Security Sense: The Impact and Paradox of Lenovo Domain DNS Hijacking
March 2, 2015
It’s the cyber-equivalent of beating a man while he’s down: last week, whilst still in damage control after the Superfish incident, Lenovo became the victim of another security incident, this time when its website was “hacked” and replaced with an image slide show. That term is a little misleading though, because rather than exploiting vulnerabilities in lenovo.com itself, the attackers simply hijacked the DNS records. In some ways that’s even worse…
Hijacking DNS can be quite trivial: if the account that controls the records has weak credentials, the attacker simply logs in and modifies them. Another approach is to socially engineer the registrar into handing over the domain or changing its name servers. In either event, the attacker now controls the resolution of the name to a destination IP, and that opens up a whole world of trouble. The usual mitigations are just as simple on paper: strong, unique credentials and multi-factor authentication on the registrar and DNS provider accounts, a registrar lock on the domain, and an alert on any change to the NS, A or MX records.
One of the obvious problems with DNS hijacking is that any website can now be stood up in place of the legitimate one; you simply point the records at a new, fraudulent site. That site may then do anything from harvesting credentials, if it’s a spoof of the real one, to serving malware to, as was the case with Lenovo, defacement. Much of this, however, only works cleanly when the site is served over plain HTTP. That’s a value proposition of certificates that’s frequently overlooked: an HTTPS connection needs a certificate that is valid for the host name, or the client will (or at least should) refuse to proceed. Two caveats apply. First, the protection only kicks in if the browser actually requests HTTPS, which for a user who types “lenovo.com” means the site must redirect to HTTPS and, ideally, send an HSTS header so that later visits never touch HTTP at all. Second, whoever controls the DNS records also controls the things a CA looks at when issuing a domain-validated certificate (the web server a validation request lands on, the zone’s records, and the MX records that decide where a validation email is delivered), so a patient attacker can often obtain a perfectly genuine certificate for the hijacked name. TLS raises the bar considerably, but it is no substitute for keeping the records themselves secure.
Of course, in Lenovo’s case certificate validation is somewhat of a paradox, because much of the concern with the whole Superfish debacle was that anyone could create a certificate that “infected” machines would trust. What made that possible is that Superfish installed its own root certificate in the machine’s trust store and shipped the matching private key with the software, so anyone who extracted the key could sign a certificate for any name. In theory, if lenovo.com had been served over HTTPS and someone with a Superfish-riddled machine visited the site, the attackers could have served a certificate that was “valid” as far as that machine was concerned. You’d then end up with a compromised Lenovo machine browsing a compromised Lenovo host name and the user being none the wiser!
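The paradox is easy to show in code. The Go program below is an added example, not code from the original post, from Lenovo or from Superfish: it builds a constructed rogue root (not the real Superfish certificate), signs a leaf for lenovo.com with it, and then verifies that leaf twice, once against a trust store without the rogue root and once against a store that contains it, which is the position a Superfish-infected machine was in. It also computes the SPKI fingerprint that public-key pinning compares, since a pin on the real server’s key is the check that would still catch the rogue leaf. All names and keys are generated on the fly; nothing here is taken from a real trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newRogueRoot creates a self-signed CA like the one Superfish installed:
// anything signed with its key is trusted by a machine that holds it.
// Constructed for this example; it is not the Superfish certificate.
func newRogueRoot() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Rogue Root CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf signs a server certificate for host with the rogue root's key,
// exactly what a box sitting in the middle of an HTTPS session would do.
func issueLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyForHost does what a browser does: chain the leaf to a root in the
// given trust store and check the host name. Which store it is handed is
// the whole story.
func verifyForHost(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// isUnknownAuthority reports whether verification failed because no trusted
// root signed the chain (as opposed to a name mismatch or expiry).
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the value that
// public-key pinning compares; a rogue leaf can never match the real pin.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

func main() {
	root, rootKey, err := newRogueRoot()
	if err != nil {
		panic(err)
	}
	leaf, err := issueLeaf(root, rootKey, "lenovo.com")
	if err != nil {
		panic(err)
	}
	clean := x509.NewCertPool() // a trust store without the rogue root
	fmt.Println("clean store:", verifyForHost(leaf, clean, "lenovo.com"))

	infected := x509.NewCertPool() // what Superfish left behind
	infected.AddCert(root)
	fmt.Println("infected store:", verifyForHost(leaf, infected, "lenovo.com"))
	fmt.Println("SPKI pin of the rogue leaf:", spkiPin(leaf))
}
```

The clean store rejects the chain with an unknown-authority error; the infected store accepts it for lenovo.com and would accept a leaf for any other name just as readily, because the rogue root carries no name constraints. The one check that still fails is the pin, which is why pinning (or, today, Certificate Transparency monitoring) is the defence against a poisoned trust store rather than more TLS.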
Getting back to DNS hijacking, once you control the name records you also control the routing of email via the MX records. Consequently, the attackers were able to receive email intended for Lenovo and, in a twist of fate, those emails included reports of the site having been compromised. Inevitably there were many more emails received by the attackers of a much more sensitive nature, and note that transport encryption between mail servers is no help here, since the attacker is the receiving mail server. If ever there needed to be a reminder of the risks of sending sensitive information over email without end-to-end encryption, this is it.
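The records this post walks through are exactly the ones worth monitoring: the NS delegation (what a registrar compromise changes), the A records (the defacement) and the MX records (the diverted email). The Go program below is an added example, not code from the original post or from Lenovo. It compares a zone’s observed records against a stored baseline and reports drift per record type. The resolver is injected as a function so the example runs offline here against constructed answers (the names, addresses and name servers are placeholders, not Lenovo’s real records); a real monitor would query the zone’s authoritative servers and, separately, the registrar’s delegation, from more than one vantage point.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Baseline is the record set the zone is supposed to publish, keyed by type.
// Constructed placeholder values, not Lenovo's real records.
var Baseline = map[string][]string{
	"NS": {"ns1.example.net", "ns2.example.net"},
	"A":  {"192.0.2.10", "192.0.2.11"},
	"MX": {"10 mail.example.net"},
}

// Resolver answers one (name, type) query. Injecting it keeps the example
// offline; a production monitor would query the authoritative servers.
type Resolver func(name, rtype string) ([]string, error)

// Drift describes how one record type differs from the baseline.
type Drift struct {
	Type       string
	Missing    []string // in the baseline but not observed
	Unexpected []string // observed but not in the baseline
}

// normalize makes comparison case-insensitive, ignores trailing dots and
// surrounding whitespace, and drops ordering.
func normalize(values []string) map[string]bool {
	set := make(map[string]bool, len(values))
	for _, v := range values {
		v = strings.ToLower(strings.TrimSuffix(strings.TrimSpace(v), "."))
		if v != "" {
			set[v] = true
		}
	}
	return set
}

func sortedKeys(set map[string]bool) []string {
	out := make([]string, 0, len(set))
	for k := range set {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// DiffRecords returns the values missing from, and unexpected in, the observed set.
func DiffRecords(expected, observed []string) (missing, unexpected []string) {
	exp, obs := normalize(expected), normalize(observed)
	for _, v := range sortedKeys(exp) {
		if !obs[v] {
			missing = append(missing, v)
		}
	}
	for _, v := range sortedKeys(obs) {
		if !exp[v] {
			unexpected = append(unexpected, v)
		}
	}
	return missing, unexpected
}

// CheckZone compares every record type in the baseline, in a stable order, and
// reports the ones that drifted. A lookup failure aborts the check rather than
// being reported as "no drift": silence is not evidence the zone is fine.
func CheckZone(name string, baseline map[string][]string, lookup Resolver) ([]Drift, error) {
	types := make([]string, 0, len(baseline))
	for t := range baseline {
		types = append(types, t)
	}
	sort.Strings(types)
	var drifts []Drift
	for _, t := range types {
		got, err := lookup(name, t)
		if err != nil {
			return nil, fmt.Errorf("lookup %s %s: %w", name, t, err)
		}
		missing, unexpected := DiffRecords(baseline[t], got)
		if len(missing) > 0 || len(unexpected) > 0 {
			drifts = append(drifts, Drift{Type: t, Missing: missing, Unexpected: unexpected})
		}
	}
	return drifts, nil
}

// HealthyResolver returns the baseline values in the slightly different form a
// real answer section might use (mixed case, trailing dots, other order).
func HealthyResolver(name, rtype string) ([]string, error) {
	answers := map[string][]string{
		"NS": {"NS2.example.net.", "ns1.Example.NET."},
		"A":  {"192.0.2.11", "192.0.2.10"},
		"MX": {"10 mail.example.net."},
	}
	return answers[rtype], nil
}

// HijackedResolver models a zone whose delegation, web address and mail routing
// now all point at attacker-controlled hosts (constructed values).
func HijackedResolver(name, rtype string) ([]string, error) {
	answers := map[string][]string{
		"NS": {"ns1.attacker.example.", "ns2.attacker.example."},
		"A":  {"198.51.100.7"},
		"MX": {"10 mx.attacker.example."},
	}
	return answers[rtype], nil
}

func report(label string, r Resolver) {
	drifts, err := CheckZone("lenovo.com", Baseline, r)
	if err != nil {
		fmt.Println(label, "error:", err)
		return
	}
	fmt.Printf("%s: %d record type(s) drifted\n", label, len(drifts))
	for _, d := range drifts {
		fmt.Printf("  %-2s missing=%v unexpected=%v\n", d.Type, d.Missing, d.Unexpected)
	}
}

func main() {
	report("healthy", HealthyResolver)
	report("hijacked", HijackedResolver)
}
```

Run against the healthy answers it reports nothing, because the differences are only cosmetic; against the hijacked answers it flags all three types, and the MX drift is the one that tells you the email is already going somewhere else. In practice the NS check should be made against the registrar’s delegation (the parent zone), since that is what a registrar-level takeover changes, and the baseline should live somewhere the attacker cannot edit along with the records.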
Lenovo’s misfortune is unfortunately far from uncommon. Days later it was Google Vietnam’s domain, courtesy of the same attackers, and only a few months ago it was Craigslist that got hit. These attacks are enormously effective because they compromise a resource that often isn’t where much of the security attention is being focussed. The only real saving grace is that as nasty as DNS hijacking is, the fix is usually straightforward: regain control of the account that was used to change the records, restore the correct ones and then… wait while DNS propagates, which really means waiting until resolvers around the world have expired their cached copies of the bad records. It would have felt like a very, very long wait for Lenovo last week.
Troy Hunt
http://troyhunt.com
@troyhunt
Microsoft MVP - Developer Security