.vn). On Wednesday, Lenovo.com was similarly attacked. Sources now tell KrebsOnSecurity that both hijacks were possible because the attackers seized control over Webnic.cc, the Malaysian registrar that serves both domains and 600,000 others.
On Feb. 23, google.com.vn briefly redirected visitors to a page that read, “Hacked by Lizard Squad, greetz from antichrist, Brian Krebs, sp3c, Komodo, ryan, HTP & Rory Andrew Godfrey (holding it down in Texas).” The message also included a link to the group’s Twitter page and its Lizard Stresser online attacks-for-hire service.
Today, the group took credit for hacking Lenovo.com, possibly because it was recently revealed that the computer maker was shipping the invasive Superfish adware with all new Lenovo notebook PCs (the company has since said Superfish is now disabled on all Lenovo products and that it will no longer pre-load the software).
According to a report in TheVerge.com, the HTML source code for Lenovo.com was changed to read, “the new and improved rebranded Lenovo website featuring Ryan King and Rory Andrew Godfrey.”
The Verge story notes that both men have been identified as members of the Lizard Squad; to my knowledge this has never been true. In fact, both used to be part of a black hat and now-defunct hacker collective known as Hack The Planet (HTP) along with one of the main current LizardSquad members — Julius “Zeekill” Kivimaki (for more on Julius, see these stories). However, both King (a.k.a “Starfall”) and Godfrey (“KMS”) have been quite publicly working to undermine and expose the group for months.
Reached via instant message, both King and Godfrey said the Lizard Squad used a command injection vulnerability in Webnic.cc to upload a rootkit — a set of hacking tools that hide the intruder’s presence on a compromised system and give the attacker persistent access to that system.
Webnic.cc is currently inaccessible. A woman who answered the phone at the company’s technical operations center in Kuala Lumpur acknowledged the outage but said Webnic doesn’t have any additional information to share at this time. “We’re still in the investigation stage,” said Eevon Soh, a Webnic customer support technician.
It appears the intruders were able to leverage their access at Webnic.cc to alter the domain name system (DNS) records for the Google and Lenovo domains, effectively giving them the ability to redirect the legitimate traffic away from the domains to other servers — including those under the attackers’ control.
King and Godfrey said the Lizard Squad also gained access to Webnic’s store of “auth codes” (also known as “transfer secrets” or “EPP” codes), unique and closely-guarded codes that can be used to transfer any domain to another registrar. As if to prove this level of access, the Lizard Squad tweeted what they claim is one of the codes.
Starfall and KMS say the rootkit has been removed from Webnic’s servers, meaning the Lizard Squad should no longer be able to hijack Webnic domains with the same method they used to redirect Lenovo.com or Google Vietnam.
This is not the first time these actors have messed with Webnic.cc. Web Commerce Communications Ltd. (Webnic) is a popular registrar among hacker forums and underground stores that traffic in stolen credit cards and identity information, and a great number of those sites are registered through Webnic. It was hardly a coincidence that many of these criminal storefronts which have been hacked over the past couple of years — including rescator[dot]so, and ssndob — were registered at Webnic: All of the same players involved this week’s drama were involved in those hacks as well.